One Identity Safeguard for Privileged Sessions 5.0.10 - Sizing Guide for SPS version 5.0 or later

Introduction

One Identity provides three different One Identity Safeguard for Privileged Sessions (SPS) appliances (boxes), and deciding which box suits customers' exact requirements best always depends on a great many factors. All boxes have different performance measurements and One Identity's goal is to provide information to help select the most appropriate solution for customers' environment.

For detailed hardware specifications of the three SPS appliances, see the Installation Guide.

It is strongly recommended to always ask One Identity engineers to verify the planned design. Each and every use case is different and there can be case-specific conditions changing the final design. One Identity cannot take responsibility for improper architectural and/or performance design if One Identity has not been asked to verify those.

Performance capabilities heavily depend on several client-specific technical factors. Consequently, the maximum number of concurrent users served by a given SPS box may vary in each IT environment.

Note that:

  • While this document uses the terms "sessions" and "concurrent sessions" when providing figures, "concurrent sessions" also means "concurrent users" (assuming that a single user corresponds to a single session).

    There can, of course, be users in the client's system who are not all using session management at once, and there can be users (for example, the admin account) who are able to open multiple sessions concurrently. The rough conversion of one user to one session simply serves as a ballpark estimate when calculating license requirements. Client-specific circumstances can fine-tune this estimate.

  • All benchmarks presented in this document assume typical administrative workflows within the sessions.
  • All performance tests were carried out without One Identity Safeguard for Privileged Analytics (SPA) configured, so measurement figures provided in this document are only valid for SPS appliances with no SPA used.
  • Each column in Performance metrics shows the benchmark for a particular protocol.
  • When measuring performance for a given protocol, all sessions audited by SPS during the test were from that protocol only (for example, in the case of SSH measurements, 100% of the sessions were SSH).

Performance metrics

This section provides detailed performance metrics, as well as capacity information related to indexing and audit trail files.

General performance and capacity information

Pure performance:
  • The number of indexer worker threads running inside SPS is 0.
  • Real-time alerting (Content policy) is disabled.

Table 1: Pure performance

| Appliance | Max. RDP sessions | Max. SSH sessions | Max. HTTP sessions |
|---|---|---|---|
| SPS T1 | 200 | 1000 | 500 |
| SPS T4 | 300 | 1200 | 600 |
| SPS T10 | 500 | 1500 | 750 |

SPS Virtual Appliance (VA)

VA capabilities depend on the resources assigned to the Virtual Machine (VM). For the desired performance, One Identity recommends creating a VM with equivalent or similar resources to those of the corresponding T1 / T4 / T10 hardware appliance.

When calculating the required resources, always take into account the overhead produced by the virtualization layer.

NOTE:

Adding more resources than those of a T10 hardware model is not recommended because, in certain cases, that can cause a decrease in performance.

Capacity with real-time alerting:
  • SSH: Content policy was enabled on 100% of the sessions, with 4 rules matching 10% of the commands.
  • RDP: Content policy was enabled on 100% of the sessions, with 1 rule matching 10% of the window titles.

Table 2: Capacity with real-time alerting

| Appliance | Max. RDP sessions | Capacity (RDP) | Max. SSH sessions | Capacity (SSH) |
|---|---|---|---|---|
| SPS T1 | 20 | 10% | 200 | 20% |
| SPS T4 | 90 | 30% | 600 | 50% |
| SPS T10 | 150 | 30% | 1350 | 90% |

SPS Virtual Appliance (VA)

VA capabilities depend on the resources assigned to the Virtual Machine (VM). For the desired performance, One Identity recommends creating a VM with equivalent or similar resources to those of the corresponding T1 / T4 / T10 hardware appliance.

When calculating the required resources, always take into account the overhead produced by the virtualization layer.

NOTE:

Adding more resources than those of a T10 hardware model is not recommended because, in certain cases, that can cause a decrease in performance.

Indexer performance

Indexer performance with lightweight_indexing:

When using lightweight_indexing, SPS extracts only the executed commands (Command event) and window titles (Window title event) that appear on the screen. It does not index any other screen content (for example, text that is displayed in a terminal or that appears in an RDP window). Note that lightweight_indexing is available only in SPS 5 F3 and later. Also, on newly installed 5 F3 and later appliances, lightweight_indexing is automatically enabled by default in the Connection policies.

One instance of indexer worker thread can process the following amount of audit trails:

  • CLI: 450 hours / day
  • Graphical on 1280x1024 screen resolution: 560 hours / day
  • HTTP: N/A (HTTP traffic is not indexed when using lightweight_indexing)

The SPS appliances can have the following number of indexer worker threads running internally:

Table 3: Indexer performance with lightweight_indexing

| Appliance | # of internal threads | CLI capacity | Graphical capacity |
|---|---|---|---|
| SPS T1 | 2 | 900 hours / day | 1120 hours / day |
| SPS T4 | 1-4 * | 450-1800 hours / day | 560-2240 hours / day |
| SPS T10 | 6-12 * | 2700-5400 hours / day | 3360-6720 hours / day |

SPS Virtual Appliance (VA)

VA capabilities depend on the resources assigned to the Virtual Machine (VM). For the desired performance, One Identity recommends creating a VM with equivalent or similar resources to those of the corresponding T1 / T4 / T10 hardware appliance.

When calculating the required resources, always take into account the overhead produced by the virtualization layer.

NOTE:

Adding more resources than those of a T10 hardware model is not recommended because, in certain cases, that can cause a decrease in performance.

* The lower value shows the maximum number of internal indexer threads on an SPS under high load.

Caution:

Running any number of internal indexer threads is not suggested when real-time alerting is enabled, due to the high CPU usage of both features.

NOTE:

If the internal indexer of SPS is unable to handle the load, then One Identity recommends running external indexers.

In environments with high loads or when using near-real time indexing, running external indexers is the recommended approach.

Indexer performance with full_indexing:

When using full_indexing, SPS indexes the complete content of the screen, including all events. In SPS version 5 F2 and earlier, only full_indexing is available. Using full_indexing is slower and requires more resources than lightweight_indexing.

One instance of indexer worker thread can process the following amount of audit trails:

  • CLI: 600 hours / day
  • Graphical on 1280x1024 screen resolution: 100 hours / day
  • HTTP: 600 hours / day

SPS appliances can have the following number of indexer worker threads running internally:

Table 4: Indexer performance with full_indexing

| Appliance | # of internal threads | CLI capacity | Graphical capacity | HTTP capacity |
|---|---|---|---|---|
| SPS T1 | 2 | 1200 hours / day | 200 hours / day | 1200 hours / day |
| SPS T4 | 1-4 * | 600-2400 hours / day | 100-400 hours / day | 600-2400 hours / day |
| SPS T10 | 6-12 * | 3600-7200 hours / day | 600-1200 hours / day | 3600-7200 hours / day |

SPS Virtual Appliance (VA)

VA capabilities depend on the resources assigned to the Virtual Machine (VM). For the desired performance, One Identity recommends creating a VM with equivalent or similar resources to those of the corresponding T1 / T4 / T10 hardware appliance.

When calculating the required resources, always take into account the overhead produced by the virtualization layer.

NOTE:

Adding more resources than those of a T10 hardware model is not recommended because, in certain cases, that can cause a decrease in performance.

* The lower value shows the maximum number of internal indexer threads on an SPS under high load.

Caution:

Running any number of internal indexer threads is not suggested when real-time alerting is enabled, due to the high CPU usage of both features.

NOTE:

If the internal indexer of SPS is unable to handle the load, then One Identity recommends running external indexers.

In environments with high loads or when using near-real time indexing, running external indexers is the recommended approach.

Using an external indexer:

Creating an external indexer with equivalent or similar resources to those of the corresponding T1 / T4 / T10 hardware appliance allows you to process roughly the same amount of audit trails as the internal indexer of those hardware models.

Minimum hardware requirements for running the indexer externally from SPS:
  • Available CPU core/thread per indexer worker.
  • 2.4 GHz or faster CPU.
  • 300 MB RAM per indexer worker.
  • There is minimal disk space usage by the indexer workers (only to store the logs).
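
The per-worker figures, internal thread counts and external indexer requirements above can be combined into a quick sizing check. The following is an added example, not One Identity code: the function names, the sample workload and the assumption that one worker's day can be shared between protocols are illustrative and do not come from this guide.

```python
import math
from fractions import Fraction

# Hours of audit trail one indexer worker processes per day (figures from this guide).
# None = not indexed in that mode (HTTP with lightweight_indexing).
PER_WORKER = {
    "lightweight_indexing": {"cli": 450, "graphical": 560, "http": None},
    "full_indexing": {"cli": 600, "graphical": 100, "http": 600},
}
# Internal indexer threads per appliance as (under high load, maximum), Tables 3 and 4.
INTERNAL_THREADS = {"T1": (2, 2), "T4": (1, 4), "T10": (6, 12)}
RAM_MB_PER_WORKER = 300  # minimum RAM per external indexer worker


def workers_needed(mode, daily_hours):
    """Workers required for a workload given as {protocol: hours of trails per day}.

    Assumption (not stated in the guide): a worker's day can be shared between
    protocols, so per-protocol fractions are summed before rounding up.
    """
    load = Fraction(0)
    for protocol, hours in daily_hours.items():
        rate = PER_WORKER[mode][protocol]  # KeyError on an unknown mode or protocol
        if rate is not None:
            load += Fraction(hours) / rate
    return math.ceil(load)


def plan(appliance, mode, daily_hours, realtime_alerting=False, high_load=True):
    """Split the required workers between internal threads and external indexers."""
    needed = workers_needed(mode, daily_hours)
    under_load, maximum = INTERNAL_THREADS[appliance]
    if realtime_alerting:
        internal = 0  # guide: internal indexer threads not suggested with alerting
    else:
        internal = min(needed, under_load if high_load else maximum)
    external = needed - internal
    return {
        "workers_needed": needed,
        "internal_threads": internal,
        "external_workers": external,
        "external_cpu_threads": external,  # one core/thread per worker
        "external_ram_mb": external * RAM_MB_PER_WORKER,
    }


# Constructed workload: hours of recorded sessions per day on an SPS T4.
SAMPLE = {"cli": 900, "graphical": 250, "http": 300}
if __name__ == "__main__":
    print(plan("T4", "full_indexing", SAMPLE))
    print(plan("T4", "lightweight_indexing", SAMPLE, realtime_alerting=True))
```

The result is a planning estimate only; as stated in the Introduction, the final design should still be verified by One Identity engineers.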