Azure Configuration RecommendationsAzure Configuration Recommendations
This topic contains the minimum Azure VM configuration settings recommended for the NetWitness (NW) virtual stack components.
-
VM:
-
The recommended settings in the NetWitness component VM tables below were calculated under the following conditions.
- Ingestion rates of 15,000 EPS and 1.5GBps were used.
- All the components were integrated.
- The Log stream included a Log Decoder, Concentrator, and Archiver.
- The Packet stream included a Network Decoder and Concentrator.
- Incident Management was receiving alerts from the Reporting Engine and Event Stream Analysis.
- The background load included reports, charts, alerts, investigation, and respond.
- The default partition size of Azure VM hosts for /root is 8GB and for /var/netwitness is 15GB. These partitions can be increased to a minimum of 40GB. For more information see, Updating Partition Size.
-
-
VHD (Storage)
For more information, see Storage Guide for NetWitness® Platform XDR 12.1 on how to increase the number of volumes based on your storage requirements using the NetWitness Sizing & Scoping Calculator.Azure Instance Recommendations
The following table shows the storage recommendations for NetWitness Azure VMs.
Azure Image Type Rate (EPS) CPU (Cores) RAM (GB) Instance Type (Azure Name) NW Server Does not apply 16 112 Standard D14_v2
Log Decoder 15,000 32 128 Standard D32s_v3 Log Concentrator 15,000 16 112 Standard DS14_v2
Archiver 15,000 16 112 Standard D14_v2 Log Collector 15,000 8 32 Standard D8s_v3 UEBA* Does not apply 16 112 Standard D14_v2
Note: *If your log collection volume is low, NetWitness recommends you to deploy UEBA only on a virtual host. If you have a moderate to high log collection volume, NetWitness recommends you to deploy UEBA on the physical host as described under "NetWitness UEBA Host Hardware Specifications" in the Physical Host Installation Guide.
Refer to the Storage Guide for NetWitness Platform for additional storage information.
Packet Stream SolutionsPacket Stream Solutions
The following tables show Instance recommendations for Different EPS rates for Packet stream.
Note: NetWitness Decoder is supported with Gigamon Packet broker from version 11.7.x or higher on Azure Cloud environment.
Decoder - Gigamon SolutionDecoder - Gigamon Solution
| Azure Image Type | Rate (Mbps) | CPU (Cores) | RAM (GB) | Instance Type (Azure Name) | Accelerated Networking Enabled |
|---|---|---|---|---|---|
| Decoder | 500 | 16 | 64 |
Standard D16ds_v4 |
Yes |
| Decoder | 1000 | 16 | 64 | Standard D16ds_v4 | Yes |
| Decoder | 1500 | 32 | 128 |
Standard D32ds_v4 |
Yes |
| Rate (Mbps) | Volumes | Volume Type | IOPS / Baseline Throughput |
|---|---|---|---|
| 500 | index, session, meta | RAID5 of minimum 3 P15 Premium SSD Disks | 80MB/s |
| 500 | packet | RAID5 of minimum 3 P15 Premium SSD Disks | 80MB/s |
| 1000 | index, session, meta | RAID5 of minimum 3 P20 Premium SSD Disks | 170MB/s |
| 1000 | packet | RAID5 of minimum 3 P30 Premium SSD Disks | 170MB/s |
| 1500 | index, session, meta | RAID5 of minimum 3 P40 Premium SSD Disks | 300MB/s |
| 1500 | packet | RAID5 of minimum 3 P40 Premium SSD Disks | 300MB/s |
Concentrator - Gigamon SolutionConcentrator - Gigamon Solution
| Azure Image Type | Rate (Mbps) | CPU (Cores) | RAM (GB) | Instance Type (Azure Name) | Accelerated Networking Enabled |
|---|---|---|---|---|---|
| Packet Concentrator | 500 | 16 | 64 |
Standard D16ds_v4 |
No |
| Packet Concentrator | 1000 | 16 | 114 | Standard DS14_v2 | No |
| Packet Concentrator | 1500 | 16 | 114 |
Standard DS14_v2 |
No |
Note: For Packet Concentrator with 500Mbps rate, if the query load on the environment is on the higher side (max concurrent queries > 5), it is recommended to use Standard DS14_v2 Instance.
| Rate (Mbps) | Volumes | Volume Type | IOPS / Baseline Throughput |
|---|---|---|---|
| 500 | index | RAID5 of minimum 3 P30 Premium SSD Disks | 10000 |
| 500 | session, meta | RAID5 of minimum 3 P15 Premium SSD Disks | 80MB/s |
| 1000 | index | RAID5 of minimum 3 P40 Premium SSD Disks | 12000 |
| 1000 | session, meta | RAID5 of minimum 3 P20 Standard SSD Disks | 170MB/s |
| 1500 | index | RAID5 of minimum 3 P40 Premium SSD Disks | 15000 |
| 1500 | session, meta | RAID5 of minimum 3 P40 Premium SSD Disks | 300MB/s |
ESA and Context HubESA and Context Hub
The following table shows Instance recommendations for Different EPS rates for ESA.
| Rate (EPS) | CPU (Cores) | RAM (GB) | Instance Type | Accelerated Networking Enabled |
|---|---|---|---|---|
| 15,000 | 16 | 112 |
Standard DS14_v2 |
No |
| 50,000 | 20 | 140 | Standard DS15_v2 | Yes |
| 100,000 | 32 | 256 |
Standard E32s_v3 |
Yes |
Updating Partition SizeUpdating Partition Size
You can increase the partition size to a minimum of 40GB each.
After adding additional required disk size to the Azure VM, you can extend the partition sizes using the following commands:
- SSH to the VM, login as a root user and execute the following command to view the existing partitions along with the new partition added.
lsblk - Check the name of the new partition. Eg: sdc
pvcreate /dev/sdc -y
vgextend netwitness_vg00 /dev/sdc -y
lvextend -L 40G /dev/netwitness_vg00/root -y
xfs_growfs /dev/netwitness_vg00/root
lvextend -L 40G /dev/netwitness_vg00/nwhome -y
xfs_growfs /dev/netwitness_vg00/nwhome
These commands are provided assuming that sdc is the new disk added and 40GB is the extended partition size for each of the partitions.
