
Symantec™ Data Loss Prevention Endpoint Server Scalability Guide

Documentation version: 15.1

Last updated: 26 July 2018

Legal Notice
Copyright © 2018 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo and the Checkmark Logo are trademarks or registered trademarks of
Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks
of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution
to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open
source or free software licenses. The License Agreement accompanying the Software does not alter any
rights or obligations you may have under those open source or free software licenses. Please see the
Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec
product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution,
and decompilation/reverse engineering. No part of this document may be reproduced in any form by any
means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO
CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined
in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer
Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and
Commercial Computer Software Documentation," as applicable, and any successor regulations, whether
delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government
shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com
Contents

Chapter 1  Overview of Endpoint Server scalability  5
    About Endpoint Server scalability  5
    Other Endpoint scalability documents  6

Chapter 2  Testing methodology  7
    Product setup and configuration  7
    Test scenarios and execution  9
        Performance measurements  10
        Break point conditions  11

Chapter 3  Test results and recommendations  12
    About the test results  12
    Test results  12
    Deployment recommendations  14
Chapter 1
Overview of Endpoint Server scalability
This chapter includes the following topics:

■ About Endpoint Server scalability

■ Other Endpoint scalability documents

About Endpoint Server scalability


A major consideration when you plan a Symantec Data Loss Prevention deployment is the
number and configuration of Endpoint Servers that you include in your deployment. This
document presents the results of scalability testing for Endpoint Servers and agents that can
help you establish what works best for scaling your deployment.
The tests examined the following operations:
■ The effect of adding agents to an Endpoint Server
■ The effect of restarting the Endpoint Server
■ The effect of agents connecting and disconnecting from the network
■ Policy updates
■ The effect of sending incidents to an Endpoint Server
■ The effect of running Endpoint Discover scans and the DLP Agent sending scan status to
the Endpoint Server
■ The effect of Endpoint Server failover

Other Endpoint scalability documents


The following documents, available at the Symantec Support Center, discuss Endpoint Server
scalability and performance:
■ Symantec Data Loss Prevention Endpoint Server Scalability on VMware (DOC8800)
■ Symantec Data Loss Prevention Endpoint Server Scalability on Citrix XenApp (DOC8801)
■ Symantec Data Loss Prevention Endpoint Performance (DOC8802)
Chapter 2
Testing methodology
This chapter includes the following topics:

■ Product setup and configuration

■ Test scenarios and execution

Product setup and configuration


Scalability data is affected by a variety of hardware and software factors. The specific
configurations that were used to derive the data that is presented in this guide were based on
typical Symantec Data Loss Prevention environments.
Table 2-1 describes the environments that were used for the performance tests.

Table 2-1 Test environment

Hardware and software
  Computer 1: Enforce Server/Oracle database:
  ■ 3.0 GHz 4-core CPU
  ■ 16 GB RAM
  ■ Microsoft Windows 2008 (64-bit)
  ■ Oracle 12c R1, version 12.1.0.2.0
  ■ Symantec Data Loss Prevention version 15.1

  Computer 2: Endpoint Server:
  ■ 3.0 GHz 4-core CPU
  ■ 16 GB RAM
  ■ Microsoft Windows 2008 R2 (64-bit), Microsoft Windows 2012 R2 (Standard), RHEL 6.6, and RHEL 7.1
  ■ Symantec Data Loss Prevention version 15.1

  Both servers were deployed on physical hardware; virtualization was not used.

Agents
  The tests used three host systems that each ran 10,000 simulated DLP Agents.

Policies
  Policies of sufficient size and complexity were chosen. The policies were derived from actual production environments and represent the types of policies that most customers use.

  The following policies were used:
  ■ Gramm-Leach-Bliley
  ■ HIPAA and HITECH
  ■ Keyword

Network
  The tests were carried out in a well-controlled laboratory environment where systems were connected on a local area network with 100-Mbps Ethernet connectivity.

  Although the tests were performed in a controlled environment, the network was not isolated. Other systems that were not related to this test were connected and communicating, but these systems were not performing any network-intensive activity. This design was intentional; the aim was to simulate a realistic load on the network while the tests were in progress.

Incidents generated during testing
  During the eight-hour test, the simulated agents sent one Clipboard incident every three hours. The incidents were triggered by either keyword matches or EDM matches (which use two-tier detection).

Events sent during testing
  The simulated agents sent the following events:
  ■ Connection and disconnection
  ■ Agent service status
  ■ File system driver status

Figure 2-1 shows the architecture that was used for testing.

Figure 2-1 Endpoint Server scalability test architecture

Test scenarios and execution


The tests were designed to simulate load on a newly installed Endpoint Server. The tests used
simulated agents that connected to the Endpoint Server.
The tests were run on a new installation of the Endpoint Server. The following steps were
performed:
1. 30,000 agents were added to the Endpoint Server.
2. After all the agents had connected to the Endpoint Server, an Endpoint Discover scan was
started and run for eight hours.
3. A policy was updated and sent to all agents.
4. The Endpoint Server was restarted.
During the test, each agent sent the following data every three hours:
■ Connection and disconnection events
■ Agent service status
■ Incidents
■ File system driver status
These steps exercised the following functionality of the Endpoint Server:
■ Policy management—receiving, storing, and pushing policies to connected agents
■ Incident management—receiving, processing, and sending incidents to the Enforce Server
■ Agent connections—processing incoming connections from new agents
■ Agent re-connections—processing reconnections from all agents when the Endpoint Server
restarts
■ Agent grouping—adding agents to an agent group

Note: The tests were performed a minimum of three times and performance measurements
were averaged among the test results.

Performance measurements
The following aspects of Endpoint Server performance were measured:
■ Overall CPU usage
■ CPU usage of Endpoint Server processes
■ Overall system memory usage
■ Memory usage for all Endpoint Server processes
■ Process crashes and restarts
■ Disconnection of agents (if any)
■ Number of disconnected agents
■ Time that is required for all agents to reconnect
■ Time that is required for a new policy to reach all agents

Break point conditions


The testing attempted to find the maximum load for an Endpoint Server. When the server
reaches its maximum load, one of the following conditions occurs:
■ The Endpoint Server does not respond to new connections.
■ Connected agents disconnect and are not able to reconnect within the expected amount
of time.
■ A new policy or updated policy that is sent to the agents does not reach the agents or takes
longer than expected to reach the agents.
■ Endpoint Server or system CPU usage remains consistently high (greater than 80%).
■ The host machine consumes all available memory, resulting in overall performance
degradation.
■ Incidents are lost, or it takes an abnormally long period of time for incidents to reach the
Enforce Server.
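The break point conditions above double as an operational health check for a production Endpoint Server. The following added example (not Symantec code) evaluates a series of constructed monitoring samples against them; the 80% CPU figure comes from the guide, while the "consistently high" window, the free-memory floor, and the reconnect and policy-delivery deadlines are assumptions chosen for illustration.

```python
"""Evaluate Endpoint Server health samples against the guide's break-point
conditions.  Added example, not Symantec code.  The 80% CPU threshold is from
the guide; the remaining thresholds are assumptions for illustration."""
from dataclasses import dataclass
from typing import List

CPU_HIGH_PCT = 80.0         # from the guide: "greater than 80%"
SUSTAINED_SAMPLES = 3       # assumption: 3 consecutive samples = "consistently"
MEM_FREE_MIN_MB = 512       # assumption: below this the host has exhausted memory
RECONNECT_DEADLINE_S = 900  # assumption: agents should reconnect within 15 minutes
POLICY_DEADLINE_S = 1800    # assumption: a policy should reach all agents in 30 minutes


@dataclass
class Sample:
    cpu_pct: float          # Endpoint Server + system CPU usage at sample time
    mem_free_mb: int        # free memory on the host
    disconnected: int       # agents still disconnected after the last restart
    since_restart_s: int    # seconds since the last Endpoint Server restart
    policy_pending: int     # agents that have not yet received the newest policy
    since_policy_s: int     # seconds since the newest policy was pushed


def breakpoints(samples: List[Sample]) -> List[str]:
    """Return the break-point conditions met by the newest sample; CPU is
    judged over the last SUSTAINED_SAMPLES samples so a single spike is ignored."""
    hits: List[str] = []
    if not samples:
        return hits
    recent = samples[-SUSTAINED_SAMPLES:]
    if len(recent) == SUSTAINED_SAMPLES and all(s.cpu_pct > CPU_HIGH_PCT for s in recent):
        hits.append("cpu_consistently_high")
    last = samples[-1]
    if last.mem_free_mb < MEM_FREE_MIN_MB:
        hits.append("memory_exhausted")
    if last.disconnected > 0 and last.since_restart_s > RECONNECT_DEADLINE_S:
        hits.append("agents_failed_to_reconnect")
    if last.policy_pending > 0 and last.since_policy_s > POLICY_DEADLINE_S:
        hits.append("policy_delivery_late")
    return hits


# Constructed samples: a healthy server (CPU near the 25.5% the guide measured)
# and a server drifting past every break point over three sampling periods.
HEALTHY = [Sample(25.5, 11000, 0, 3600, 0, 3600)] * 3
SATURATED = [Sample(82.0, 9000, 0, 600, 120, 600),
             Sample(88.0, 2000, 40, 1200, 50, 1200),
             Sample(91.0, 300, 12, 1800, 5, 1900)]

if __name__ == "__main__":
    print(breakpoints(HEALTHY))    # []
    print(breakpoints(SATURATED))  # all four conditions
```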
Chapter 3
Test results and recommendations
This chapter includes the following topics:

■ About the test results

■ Test results

■ Deployment recommendations

About the test results


This chapter presents the observations, test results, and recommendations for scalability of
Endpoint Servers. Performance of a Symantec Data Loss Prevention deployment varies
depending on the infrastructure, Enforce Server configuration, and the overall workload of the
deployment. The test results, observations, and recommendations provide a point of reference
based on the configurations and the hardware that were specified for the testing. Limitations
in scalability cannot be attributed to any one variable in these tests.

Test results
Table 3-1 describes the scalability test results.

Table 3-1 Scalability test results

Number of agents supported with transient connection
  30,000

  With 30,000 agents connected, a restart of the Endpoint Server did not have a negative effect on the ability of the agents to reconnect. All agents reconnected successfully.

Number of agents supported with persistent connection
  If agents are set up to connect to the Endpoint Server using a persistent connection, 10,000 agents are supported.

Memory consumption
  The average memory consumption for the supported number of agents on the specified hardware configuration was around 4 GB.

Table 3-2 lists the Endpoint Server performance test results based on scenario.

Table 3-2 Endpoint Server performance measurements

Scenario 1
  Test scenario:
  ■ Endpoint Prevent incidents sent to Endpoint Server
  ■ Endpoint Discover incidents sent to Endpoint Server
  ■ Endpoint Server restarted
  ■ Policies sent to agents
  ■ Agent configurations sent to agents
  SSL cache: On
  Polling interval (minutes): 15
  Concurrent connected agents (maximum): 6000
  Average Endpoint Server CPU resource consumption: 25.5%
  Average Endpoint Server memory consumption: 4.5 GB

Scenario 2
  Test scenario:
  ■ Endpoint Prevent incidents sent to Endpoint Server
  ■ Endpoint Discover incidents sent to Endpoint Server
  ■ Endpoint Server restarted
  ■ Policies sent to agents
  SSL cache: Off
  Polling interval (minutes): 15
  Concurrent connected agents (maximum): 9000
  Average Endpoint Server CPU resource consumption: 22.5%
  Average Endpoint Server memory consumption: 4.47 GB

Scenario 3
  Test scenario:
  ■ Endpoint Prevent incidents sent to Endpoint Server
  ■ Endpoint Discover incidents sent to Endpoint Server
  ■ Start secondary Endpoint Server
  ■ Stop primary Endpoint Server
  ■ Agents connect to secondary Endpoint Server
  ■ Policies sent to agents
  SSL cache: On
  Polling interval (minutes): 5
  Concurrent connected agents (maximum): 9000
  Average Endpoint Server CPU resource consumption: 21%
  Average Endpoint Server memory consumption: 4.28 GB

Deployment recommendations
Symantec recommends the following based on the test results.
■ Host the Endpoint Server on a physical computer that is dedicated only to the functions of
the server.
■ Use server-grade computers with a minimum of 16 GB RAM and 4-core processors.

Note: Increasing CPU and memory resources is not directly proportional to the ability of an
Endpoint Server to support additional agents.

In addition to these scalability recommendations, the following general recommendations can
also improve scalability and performance:
■ Consider how changes in policy size affect overall performance of the Endpoint Server.
Policies that are larger or more complex require more processing power and memory usage
by the Endpoint Server.
■ When possible, use single-tier detection. Agent IDM, introduced in Symantec Data Loss
Prevention version 14.5, largely eliminates the need for two-tier detection. Two-tier detection
reduces the overall performance and scalability of the Endpoint Server. (Two-tier detection
occurs when the Agent sends data to the Endpoint Server for analysis.)

■ Consider that networking speed, latency, and the use of load balancers in the network can
affect the overall performance of the Endpoint Server.
