Deep Security : DSVA Availability options

This topic comes up a lot in our internal discussions and in client conversations: how do you ensure the DSVA is available? For those that don't know, some points on the DSVA:

  • DSVA = Deep Security Virtual Appliance
  • One DSVA per ESXi host
  • Is used to offload malware scanning from the guest VMs (its basic function)

Below are some design considerations that I would take into account in a VMware environment to ensure the DSVA is available and that alerts are sent out. Some of these options involve placing the host into MA mode, some restart the DSVA and some just send out an alert.

DSVA Heartbeat

The DSVA has a default policy that you can modify. The options to review are the DSVA Heartbeat settings back to the Deep Security Manager (DSM). These can be found as below:

(Screenshot: DSVA_HA_01)

This policy works as follows, using the options pointed out in red above:

  • The Heartbeat interval is set to 2 mins
  • The number of Heartbeats to miss before an alarm is raised in DSM is set to 2
  • Thus if the DSVA has missed two Heartbeats you will get an Alarm raised in DSM. Emails can be set up to send these alarms to the administrator.

vSphere Alarms

vSphere Alarms can be set up to monitor the DSVA power state. It has happened that the DSVA is powered off accidentally. By creating an Alarm that monitors the DSVA power state with an action to power it on again, one can assure that the DSVA is always powered on. Below are screenshots of the Alarm that can be created:

(Screenshot: DSVA_HA_02)

(Screenshot: DSVA_HA_03)

HA Monitoring

VMware HA Monitoring can also be used to ensure the DSVA is available. HA Monitoring uses the VMware Tools heartbeat from inside the DSVA to determine if the machine is still responding to in-OS heartbeats. You can set up rules for the DSVA to have a High (30 sec) monitoring setting. Thus for High, if the heartbeat is not received 3 times in a 30 sec interval, the VM will be restarted.

Just a design consideration: when you enable HA Monitoring it is enabled for all the VMs in the cluster. You will need to disable it for the VMs that don't need it.

Performance Stats and vCOps

The DSVA is not disk intensive but can be memory and CPU intensive if not sized correctly (the Deep Security Best Practice Guide has these sizing guidelines). You can use vCOps to monitor the performance and gain insight into the usage of CPU and memory over time. The Risk tab can provide guidelines on these metrics.

vSphere alarms can also be configured to trigger when the DSVA CPU and memory usage is over 80%. This could be an indication that the DSVA VM sizing should be re-looked at.

Powershell Script to place Host into MA Mode

It is possible to create a PowerShell script that, when a DSVA is off, the vSphere Alarm will run to place the host into MA mode.
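As an added example (not a script from the original post or from Trend Micro), the PowerCLI script below is the kind of alarm action that section describes: it first tries to power the DSVA back on, and only if that fails does it place the host into maintenance mode so the guests are moved to hosts whose DSVA is healthy. The vCenter name is a placeholder, and the script assumes PowerCLI is installed, that the account the alarm action runs under has a stored PowerCLI credential for that vCenter, and that this account holds a custom role limited to VM power operations and host maintenance mode.

```powershell
# Added example, not part of the original post. Intended to be run by a vSphere alarm
# action on "VM powered off" for the DSVA. Assumptions: PowerCLI is installed, the
# vCenter name below is a placeholder, the running account has a stored credential
# (New-VICredentialStoreItem) and a least-privilege role (VM power ops + host maintenance).
param(
    [string]$VCenter = 'vcenter.example.local',            # placeholder, replace with your vCenter
    [string]$DsvaName = $env:VMWARE_ALARM_TARGET_NAME,     # vCenter sets this to the alarm's target VM
    [int]$PowerOnWaitSeconds = 120
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
if (-not $DsvaName) { throw 'No DSVA name supplied (run from a vSphere alarm or pass -DsvaName).' }
$vc = Connect-VIServer -Server $VCenter -ErrorAction Stop

try {
    $dsva = Get-VM -Name $DsvaName -Server $vc -ErrorAction Stop
    $esx  = $dsva.VMHost

    # Step 1: the cheapest fix is simply to start the appliance again.
    if ($dsva.PowerState -ne 'PoweredOn') {
        Start-VM -VM $dsva -Confirm:$false -ErrorAction SilentlyContinue | Out-Null
        $deadline = (Get-Date).AddSeconds($PowerOnWaitSeconds)
        do {
            Start-Sleep -Seconds 10
            $dsva = Get-VM -Name $DsvaName -Server $vc
        } until ($dsva.PowerState -eq 'PoweredOn' -or (Get-Date) -gt $deadline)
    }

    if ($dsva.PowerState -eq 'PoweredOn') {
        Write-Output "$DsvaName is powered on on $($esx.Name); no further action."
        return
    }

    # Step 2: the appliance is still down, so guests on this host have no agentless
    # malware scanning. Put the host into maintenance mode; with DRS fully automated
    # the guests are vMotioned to hosts whose DSVA is running.
    if ($esx.ConnectionState -eq 'Maintenance') { return }
    Write-Output "Placing $($esx.Name) into maintenance mode because $DsvaName could not be started."
    Set-VMHost -VMHost $esx -State Maintenance -Confirm:$false -ErrorAction Stop | Out-Null
}
finally {
    Disconnect-VIServer -Server $vc -Confirm:$false
}
```

Without DRS in fully automated mode, the maintenance-mode task waits until the remaining VMs are evacuated manually, so test the alarm action in a lab cluster first.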

Key takeaways from this

There are many options to ensure the DSVA is available or to send alerts if there is an issue with the DSVA. As part of the design you should review the availability options and implement those that fit the client and the design needs.

The above options are for the architect to consider and be made aware of. Again, these are all my own views and the considerations I would take into account.
