Manual Chapter : What resources do I need to collect FPS data

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 5.4.0
Manual Chapter

Use this table to estimate the number of DCDs necessary to collect and display FPS alert data from BIG-IP devices.

  • If you are using an off-box logging solution to log FPS events, review a week’s worth of alert logs to identify the logging load you need to support. Take note of both the average and maximum alerts per second.

To determine the peak alerts/second rate to use in the table, first estimate the peak user load for the protected application over your highest period of production hours, and then plug that value into the following calculation:

<peak user load> users/(peak duration (h)*60m*60s)≈ number of logins/sec ≈ number of alerts/sec

For example, if you estimate that there are, at most, 1 million users logging in to access your FPS environment over a 4-hour timespan, the calculation results in a login rate of:

1,000,000 users/(4h*60m*60s) = ≈ 70 logins/sec ≈ 70 alerts/sec

Although each user login does not generate an alert, even single user logins or application transactions can generate multiple alerts depending on the protection policy’s configuration. For determining the number of DCDs needed to operate during peak conditions, 70 alerts per second is a reasonable assumption for this login rate.

Alerts/Sec Data Redundancy Recommended DCD count
100 No 1
200 Yes 2
300 Yes 3
400 Yes 4
500 Yes 5
600 Yes 6
  • The sizing recommendations in this table assume that you provision your DCDs with 8 cores/CPUs and 32 GB of memory.
  • When you choose an alert rate, consider both the average and peak loads that you anticipate. If your peak loads are frequent, consider provisioning additional data-collection nodes for the increased load. Also, when you determine your peak rates, plan for growth by considering the rate at which you expect your traffic load to increase.
  • The outgoing data rate from your BIG-IP devices also depends on the FPS policy configuration, the number of simultaneous application users, and their expected transaction rate.
  • The scale numbers provided assume the use of three forwarding rules (100% syslog forwarding, 10% SOC forwarding, 10% customer forwarding), and 17000 transform rules.
Note: Increasing the number of forwarding targets or the distance between your data collection devices increases the performance requirements for each node in the DCD cluster.