Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Administering Forcepoint Databases > Factors that affect reporting database size
Factors that affect reporting database size
Administering Forcepoint Databases | Web, Data, and Email Solutions | v8.4.x
In this topic                                       
*
Web visits, consolidation, and full URL logging
*
Email sizing factors
*
Data sizing factors
Web visits, consolidation, and full URL logging
Forcepoint Web Security and Forcepoint URL Filtering use proprietary algorithms to reduce the volume of log data in order to achieve a balance between visibility into users' web browsing activity and the size and performance of the Log Database.
*
When you enable visits, Log Server combines the individual elements that create a web page (such as graphics and advertisements) into a single log record that includes bandwidth information for all elements of the visit.
When this option is disabled, you instead log hits. In this case, a separate log record is created for each HTTP request generated to display different page elements, including graphics, advertisements, embedded videos, and so on. This creates a much larger Log Database that grows rapidly.
Disabling visits can increase the total amount of data stored in the Log Database by a factor of 2.5.
*
To further reduce the size of the database, enable log record consolidation. This combines multiple, similar Internet requests into a single log record, reducing the granularity of reporting data.
*
By default, web protection products log only the URL hostname for each request, instead of the full URL. Storing the full URLs provides more visibility into where users are going within a particular website, but increases the Log Database storage demands.
Enabling full URL logging can increase the size of each record by 50%.
For information about more ways to either reduce the size of the Log Database or increase the amount of data recorded, refer to:Log Database sizing guidance
Email sizing factors
Email hybrid service
The Forcepoint Email Security hybrid service (included with the Hybrid Module) drops email that comes from known bad (blacklisted) sources and blocks email with a very high spam score in the cloud before it ever reaches the email appliance. This reduces the amount of data stored in the Email Log Database for reporting by 30 MB per user per month.
Above average email traffic: recipients, quarantined messages, or spam
The sizing guidelines above are based on the following assumptions about the email traffic handled by Forcepoint Email Security. These assumptions are derived from the average email traffic pattern of Forcepoint customers over time.
*
There are an average of 5 recipients for each email message.
*
When the email hybrid service is not enabled, the ratio among spam messages, infected messages, and clean messages is 85-to-1-to-14.
*
The email hybrid service scans only inbound email traffic, and it can block 25 percent of spam.
*
All outbound and internal email messages are clean.
Note that Forcepoint Email Security counts the number of recipients for each message rather than the number of messages sent. Each recipient is counted as a transaction.
If the pattern of email traffic in your organization exceeds these averages, your storage capacity will vary.
Data sizing factors
Number of discovery incidents
Forcepoint DLP limits the number of discovery incidents that can be stored in the Data Incident and Configuration Database in order to prevent improperly configured discovery policies from flooding the database. By default this limit is set to 1 million incidents. If you are using SQL Server Express, you should reduce this number to 250,000.
To do this:
1.
Log onto the Forcepoint Security Manager.
2.
Go to the Data > Settings > General > Reporting page.
3.
Select the Discovery tab.
4.
Adjust the Maximum Discovery Incidents field.
Refer to "Setting preferences for discovery incidents" in the Forcepoint DLP Administrator Help for more information.
 
* 
Note 
Forcepoint Data Discovery is not included in combined web, data, and email security solutions. It is an add-on feature that requires a separate subscription.
Rate of network and endpoint incidents
The rate of network and endpoint incidents detected varies widely across Forcepoint customers. The sizing guidelines above are based on an average incident rate of 1 per user every 10 days (an incident is a policy violation). For best practice, periodically review the actual incident rate in the database to gauge how closely your environment matches this average, and then adjust your database storage requirements based on the actual data in your environment.
Do this by examining the Incident Trends report found in the Data Security module of Forcepoint Security Manager under Main > Reporting.
 
* 
Note 
Forcepoint DLP Endpoint is not included in combined web, data, and email security solutions. It is an add-on feature that requires a separate subscription.
The Forcepoint DLP database stores data in partitions per each calendar quarter. You can have 1 active partition for the current quarter.
If you are using Microsoft SQL Server Standard or Enterprise for your reporting database, you can have up to 8 online partitions (approximately 2 years), but if you are using SQL Server Express, you can have only 4 (approximately 1 year). (Online partitions are partitions that can be used to show reports and log data).
For both databases, you can have up to 12 archived partitions representing 3 years of records, and 4 restored partitions (1 year).
 
Partition type
Microsoft SQL Server Standard or Enterprise
SQL Server Express
Active
1 partition (current quarter)
1 partition (current quarter)
Online
up to 8 partitions (2 years)
up to 4 partitions (1 year)
Restored
up to 4 partitions (1 year)
up to 4 partitions (1 year)
Archived
up to 12 partitions (3 years)
up to 12 partitions (3 years)
Total available managed partitions
25
21
Refer to "Incident partitions" in the Forcepoint DLP Administrator Help for more information on archiving. For instructions on setting the maximum disk space allowed for the incident archive, refer to "Configuring the incident archive".
Size of user directory import
To support user-based policy and reporting, Forcepoint DLP imports entries from your user directory—such as Active Directory or Domino—into the Configuration Database. Depending on the size and design of your user directory, this can result in database space being consumed by entries that are not needed by Forcepoint DLP. To reduce the number of imported user directory entries:
*
Configure Forcepoint DLP to import entries from a more specific root context that is deeper in the tree than the directory's root context.
*
Restrict the user attributes that are imported by specifying specific attributes to import; or eliminate them altogether by disabling the import of user attributes.
To configure user directory settings:
1.
Log onto the Forcepoint Security Manager.
2.
Go to the Data > Settings > General > User Directories page.
3.
Select the user directory to edit.
4.
Modify or add a root naming context.
5.
Modify the user attributes settings.
Refer to the "Adding a new user directory server" section in the Forcepoint DLP Administrator Help for information on configuring these settings.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Administering Forcepoint Databases > Factors that affect reporting database size
Copyright 2017 Forcepoint. All rights reserved.