Network Architecture Overview
Table 1. Sites and Components
| Sites | Components | Description |
|---|---|---|
| Primary Site | ESA | ESA P1, ESA S1, ESA S2 |
| Primary Site | LTM | LTM-1: Manages resiliency within the Primary Site |
| DR Site | ESA | ESA S3, ESA S4, ESA S5 |
| DR Site | LTM | LTM-2: Manages resiliency within the DR Site |
| Primary and DR Sites | GTM | GTM: Manages resiliency between the Primary and DR Sites |
Table 2. ESA Compatibility
| ESA version | Supported Protectors |
|---|---|
| 10.x.x | |
Communication Flows
The table below describes the communication flows depicted in the diagrams in Deployment with Default Audit logging flow to ESA and Deployment with Audit logging flow to External SIEM.
Table 3. Communication Flows
| Flow | Request Initiator | Destination | Port | Protocol | Flow Sequence | LTM Configuration |
|---|---|---|---|---|---|---|
| Policy Download for v9.1.0.0 Protector | Pepserver in the Protector node | Service Dispatcher in ESA | 8443 | TLS | Primary Active Flow: Protector 9.1 -> GTM -> LTM-1 -> ESA P1. DR Flow: Protector 9.1 -> GTM -> LTM-2 -> ESA S3 | Primary Active Flow: Active connection to ESA P1 and standby connection to other ESAs. DR Flow: Active connection to ESA S3 and standby connections to other ESAs |
| Package Download for v10.0.0 Standard Protector | RPAgent in the Protector node | RPP in ESA | 25400 | TLS | Primary Active Flow: Protector 10.0.0 -> GTM -> LTM-1 -> ESA P1. DR Flow: Protector 10.0.0 -> GTM -> LTM-2 -> ESA S3 | Primary Active Flow: Active connection to ESA P1 and standby connection to other ESAs. DR Flow: Active connection to ESA S3 and standby connection to other ESAs |
| Forwarding of Audit Events to ESA | Log Forwarder in the Protector node | Insight in ESA | 9200 | TLS | Primary Active Flow: Protector 9.1.0.0/10.0.0 -> GTM -> LTM-1 -> ESA P1, S1, S2. DR Flow: Protector 9.1.0.0/10.0.0 -> GTM -> LTM-2 -> ESA S3, S4, S5 | Primary Active Flow: Routed to all ESAs in the Primary Site. DR Flow: Routed to all ESAs in the DR Site |
| Forwarding of Audit Events to External SIEM via ESA | Log Forwarder in the Protector node | TD-Agent in ESA | 24224 / 24284 | Non-TLS / TLS | Primary Active Flow: Protector 9.1.0.0/10.0.0 -> GTM -> LTM-1 -> ESA P1, S1, S2 -> External SIEM. DR Flow: Protector 9.1.0.0/10.0.0 -> GTM -> LTM-2 -> ESA S3, S4, S5 -> External SIEM | Primary Active Flow: Routed to all ESAs in the Primary Site. DR Flow: Routed to all ESAs in the DR Site |
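As an added example (not part of the original document), the following Python model encodes the flows of Table 3 and the active/standby versus routed-to-all behaviour described in the LTM Configuration column; the health map, the assumption that GTM prefers the Primary Site while any of its ESAs is healthy, and the round-robin cursor are assumptions of the model, and `cleartext_flows()` lists the flows the table marks Non-TLS.

```python
# Constructed model of the Table 3 flows and the GTM/LTM selection they describe.
# Assumptions (not from the page): GTM prefers the Primary site while any of its
# ESAs is healthy, else DR; LTM uses the first healthy pool member as the active
# one for active/standby flows and spreads "routed to all ESAs" flows round-robin.

SITES = {
    "Primary": {"ltm": "LTM-1", "esas": ["ESA P1", "ESA S1", "ESA S2"]},
    "DR": {"ltm": "LTM-2", "esas": ["ESA S3", "ESA S4", "ESA S5"]},
}

# flow name -> (port, tls, routing mode); ports and protocols are from Table 3
FLOWS = {
    "policy_download": (8443, True, "active_standby"),
    "package_download": (25400, True, "active_standby"),
    "audit_to_esa": (9200, True, "all"),
    "audit_to_siem_plain": (24224, False, "all"),
    "audit_to_siem_tls": (24284, True, "all"),
}

class Router:
    """Simulates the Protector -> GTM -> LTM -> ESA path for one flow."""

    def __init__(self, health):
        self.health = health  # ESA name -> True if up (constructed input)
        self._cursor = {}     # per-site round-robin position

    def choose_site(self):
        for site, cfg in SITES.items():
            if any(self.health.get(esa, False) for esa in cfg["esas"]):
                return site
        raise RuntimeError("no healthy ESA in any site")

    def route(self, flow):
        port, tls, mode = FLOWS[flow]
        site = self.choose_site()
        cfg = SITES[site]
        healthy = [esa for esa in cfg["esas"] if self.health.get(esa, False)]
        if mode == "active_standby":
            target = healthy[0]  # active member; the rest are standby
        else:
            pos = self._cursor.get(site, 0)
            target = healthy[pos % len(healthy)]
            self._cursor[site] = pos + 1
        return {"path": ["Protector", "GTM", cfg["ltm"], target],
                "port": port, "tls": tls}

def cleartext_flows():
    """Flows the table marks Non-TLS; review these before sending audit data."""
    return sorted(name for name, (_, tls, _) in FLOWS.items() if not tls)
```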
The table below summarizes the key measurements for the recommended model architecture across various dimensions.
Table 4. Key measurements for the recommended model architecture across various dimensions
| Measurement | Policy | Insight | Criteria summary |
|---|---|---|---|
| Extensibility | √ | √ | The current architecture allows easy addition of new features, capabilities, or functionalities without requiring significant changes to the existing architecture. |
| Vertical Scalability | √ | √ | The current architecture allows a node to expand its capacity by adding resources such as processing power, memory, or storage. |
| Horizontal Scalability | X | √ | The current architecture can distribute the load among multiple machines to improve the system's reliability and performance through static, consistent routing. For Policy, however, it is always recommended to perform authoring and modification only from the Primary ESA; hence Policy does not support horizontal scalability. |
| High Availability | X | √ | For Policy, HA is not supported because there is no real-time replication of policy changes from the Primary ESA to the other ESAs; replication depends on the TAC replication job. For Insight, audit logs are replicated to all the ESAs in a round-robin fashion, and replicas are available in each of the ESAs, handled by OpenSearch. |
| Disaster Recovery | √ | √ | The architecture meets the necessary criteria for disaster recovery, but it is important to ensure that an appropriate DR plan is in place and tested by the user. The solution relies on the external SIEM for complete log retention. |
| Federation | √ | √ | The current architecture can manage policy (monitor nodes), analyse events, and access logs to monitor performance and troubleshoot potential issues at the enterprise level (single pane of glass). This criterion is met through the use of an external SIEM. |
These measurements underscore the importance and effectiveness of adhering to a well-defined model architecture, ensuring resiliency, fault tolerance, scalability, security, maintainability, and adaptability to change.