Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
6040
Views
0
Helpful
0
Comments

AMP for Endpoints Bandwidth Consumption and Considerations

dkrull
Cisco Employee
Cisco Employee

on ‎07-07-2020 09:49 PM

 

 

Note: This guide is provided as a best effort to better help users understand the potential impact running multiple clients with TETRA, SPERO, ETHOS, DFC and SHA256 Lookups enabled and their bandwidth usage. The sizes in these guides are subjected to fluctuation. Units are expressed in Bytes (B), Gigabytes (GB) and Kilobytes (KB).

Quick Overview of TETRA on AMP for Endpoints

TETRA is a full antivirus replacement and should never be enabled if another antivirus engine is installed. TETRA can also consume significant bandwidth when downloading definition updates, so caution should be exercised before enabling it in a large deployment.

To enable TETRA and adjust settings go to Advanced Settings > TETRA in your policy.

Please see the AMP for Endpoints User Guide – Chapter 4 for more information on TETRA here: https://console.amp.cisco.com/docs

TETRA AV Signature Bandwidth Consumption

TETRA requires a minimum of 1GB of storage space per endpoint. Please see the chart below:

500MB – 550MB Initial TETRA Signature Download after installing a TETRA enabled connector Only downloaded once as the base definition set.
~ 1MB to 8MB

Incremental Signature Updates

 ~ 4 to 8 updates are pushed per day.*

* Note: Depending on the Content Update Interval configured in the policy under Advanced Settings > TETRA will affect how often these are downloaded and thus bandwidth usage within the environment. Automatic Content Updates must be enabled to receive updates.

Quick Overview of ETHOS, SPEROS, DFC and SHA256 Lookup

ETHOS is the Cisco file grouping engine.

SPERO is the Cisco machine-based learning system.

Device Flow Correlation (DFC) allows you to monitor network activity.

SHA256 Lookup Files and applications are hashed and sent to the cloud for disposition lookup and cached.

Please see the AMP for Endpoints User Guide – Chapter 4 for more information on these here: https://console.amp.cisco.com/docs

ETHOS, SPEROS, DFC and SHA256 Lookup Bandwidth Consumption

Since these engines use minimal bandwidth.

Expected Average Client generates roughly 54 queries per day per client.

Considerations

Take care of WAN links and AMP installation in locations that have limited bandwidth. Deploying many endpoints at one time could impact availability to other network services.

TETRA

If installing into a location that has bandwidth concerns it may be worth installing a local TETRA Update Server as needed to lessen the demand on the WAN up-link. The TETRA server will act as a local network location for your endpoints to retrieve the necessary updates. This will drastically reduce bandwidth consumption over the WAN link.

Please see AMP Update Server Configuration Steps here: https://www.cisco.com/c/en/us/sup-port/docs/security/amp-endpoints/213237-amp-tetra-on-prem-server-configuration-s.html

ETHOS, SPEROS, DFC and SHA256 Lookup

Unless the bandwidth is extremely limited these engines do not need to be considered as their demand on the network is very limited. The expected traffic volume for a 5,000 Endpoint environment is ~139MB per day.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents