Minimum System Requirements

This section summarizes the minimum infrastructure requirements for deploying the Forcepoint Data Security Posture Management (DSPM) platform and its optional add-on modules, based on the current internal sizing matrix. All values represent minimum starting points for a production deployment; additional capacity may be required depending on data volumes, enabled features, and integration scope.

Basic pre-requisites

Ensure the following items are in place and configured properly:

  • Domain Name Service (DNS) with public name resolution enabled.
  • Network Time Protocol (NTP)
  • Software Update Service- access to a network-based repository for software update packages.
  • Fixed private IPv4 address
  • Unique static host name

Operating System

The commands have been tested on following OS versions:
Ubuntu 24.04, 22.04
RHEL 8.x,9.x
Note: Only Server edition versions are supported. No Desktop Environment installed. No other Linux distributions are supported.

Other Requirements

Note: For hardened systems, see: Deploying Product in CIS hardened OS or K3s. Refer to the official K3s documentation and our troubleshooting guide for additional setup.
Ubuntu
  • disable ufw, systemd-resolved, apparmor
  • /var partition should not have noexec flag
RHEL/CentOS/Oracle Linux
  • firewalld
    systemctl disable firewalld --now
  • fapolicyd
    
systemctl disable fapolicyd.service
  • nm-cloud-setup
    systemctl disable nm-cloud-setup.service nm-cloud-setup.timer
reboot
  • If you are using a dedicated partition (/var/lib/rancher) to run K3s make sure to NOT have mounted it using noexec flag inside /etc/fstab file.
  • Check FIPS mode

    If you have FIPS mode enabled is necessary to disable it otherwise some of our workloads running in K3s will crash at start up. To check if FIPS is enabled run:

    sysctl crypto.fips_enabled

    Value of 1 means FIPS mode is enabled, in order to disable, please refer to the steps as mentioned in below article: How to disable FIPS in RHEL/CentOS.

  • Check if running iptables newer than 1.8.4
    RHEL like systems have buggy version of iptables 1.8.4 which is causing issues with firewall, service routing and external network reachability as well as performance issues. It is required to configure k3s to use bundled version by modifying k3s service( same for k3s-agent service on worker nodes in HA deployments) file and adding --prefer-bundled-bin option to service’s cmd and restarting service. 
    ~$ cat  /etc/systemd/system/k3s.service
ExecStart=/usr/local/bin/k3s \
    server \
	'--node-name=local-01' \
	'--prefer-bundled-bin' \


~$ sudo systemctl daemon-reload
~$ sudo systemctl stop k3s
~$ sudo systemctl start k3s
~$

Also, firewalldnm-cloud-setup.service and nm-cloud-setup.timer must be disabled and the server must be restarted before the installation, click here for more information.

Hardware requirements

Note: Minimum requirement for the a single node Kubernetes cluster is one virtual machine for supporting up to 5000 users.
Note: Sizes mentioned below are meant to be sufficient for both structured and unstructured data.

Minimum resource requirements

The following table lists per-component minimum resource requirements.
Component CPU (vCPUs) Memory (GB) Storage (GB)
Base DSPM platform 20 80 1200
FDC add-on 4 16 500
DDR add-on 8 16 500
Structured add-on 12 32 500

All add-on requirements are incremental to the base DSPM platform sizing shown above.

Sample configurations

These examples illustrate how to combine the component values to size a deployment.

Example 1 – DSPM only

A deployment that uses only the core DSPM platform (no add-ons) requires:

  • CPU: 20 vCPUs
  • Memory: 80 GB
  • Storage: 1200 GB
Example 2 – DSPM with FDC

A deployment that enables DSPM and the FDC add-on (no DDR or Structured) requires:

  • CPU: 24 vCPUs (20 + 4)
  • Memory: 96 GB (80 + 16)
  • Storage: 1700 GB (1200 + 500)

The same method can be used to derive totals for any combination of add-on modules by summing the per-component CPU, memory, and storage values in the table above.

Filesystem inode guidance

For deployments on filesystems with a specified inode limit, allocate at least 50 million inodes for the basic configuration.

Plan for an additional 25 million inodes for each additional component or add-on that is enabled to avoid inode exhaustion as the platform scales.

Capacity planning and review

The values in this document are minimum requirements intended to provide a safe starting point for initial deployment and proof-of-concept work.

During a PoC engagement and after that every six months of production use, customers should utilization to validate assumptions and adjust capacity as needed.

It is recommended to incorporate this utilization data into the organization’s standard capacity-planning process to ensure the platform can accommodate future data growth, additional connectors, and new use cases.

When in doubt, engage Forcepoint representatives or support to review sizing and growth plans before making major changes to the environment.

Storage and partition details
  • Only SSD storage is supported
  • Locally mounted storage is mandatory (NAS or network-attached storage is not supported).
  • Performance baseline (minimum):
    • IOPS: ≥ 4,500 sustained
    • Throughput: ≥ 250 MB/s sustained
    • Latency: Low (< 1 ms typical for NVMe/SSD; NAS introduces bursty throttling and is unsuitable).
  • Recommended type: NVMe SSDs (preferred) or enterprise-grade locally mounted SSDs.
  • SWAP must be disabled
  • / root requires at least 20GB
  • /var requires at least 20GB
  • /var/lib/rancher requires at least 500GB (in case of EDC, use the correct disk space according to the type of deployment shown above).
  • /tmp requires at least 75GB
Note:
  1. if neither /var nor /var/lib/rancher /tmp is specifically assigned to a partition you must assign the full 500GB to root
  2. if /var is specifically assign to a partition but /var/lib/rancher is not, then you must assign the 500GB to /var
  3. if /var/lib/rancher is specifically assign to a partition but /var is not, then you must assign the 500GB to /var/lib/rancher

Networking Specifications

To download application artifacts (Docker images and binaries), updates, and configuration files, the cluster requires a public internet connection with a minimum download speed of 40 mbps and an upload speed of 8 mbps. For a faster initial setup, a download speed of 100 mbps or more is recommended. The cluster needs a public internet connection to download Docker images, binaries, updates, and configuration files.

K3s needs port 443/TCP open **inbound** and this is needed for any user accessing the dashboard and any endpoint where the agent wants to connect from. It does not have to be publicly accessible, if all users of dashboard / users of agents are on company VPN for example, then this port only needs to be open on the internal network.

Your network should be configured to allow the following public URLs to be accessible by the server over the outbound 443 (HTTPS) and HTTPS traffic bypassed (NOT intercepted) i.e. SSL inspection must be disabled:

https://assets.master.k3s.getvisibility.com (Custom K3s installation files)
https://images.master.k3s.getvisibility.com (Private Docker registry) 
https://charts.master.k3s.getvisibility.com (Private Helm registry) 
https://prod-eu-west-1-starport-layer-bucket.s3.eu-west-1.amazonaws.com (Docker registry AWS CDN)
https://rpm.rancher.io (Rancher RPM repo for configuring SELinux packages. Only required during K3s install and only on RHEL systems)
https://agents.master.k3s.getvisibility.com (Agent client binaries and OfficeAddins)
https://api.master.k3s.getvisibility.com (Private API server)
https://rancher.$RESELLER_NAME.k3s.getvisibility.com (Rancher management server, $RESELLER_NAME, depending on license/reseller will be one of: master, forcepointemea, fpemea, forcepointapac, forcepointus, saas, forcepointpocemea, forcepointpocapac, forcepointpocus)
https://registry2.getvisibility.com/content/artifacts
Note: K3s running on the customer server might try to reach to "git.rancher.io" since it is the default hard-coded repository, but we have our own private repository with all our charts. So, it is ok, to block it as we cannot disable it.

Downloads

Note: Below file downloads are also needed for Rancher and helm online type of deployments.

Download following file sets:

K3s and Antivirus

It is recommended to disable antivirus or any other third party software before proceeding with installation. See section Degraded performance due to Antivirus for issues when antivirus is not disabled.