Limits

Flows and Endpoints

Metric

Limit

8RU/39RU/SaaS/-

Number of concurrent servers (virtual machine or bare metal) from which telemetry data can be analyzed by Secure Workload

  • Up to 10,000 with detailed flow telemetry

    Up to 20,000 with conversation-only flow telemetry

8RU

  • Up to 37,500 with detailed flow telemetry

    Up to 75,000 with conversation-only flow telemetry

39RU

Number of flow events that can be processed by Secure Workload per second

up to 500,000 per second

8RU

up to 2 million per second

39RU

Tenants, Child Scopes, Inventory Filters, and Roles

Metric

Limit

8RU/39RU

Number of workloads in full fidelity mode

10000

8RU

37500

39RU

Number of tenants

7

8RU

35

39RU

Number of child scopes per tenant

1000 *

8RU

5000

39RU

Number of child scopes across tenants

7000

8RU

35000

39RU

Number of workspaces per tenant

1000 *

8RU

3500 *

39RU

Number of workspaces across tenants

5000

8RU

20000

39RU

Number of inventory filters per tenant

1000 *

8RU

5000 *

39RU

Number of inventory filters across tenants

7000 *

8RU

35000 *

39RU

Number of Roles per child scope

6

8RU

6

39RU

Note

* If conversation mode is enabled on all agents, Secure Workload supports up to two times the mentioned limits for limits marked with an asterisk (*). For details, see Conversation Mode.

Cloud Connectors

Cloud Connectors

Metric

Limit

Scale

Virtual Networks

Kubernetes Clusters

AWS Connector

Total number of flows exported by AWS connector

15000 flows per second

5 accounts per connector

5 per account

5 per account

Azure Connector

Total number of flows exported by Azure connector

15000 flows per second

5 subscriptions per connector

5 per subscription

5 per subscription

Google Cloud Platform

Total number of flows exported by GCP connector

15000 flows per second

5 projects per connector

5 per project

5 per project

Note

  • A maximum of 50 connectors, including cloud connectors, can be configured in a cluster across all tenants.

  • The workloads managed by cloud connectors in Secure Workload require workload licenses, therefore, ensure that your total workloads are licensed and within the cluster limits.

Connectors


Note

  • A maximum of 50 connectors, including cloud connectors, can be configured in a cluster across all tenants.

  • For limits applicable to individual connectors, see What are Connectors.

Connector

Metric

Limit

AnyConnect Connector

Total number of AnyConnect endpoints supported by one AnyConnect connector

5000 endpoints

Note

 

The number of AnyConnect endpoints across all AnyConnect Proxy sensors is limited by the number of sensors supported by the Secure Workload appliance.

AnyConnect Connector

Number of LDAP attributes that could be labelled on inventories of AnyConnect endpoints

6 attributes

AWS Connector

Total number of flows exported by AWS connector

15000 flows per second

F5 Connector

Total number of flows exported by F5 connector

15000 flows per second

NetFlow Connector

Total number of flows exported by one NetFlow connector

15000 flows per second

NetScaler Connector

Total number of flows exported by NetScaler connector

15000 flows per second

Connector

Metric

Limit

AnyConnect Connector

Total number of AnyConnect endpoints supported by one AnyConnect connector

5000 endpoints

Note

 

The number of AnyConnect endpoints across all AnyConnect Proxy sensors is limited by the number of sensors supported by the Secure Workload appliance.

AnyConnect Connector

Number of LDAP attributes that could be labelled on inventories of AnyConnect endpoints

6 attributes

AWS Connector

Total number of flows exported by AWS connector

15000 flows per second

F5 Connector

Total number of flows exported by F5 connector

15000 flows per second

NetFlow Connector

Total number of flows exported by one NetFlow connector

15000 flows per second

NetScaler Connector

Total number of flows exported by NetScaler connector

15000 flows per second

ERSPAN Connector

Total number of flows exported by ERSPAN connector

15000 flows per second

Secure Workload Virtual Appliances for Connectors

Appliance

Metric

Limit

Secure Workload Ingest Appliance

Number of connectors on one appliance

3

Number of appliances per root scope

100

Number of appliances per cluster

500

Secure Workload Edge Appliance

Number of connectors on one appliance

6

Number of appliances per root scope

1

Number of appliances per cluster

Number of root scopes

Label Limits

Feature

Metric

Limit

8RU/39RU/SaaS/-

Label limits

Maximum number of IP Addresses that can be labeled across all root scopes

1,500,000 *

39RU

500,000 *

8RU

Maximum number of subnets that can be labeled across all root scopes

200,000

39RU

50,000

8RU

Maximum number of IP Addresses that can be labeled per tenant (CMDB only)

6,000 / 100 licenses (SaaS only)

Maximum number of subnets that can be labeled per tenant (CMDB only)

120 / 100 licenses (SaaS only)

Note

* If conversation mode is enabled on all agents, Secure Workload supports up to two times the mentioned limits for limits marked with an asterisk (*). For details, see Conversation Mode.

Limits Related to Policies

Feature

Metric

Limit

8RU/39RU/SaaS/-

Automatic policy discovery (formerly ADM)

 Maximum number of member workloads (endpoints) allowed for automatic policy discovery run

5000

-
Maximum number of conversations allowed for automatic policy discovery run

10,000,000

-

Maximum number of member workloads (endpoints) allowed for automatic policy discovery run with deep policy generation option selected

25,000

-

Maximum number of conversations allowed for automatic policy discovery run with deep policy generation option selected

20,000,000

-

Maximum number of total unique workloads (endpoints) allowed for automatic policy discovery run

15,000,000

-

Maximum number of exclusion filters in Default Policy Discovery config

100

-

Maximum number of exclusion filters allowed per workspace

100

-

Concrete policies

Aggregate size of policies on agents installed on non-Kubernetes workloads

2.5 MB

(About 2000 policies, depending on complexity)

-

Aggregate size of policies on agents installed on Kubernetes nodes

7.5 MB

(About 6000 policies, depending on complexity)

-

Other Features

Feature

Metric

Limit

8RU/39RU/SaaS/-

Alerts

Number of instances supported within a root scope

256

-

Number of instances supported across root scopes

1024

-

Number of latest alerts that are displayed on UI per root scope

5000

-

Maximum alert rate to preview in UI

60 per minute

Note

 

If more than 60 alerts are sent per minute then UI will show a summary message indicating that alerts were sent to the DataTap but are suppressed in UI. Note that the 60 alerts per minute applies to the rate at which alerts are sent to datataps, and does not apply to the alert time nor event time and is unrelated to any specific batch of data.

-

Number of alerts configured per root scope (via modal)

1000

-

Maximum number of alerts processed by Alerts App per minute batch

20000

-

Compliance App

Number of workspaces supported

128

-

Neighborhood App

Number of root scopes on which Neighborhood app can be enabled

256

-

Maximum number of alert configurations per type per root scope.

Note

 

Ensure that the number of alert configurations that you have currently for each type under Neighborhood app per root scope is within 30.

30

-

Maximum number of live analysis filters and clusters per scope

500

-

Feature

Metric

Limit

8RU/39RU/-

Number of tracked inventory items

Maximum number of IP Addresses that can be tracked across all root scopes

1,500,000 *

39RU

500,000 *

8RU

Maximum number of subnets that can be tracked across all root scopes

200,000

39RU

50,000

8RU

Data-In or Data-Out

Feature

Metric

Limit

8RU/39RU/SaaS/-

Data Taps

Number of data taps supported per appliance

10

-