Installation Requirements

Sandfly uses a server to manage the user interface and database. Scanning nodes make the actual connections to remote systems to hunt for intruders on your network.

In order to get the best performance, we recommend the following.

Server Requirements

The server runs Docker containers for the User Interface (UI) and PostgreSQL database. They have been tested to work on many Linux distributions as long as they can run the latest version of Docker or Podman on an amd64 architecture.

We recommend using a system with at least 8GB of RAM and two or more CPU cores dedicated to it. An SSD is recommended for the best performance.

If you are running a very large number of systems, you will need to scale these figures up appropriately. Conversely, a small test environment or home lab with a small number of scanned hosts should be able to get by with lower resources.

A server that is under-powered will have database timeout issues. If the UI is taking a long time to load data, then you have too few resources and need to upgrade the RAM and/or CPU cores.

IMPORTANT: Latest Version of Docker Required

Regardless of which version of Linux you use to run the Server and Node, it must be running the latest version of Docker. Some Linux distributions have very old versions of Docker in their package repositories. Please use the Sandfly Docker install scripts to be sure you are running only the latest version of Docker and not an out-of-date version.

Node Requirements

The scanning nodes are Docker containers that are multi-threaded. Depending on the amount of free memory, multiple node containers can be run on a single system instance.

The node containers have been tested to work on many Linux distributions as long as they can run the latest version of Docker or Podman on an amd64 architecture.

For best performance, we recommend that each of these system instances has at least 4GB of RAM.

With the above configuration, up to 3 scanning node containers can run comfortably. Each scanning node container has 500 threads running. Therefore, running 3 node containers will give you 1500 scanning threads available to monitor hosts in your environment.

You can increase RAM further to add more scanning node containers, or you can start a second virtual machine (VM) instance and run nodes there for more redundancy in case one of them goes offline. Conversely, a small test environment or home lab with a small number of scanned hosts should be able to get by with lower resources.

The nodes communicate with the server to automatically handle connections and load management. As long as the node containers can see the server, they will organize themselves correctly regardless of where they are running.
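
A preflight check for the server and node figures above, written as an added example and not part of Sandfly's own tooling. It assumes "8GB" and "4GB" mean 8192 and 4096 MiB, allows 10% slack because the kernel reports slightly less than installed RAM, and assumes one core for a node host since the page states no core count for nodes; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check against the minimums stated on this page.
# SLACK_PCT is an assumption: MemTotal is always a bit under the installed RAM
# because the kernel and firmware reserve some of it.
SLACK_PCT=10

# Read /proc/meminfo-format text on stdin, print MemTotal in MiB.
mem_total_mib() {
    awk '$1 == "MemTotal:" { printf "%d\n", $2 / 1024; found = 1 }
         END { if (!found) exit 1 }'
}

# check_host ROLE ARCH MEM_MIB CPUS -> 0 if the host meets the page's figures.
# Server: 8GB RAM and 2+ cores. Node host: 4GB RAM (core count is assumed).
check_host() {
    role=$1 arch=$2 mem=$3 cpus=$4 rc=0
    case $role in
        server) need_mem=8192 need_cpu=2 ;;
        node)   need_mem=4096 need_cpu=1 ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    floor=$(( need_mem * (100 - SLACK_PCT) / 100 ))
    case $arch in
        x86_64|amd64) ;;   # uname -m reports amd64 as x86_64
        *) echo "FAIL arch $arch is not amd64" >&2; rc=1 ;;
    esac
    [ "$mem" -ge "$floor" ] || { echo "FAIL ${mem} MiB RAM, need ~${need_mem}" >&2; rc=1; }
    [ "$cpus" -ge "$need_cpu" ] || { echo "FAIL $cpus CPU cores, need $need_cpu" >&2; rc=1; }
    return $rc
}

# Run against the local host: preflight server|node
preflight() {
    mem=$(mem_total_mib < /proc/meminfo) || return 2
    check_host "$1" "$(uname -m)" "$mem" "$(getconf _NPROCESSORS_ONLN)" || return 1
    # A container runtime must be present; whether it is the latest release
    # cannot be decided offline, so the version is only reported.
    if command -v docker >/dev/null 2>&1; then docker --version
    elif command -v podman >/dev/null 2>&1; then podman --version
    else echo "FAIL neither docker nor podman found" >&2; return 1
    fi
}

# Only touch the local host when a role is given on the command line.
if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run it as `sh preflight.sh server` or `sh preflight.sh node` on the intended host; compare the reported runtime version with the current Docker release by hand.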


For further details on scaling, especially for large deployments, please refer to the Sandfly Scaling Guide.

