We are about to start testing Rogue Sensors in our network. However, I have a question about the optimal settings that we should use for Rogue Sensors. I don't want to overload the ePO server, so I am looking for advice from other people who are using Rogue Sensors.
Our network consists of a lot of VLANs with a potential for over 7,000 devices. I am currently thinking of just taking the defaults of 2 active sensors per VLAN. What is confusing me is the other settings.
What are other people setting the following options to?
Sensors Detected system cache lifetime: the default is 5 minutes - what would be the best time to set this to?
Reporting time for active sensors: the default is 5 minutes - what is the optimal time to set this to?
We are thinking of just selecting the option "Use ePO server to determine the active sensors".
We just want to monitor the network but not perform any scanning. So we are thinking of turning off the option "scan detected systems for OS details".
Are there any other settings that we may want to consider? We are trying to not impact the network or any systems that may have the sensors installed on them. Are there any pitfalls with Rogue Sensors that we need to be aware of?
Personally I would start with the defaults, and modify them if you feel it necessary - generally speaking the defaults are a good starting point.
The one big, big thing to avoid though is deploying large numbers of sensors at once. The first time a sensor communicates with ePO the server needs to generate a key pair, which is a very CPU-intensive task. If a lot of sensors try this at the same time it can have a very marked performance impact on the ePO server. Instead I'd deploy the sensors in batches - say 50 at a time, and monitor the ePO server as they come online to make sure you're not impacted.