External PostgreSQL with Tenable Security Center Director
Note: When reviewing external PostgreSQL documentation, ensure that you use the appropriate documentation version for the PostgreSQL version you deployed.
Requirements
If your Tenable Security Center Director installation manages more than 100,000 assets, Tenable strongly recommends that you use an external PostgreSQL server for performance. Depending on deployment complexity or usage, Tenable Support may recommend that you use an external PostgreSQL server for improved performance, even if you manage fewer than 100,000 assets.
Migration Between Internal and External PostgreSQL
You can use the Tenable-provided script and instructions to migrate between an internal and external PostgreSQL implementations with Tenable Security Center Director.
Responsibility Matrix
You are responsible for the following when you use an external PostgreSQL server with Tenable Security Center Director:
-
Installing and configuring PostgreSQL
-
Backing up PostgreSQL
-
Securing PostgreSQL
-
Patching and upgrading PostgreSQL
Tenable is responsible for:
-
The Tenable Security Center Director database and structure within PostgreSQL
-
Data integrity and database-level configuration
You must not access or modify the Tenable Security Center Director database within PostgreSQL directly.
Installation
You may use any currently supported version of PostgreSQL. These include:
-
PostgreSQL 13.x
-
PostgreSQL 14.x
-
PostgreSQL 15.x
-
PostgreSQL 16.x (preferred)
-
PostgreSQL 17.x
Tenable follows the PostgreSQL lifecycle and removes support after that major version's final version is released. For example, Tenable will not support PostgreSQL 13.x after November 2025.
Caution: If you use an external PostgreSQL 17, Tenable does not currently support migrating back to an internal PostgreSQL database.
Follow the PostgreSQL documentation for installation instructions.
You may choose a managed (by a cloud vendor or other) instance of PostgreSQL, as long as you meet the requirements listed above.
Note: When you use an external PostgreSQL database and you uninstall Tenable Security Center Director, the associated PostgreSQL database remains. Contact your Database Administrator to remove the database properly and completely, and ensure you take and maintain any required backups.
Configuration
External PostgreSQL Resource Requirements
For hardware requirements for PostgreSQL with Tenable Security Center Director, see Hardware Requirements
The table below shows the sizing requirements for Tenable Security Center Director based on the asset count. Tenable uses this information to determine the appropriate PostgreSQL configuration parameters needed for optimal Tenable Security Center Director performance.
| # of Hosts Managed by Tenable Security Center Director | CPU Cores | Memory | Minimum Disk Space Required for PostgreSQL Data |
|---|---|---|---|
| 2,500 active IPs | 4 | 16 GB RAM | 20 GB |
| 10,000 active IPs | 8 | 32 GB RAM | 50 GB |
| 25,000 active IPs | 16 | 64 GB RAM | 100 GB |
| 100,000 active IPs | 32 | 128 GB RAM | 400 GB |
| 250,000 active IPs | 64 | 256 GB RAM | 1 TB |
You can set PostgreSQL configuration items using various methods. Review the PostgreSQL documentation for information on how to apply these configuration changes.
The following are recommended settings for various Tenable Security Center Director sizes:
4 vCPUs/16 GB RAM, Cloud Equivalent- m6g.xlarge (2,500 active IPs and ~2 million Vulnerabilities)
max_connections=50
max_worker_processes=4
max_parallel_workers_per_gather=2
max_parallel_maintenance_workers=2
max_parallel_workers=4
shared_buffers=4GB
work_mem=128MB
maintenance_work_mem=1024MB
effective_cache_size=12GB
default_statistics_target=100
checkpoint_completion_target=0.9
wal_buffers=128MB
max_wal_size=6GB
min_wal_size=3GB
checkpoint_timeout=15min
wal_writer_flush_after=4MB
wal_writer_delay=10ms
effective_io_concurrency=200
random_page_cost=1.1
8 vCPUs/32 GB RAM, Cloud Equivalent- m6g.2x large (10,000 active IPs and ~8 million Vulnerabilities)
max_connections=50
max_worker_processes=8
max_parallel_workers_per_gather=4
max_parallel_maintenance_workers=4
max_parallel_workers=8
shared_buffers=8GB
work_mem=256MB
maintenance_work_mem=2048MB
effective_cache_size=24GB
default_statistics_target=100
checkpoint_completion_target=0.9
wal_buffers=128MB
max_wal_size=6GB
min_wal_size=3GB
checkpoint_timeout=15min
wal_writer_flush_after=4MB
wal_writer_delay=10ms
effective_io_concurrency=200
random_page_cost=1.1
16 vCPUs/64 GB RAM, Cloud Equivalent- m6g.4x large (25,000 active IPs)
max_connections=50
max_worker_processes=16
max_parallel_workers_per_gather=4
max_parallel_maintenance_workers=4
max_parallel_workers=16
shared_buffers=32GB
work_mem=1024MB
maintenance_work_mem=2048MB
effective_cache_size=96GB
default_statistics_target=100
checkpoint_completion_target=0.9
wal_buffers=128MB
max_wal_size=6GB
min_wal_size=3GB
checkpoint_timeout=15min
wal_writer_flush_after=4MB
wal_writer_delay=10ms
effective_io_concurrency=200
random_page_cost=1.1
32 vCPUs/128 GB RAM, Cloud Equivalent- m6g.8x large (70,000 Hosts and ~40 million Vulnerabilities)
max_connections=50
max_worker_processes=32
max_parallel_workers_per_gather=4
max_parallel_maintenance_workers=4
max_parallel_workers=32
shared_buffers=32GB
work_mem=1024MB
maintenance_work_mem=2048MB
effective_cache_size=96GB
default_statistics_target=100
checkpoint_completion_target=0.9
wal_buffers=128MB
max_wal_size=6GB
min_wal_size=3GB
checkpoint_timeout=15min
wal_writer_flush_after=4MB
wal_writer_delay=10ms
effective_io_concurrency=200
random_page_cost=1.1
64 vCPUs/256 GB RAM, Cloud Equivalent- m6g.16x large
max_connections=50
max_worker_processes=64
max_parallel_workers_per_gather=4
max_parallel_maintenance_workers=4
max_parallel_workers=64
shared_buffers=64GB
work_mem=1024MB
maintenance_work_mem=2048MB
effective_cache_size=192GB
default_statistics_target=100
checkpoint_completion_target=0.9
wal_buffers=128MB
max_wal_size=6GB
min_wal_size=3GB
checkpoint_timeout=15min
wal_writer_flush_after=4MB
wal_writer_delay=10ms
effective_io_concurrency=200
random_page_cost=1.1
Security
Tenable recommends that you implement an applicable PostgreSQL security baseline—such as the Center for Internet Security (CIS) PostgreSQL Benchmark or the Crunchy Data PostgreSQL STIG—if you host your own PostgreSQL instance. Tenable does not provide support for implementing these benchmarks, and some configurations may impact Tenable Security Center Director performance or functionality.
Implementation of security benchmarks may require adding external extensions, for example, pgaudit and pgcrypto, to PostgreSQL. Tenable does not provide support or documentation on how to install or configure these extensions.
Patching and Upgrades
Note: You must shut down Tenable Security Center Director before you patch or upgrade PostgreSQL.
Tenable recommends you do the following:
-
Monitor PostgreSQL Security Updates and apply the relevant security patches after testing.
-
Take a backup of the Tenable Security Center Director database before you patch or upgrade PostgreSQL.