External PostgreSQL with Tenable Security Center Director

Note: When reviewing external PostgreSQL documentation, ensure that you use the appropriate documentation version for the PostgreSQL version you deployed.

Requirements

If your Tenable Security Center Director installation manages more than 100,000 assets, Tenable strongly recommends that you use an external PostgreSQL server for performance. Depending on deployment complexity or usage, Tenable Support may recommend that you use an external PostgreSQL server for improved performance, even if you manage fewer than 100,000 assets.

Migration Between Internal and External PostgreSQL

You can use the Tenable-provided script and instructions to migrate between an internal and external PostgreSQL implementations with Tenable Security Center Director.

Responsibility Matrix

You are responsible for the following when you use an external PostgreSQL server with Tenable Security Center Director:

  • Installing and configuring PostgreSQL

  • Backing up PostgreSQL

  • Securing PostgreSQL

  • Patching and upgrading PostgreSQL

Tenable is responsible for:

  • The Tenable Security Center Director database and structure within PostgreSQL

  • Data integrity and database-level configuration

You must not access or modify the Tenable Security Center Director database within PostgreSQL directly.

Installation

You may use any currently supported version of PostgreSQL. These include:

  • PostgreSQL 13.x

  • PostgreSQL 14.x

  • PostgreSQL 15.x

  • PostgreSQL 16.x (preferred)

Tenable follows the PostgreSQL lifecycle and removes support after that major version's final version is released. For example, Tenable will not support PostgreSQL 13.x after November 2025.

Follow the PostgreSQL documentation for installation instructions.

You may choose a managed (by a cloud vendor or other) instance of PostgreSQL, as long as you meet the requirements listed above.

Note: When you use an external PostgreSQL database and you uninstall Tenable Security Center Director, the associated PostgreSQL database remains. Contact your Database Administrator to remove the database properly and completely, and ensure you take and maintain any required backups.

Configuration

External PostgreSQL Resource Requirements

For hardware requirements for PostgreSQL with Tenable Security Center Director, see Hardware Requirements

The table below shows the sizing requirements for Tenable Security Center Director based on the asset count. Tenable uses this information to determine the appropriate PostgreSQL configuration parameters needed for optimal Tenable Security Center Director performance.

# of Hosts Managed by Tenable Security Center Director CPU Cores Memory Minimum Disk Space Required for PostgreSQL Data
2,500 active IPs 4 16 GB RAM 20 GB
10,000 active IPs 8 32 GB RAM 50 GB
25,000 active IPs 16 64 GB RAM 100 GB
100,000 active IPs 32 128 GB RAM 400 GB
250,000 active IPs 64 256 GB RAM 1 TB

You can set PostgreSQL configuration items using various methods. Review the PostgreSQL documentation for information on how to apply these configuration changes.

The following are recommended settings for various Tenable Security Center Director sizes:

Security

Tenable recommends that you implement an applicable PostgreSQL security baseline—such as the Center for Internet Security (CIS) PostgreSQL Benchmark or the Crunchy Data PostgreSQL STIG—if you host your own PostgreSQL instance. Tenable does not provide support for implementing these benchmarks, and some configurations may impact Tenable Security Center Director performance or functionality.

Implementation of security benchmarks may require adding external extensions, for example, pgaudit and pgcrypto, to PostgreSQL. Tenable does not provide support or documentation on how to install or configure these extensions.

Patching and Upgrades

Note: You must shut down Tenable Security Center Director before you patch or upgrade PostgreSQL.

Tenable recommends you do the following:

  • Monitor PostgreSQL Security Updates and apply the relevant security patches after testing.

  • Take a backup of the Tenable Security Center Director database before you patch or upgrade PostgreSQL.