Support Center > Search Results > SecureKnowledge Details
Disk space tips and tricks for SecurePlatform / Gaia / IPSO / Linux OS
Solution

The root cause of excessive disk consumption may be one of a number of factors, and it may vary depending on the host's function (Security Gateway, Security Management, Log Server, SmartEvent, etc.).

The list below presents only some of the most common causes of excessive disk consumption. This list should not be construed as an exhaustive list.

First of all, refer to sk91060 - Removing old Check Point packages and files after an upgrade on Security Gateway / Security Management Server.

The items on this list are numbered only for convenience. These numbers do not designate the order of carrying out the steps.

  1. Determine the mount point that is most severely affected by disk constraints.

    Use the 'df' command to view the partition table and its associated utilization:

    Gaia / SecurePlatform / Linux OS:
    [Expert@HostName]# df -h
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/sda6            1004M  257M  697M  27% /
    /dev/sda1             145M   17M  121M  13% /boot
    /dev/sda5              14G  1.7G   12G  13% /opt
    /dev/sda2             2.0G  1.4G  545M  72% /sysimg
    /dev/sda7              80G  1.3G   75G   2% /var
    [Expert@HostName]#
    
    IPSO OS:
    HostName[admin]# df -h
    Filesystem               Size    Used   Avail Capacity  Mounted on
    /dev/mirror/gmroots1f    1.9G    319M    1.5G    17%    /
    devfs                    1.0K    1.0K      0B   100%    /dev
    /dev/mirror/gmroots1a     38M    102K     35M     0%    /config
    /dev/mirror/gmroots1d     21G    567M     18G     3%    /var
    /dev/mirror/gmroots1e    3.8G    649M    2.8G    18%    /opt
    procfs                   4.0K    4.0K      0B   100%    /proc
    HostName[admin]# 
    
    Note: The virtual /proc filesystem will always be 100% full.
  2. Once a problematic partition is identified, begin analyzing the contents of that partition.

    Use the 'du' command to examine disk space utilization at directory-level.
    This provides a starting point for further examination.

    For example, let us examine the '/opt' partition:

    Gaia / SecurePlatform / Linux OS:
    Either the "du -h" command: Or run the "du -b" command:
    [Expert@HostName]# du -h --max-depth=1 /opt | sort -n -r
    440M    /opt/spwm
    440K    /opt/CPsplatIS-R75.20
    360M    /opt/CPsuite-R75.20
    150M    /opt/CPrt-R75.20
    129M    /opt/CPshrd-R75.20
    63M     /opt/KAV
    60M     /opt/CPportal-R75.20
    35M     /opt/CPV40Cmp-R75.20
    30M     /opt/CPNacPortal
    29M     /opt/aspam_engine
    29M     /opt/CPSG80CMP-R75.20
    24M     /opt/CPR7540CMP-R75.20
    24K     /opt/SecurePlatform
    23M     /opt/CPUserCheckPortal
    23M     /opt/CPEdgecmp-R75.20
    20M     /opt/CPSmartLog-R75.20
    18M     /opt/CPR7520CMP-R75.20
    17M     /opt/CPR75CMP-R75.20
    16M     /opt/CPadvr-R75.20
    16M     /opt/CPR71CMP-R75.20
    16K     /opt/lost+found
    15M     /opt/CPNGXCMP-R75.20
    14M     /opt/CPCON66CMP-R75.20
    8.0K    /opt/CPshared
    6.1M    /opt/postfix
    4.2M    /opt/CPInstLog
    2.1M    /opt/MegaRAID
    1.9M    /opt/CPinfo-10
    1.5G    /opt
    [Expert@HostName]#
    
    [Expert@HostName]# du -b --max-depth=1 /opt | sort -n -r
    588183040       /opt
    460406784       /opt/spwm
    377487360       /opt/CPsuite-R75.20
    157171712       /opt/CPrt-R75.20
    134565888       /opt/CPshrd-R75.20
    65155072        /opt/KAV
    62816256        /opt/CPportal-R75.20
    35860480        /opt/CPV40Cmp-R75.20
    30670848        /opt/CPNacPortal
    30134272        /opt/CPSG80CMP-R75.20
    29581312        /opt/aspam_engine
    25001984        /opt/CPR7540CMP-R75.20
    23605248        /opt/CPUserCheckPortal
    23220224        /opt/CPEdgecmp-R75.20
    20656128        /opt/CPSmartLog-R75.20
    17948672        /opt/CPR7520CMP-R75.20
    17629184        /opt/CPR75CMP-R75.20
    16322560        /opt/CPadvr-R75.20
    16084992        /opt/CPR71CMP-R75.20
    14798848        /opt/CPNGXCMP-R75.20
    13770752        /opt/CPCON66CMP-R75.20
    [Expert@HostName]#
    
    IPSO OS:
    HostName[admin]# du -h -d 1 /opt | sort -n -r
    649M    /opt
    300M    /opt/CPsuite-R75.20
    253M    /opt/packages
     27M    /opt/CPSG80CMP-R75.20
     15M    /opt/CPR75CMP-R75.20
     14M    /opt/CPV40Cmp-R75.20
     13M    /opt/CPR71CMP-R75.20
     12M    /opt/CPNGXCMP-R75.20
    6.0K    /opt/image
    5.8M    /opt/CPuag-R75.20
    5.4M    /opt/CPInstLog
    2.0K    /opt/CPshared
    2.0K    /opt/.snap
    1.9M    /opt/CPinfo-10
    1.5M    /opt/CPUninstall
    HostName[admin]#
    

 


 

These are some common factors in excessive disk utilization and their associated remediation.

  1. Check and remove old database revisions:

    1. A quick way to check the number of database revisions on a Security Management server is:

      Gaia / SecurePlatform / Linux / IPSO OS:
      # ls -1 $FWDIR/conf/db_versions/repository/ | wc -l
    2. Check the disk utilization by database revisions:

      Gaia / SecurePlatform / Linux OS:
      [Expert@HostName]# du -h --max-depth=0 $FWDIR/conf/db_versions
      IPSO OS:
      HostName[admin]# du -h -d 0 $FWDIR/conf/db_versions

    While it is possible to manually delete legacy database revisions from the CLI, Check Point recommends that legacy database revisions be removed through SmartDashboard ('File' menu - 'Database Revision Control...'). This ensures that the pointer is updated accordingly.

  2. Check for unprocessed SmartEvent records:

    1. The following command counts the number of records:

      Gaia / SecurePlatform / Linux / IPSO OS:
      # ls -l $RTDIR/distrib/* | wc -l
    2. Stop the Eventia / SmartEvent:

      Gaia / SecurePlatform / Linux / IPSO OS:
      # evstop
    3. Purge this directory of stale records:

      Gaia / SecurePlatform / Linux / IPSO OS:
      # cd $RTDIR/distrib/
      # rm -r $RTDIR/distrib/*
    4. Start the Eventia / SmartEvent:

      Gaia / SecurePlatform / Linux / IPSO OS:
      # evstart

    Related solutions:

  3. Find and delete old core dump files:

    Gaia / SecurePlatform / Linux OS:
    [Expert@HostName]# ls -lR /var/log/dump/usermode/
    [Expert@HostName]# ls -lR /var/crash/
    IPSO OS:
    HostName[admin]# find "/" -iname \*core -type f -exec ls -l {} \; | grep -v '\/image\/'
  4. Remove old rotated FireWall logs from $FWDIR/log/ directory on Security Management Server:

    Gaia / SecurePlatform / Linux / IPSO OS:
    # cd $FWDIR/log/
    # ls -l *.log

    This example removes all log files from year 2009:
    # rm 2009*.log*

  5. Remove old upgrade_export files:

    These files can be very large. Locate any old backups that you do not need anymore and delete them.
    Typically, these files reside somewhere in /var partition and end with a .tgz extension.
  6. Remove any legacy compiled policies on Security Management Server for Security Gateways that are no longer in production:

    On Security Management Server, within $FWDIR/conf/ directory, there are subdirectories for each managed Security Gateway. These subdirectories contains copies of the compiled policy. For any Security Gateways that are no longer in production, delete the corresponding subdirectory.
  7. Remove temporary files for Anti-Virus engine:

    On Gaia / SecurePlatform installations, there is a directory named /opt/CA/avengine/tmp/ArcTemp.
    This is commonly a cause of excessive disk consumption. You might want to delete the files in that directory.

    Gaia / SecurePlatform OS:
    [Expert@HostName]# rm -r /opt/CA/avengine/tmp/ArcTemp/*
  8. Remove specific temporary files in the $CPDIR/tmp/ directory:

    On Gaia / SecurePlatform installations, there is a directory named /opt/CPshrd-RXX/tmp.
    This directory - not currently symbolically linked to the /var/log partition - might contain temporary files named "filexxxx":

    [Expert@HostName]# ls -l $CPDIR/tmp/file*

    This is commonly a cause of excessive disk consumption.
    You might want to delete these temporary files named "filexxxx"
    (do NOT blindly delete other files - Check Point software will not be able to run).

    Related solutions:

  9. Remove Identity Awareness Captive Portal logs in /opt/NacPortal/log/ directory.

    Follow sk113619 - Identity Awareness Captive Portal page is not loading.
  10. On Gaia OS: Remove previous Takes of Jumbo Hotfix Accumulator from CPUSE repository.

    Note: This suggestion applies to Jumbo Hotfix Accumulators mentioned in sk98028.

    1. Connect to the Gaia Portal and obtain the lock over the configuration database.

    2. Navigate to "Upgrades (CPUSE)" pane (in Gaia R77.20 and above) / to "Software Updates" pane (in Gaia R77.10 and lower) - click on "Status and Actions".

    3. Use the filter button near the help icon and select the "Installed" packages.

    4. Select the previous Take of Jumbo Hotfix Accumulator - on the toolbar, click on "More" button - click on "Delete From Disk".

 


 

Related solutions:

Applies To:
  • This SK replaces sk39927.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment