Вы находитесь на странице: 1из 5

Disk space tips and tricks for SecurePlatform / Gaia / IPSO / Linux OS

Solution ID:

sk60080

Product:

Security Gateway, Security Management

Version:

NGX R65, R70, R71, R75, R76, R77, R77.10, R77.20

OS:

SecurePlatform, SecurePlatform 2.6, Gaia, Linux, IPSO 3.x, IPSO 4.x, IPSO 6.2

Platform / Model:

All

Date Created:

16-Jan-2011

Last Modified:

10-Feb-2015

Rate this document


[1=Worst,5=Best]

SYMPTOMS

Excessive disk consumption.

CAUSE

The root cause may be one of a number of factors and it may vary dependent upon the host's function
(Security Gateway, Security Management, Log Server, SmartEvent, etc).

SOLUTION

First of all, refer to sk91060 (Removing old Check Point packages and files after an upgrade on
Security Gateway / Security Management Server).
The list below presents only some of the most common causes of excessive disk utilization. This list
should not be construed as an exhaustive list.
The items on this list are numbered only for convenience. These numbers do not designate the order
of carrying out the steps.
1.

Determine the mount point that is most severely affected by disk constraints. Use the ' df'
command to view the partition table and its associated utilization:
SecurePlatform / Gaia / Linux OS:

[Expert@HostName]# df -h
Filesystem
Size
/dev/sda6
1004M
/dev/sda1
145M
/dev/sda5
14G
/dev/sda2
2.0G
/dev/sda7
80G
[Expert@HostName]#

Used Avail Use% Mounted on


257M 697M 27% /
17M 121M 13% /boot
1.7G
12G 13% /opt
1.4G 545M 72% /sysimg
1.3G
75G
2% /var

IPSO OS:

HostName[admin]# df -h
Filesystem
/dev/mirror/gmroots1f

Size
1.9G

Used
319M

Avail Capacity
1.5G
17%

Mounted on
/

devfs
1.0K
1.0K
0B
/dev/mirror/gmroots1a
38M
102K
35M
/dev/mirror/gmroots1d
21G
567M
18G
/dev/mirror/gmroots1e
3.8G
649M
2.8G
procfs
4.0K
4.0K
0B
HostName[admin]#
Note: The virtual /proc filesystem will always be 100% full.

2.

100%
0%
3%
18%
100%

/dev
/config
/var
/opt
/proc

Once a problematic partition is identified, begin analyzing the contents of that partition. Use
the 'du' command to examine disk space utilization at directory-level. This provides a starting
point for further examination.
For example, let us examine the '/opt' partition:
SecurePlatform / Gaia / Linux OS:

[Expert@HostName]# du -h --max-depth=1 /opt | sort -n -r


440M
/opt/spwm
440K
/opt/CPsplatIS-R75.20
360M
/opt/CPsuite-R75.20
150M
/opt/CPrt-R75.20
129M
/opt/CPshrd-R75.20
63M
/opt/KAV
60M
/opt/CPportal-R75.20
35M
/opt/CPV40Cmp-R75.20
30M
/opt/CPNacPortal
29M
/opt/aspam_engine
29M
/opt/CPSG80CMP-R75.20
24M
/opt/CPR7540CMP-R75.20
24K
/opt/SecurePlatform
23M
/opt/CPUserCheckPortal
23M
/opt/CPEdgecmp-R75.20
20M
/opt/CPSmartLog-R75.20
18M
/opt/CPR7520CMP-R75.20
17M
/opt/CPR75CMP-R75.20
16M
/opt/CPadvr-R75.20
16M
/opt/CPR71CMP-R75.20
16K
/opt/lost+found
15M
/opt/CPNGXCMP-R75.20
14M
/opt/CPCON66CMP-R75.20
8.0K
/opt/CPshared
6.1M
/opt/postfix
4.2M
/opt/CPInstLog
2.1M
/opt/MegaRAID
1.9M
/opt/CPinfo-10
1.5G
/opt
[Expert@HostName]#
or

[Expert@HostName]# du -b --max-depth=1 /opt | sort -n -r


588183040
/opt
460406784
/opt/spwm
377487360
/opt/CPsuite-R75.20
157171712
/opt/CPrt-R75.20
134565888
/opt/CPshrd-R75.20
65155072
/opt/KAV

62816256
/opt/CPportal-R75.20
35860480
/opt/CPV40Cmp-R75.20
30670848
/opt/CPNacPortal
30134272
/opt/CPSG80CMP-R75.20
29581312
/opt/aspam_engine
25001984
/opt/CPR7540CMP-R75.20
23605248
/opt/CPUserCheckPortal
23220224
/opt/CPEdgecmp-R75.20
20656128
/opt/CPSmartLog-R75.20
17948672
/opt/CPR7520CMP-R75.20
17629184
/opt/CPR75CMP-R75.20
16322560
/opt/CPadvr-R75.20
16084992
/opt/CPR71CMP-R75.20
14798848
/opt/CPNGXCMP-R75.20
13770752
/opt/CPCON66CMP-R75.20
[Expert@HostName]#
IPSO OS:

HostName[admin]# du -h -d 1 /opt | sort -n -r


649M
/opt
300M
/opt/CPsuite-R75.20
253M
/opt/packages
27M
/opt/CPSG80CMP-R75.20
15M
/opt/CPR75CMP-R75.20
14M
/opt/CPV40Cmp-R75.20
13M
/opt/CPR71CMP-R75.20
12M
/opt/CPNGXCMP-R75.20
6.0K
/opt/image
5.8M
/opt/CPuag-R75.20
5.4M
/opt/CPInstLog
2.0K
/opt/CPshared
2.0K
/opt/.snap
1.9M
/opt/CPinfo-10
1.5M
/opt/CPUninstall
HostName[admin]#

These are some common factors in excessive disk utilization and their associated remediation.
1.

Check and remove old database revisions:


A. A quick way to check the number of database revisions on a Security Management
server is:
SecurePlatform / Gaia / Linux / IPSO OS:

# ls -1 $FWDIR/conf/db_versions/repository/ | wc -l

B. Check the disk utilization by database revisions:


SecurePlatform / Gaia / Linux OS:

[Expert@HostName]# du -h --max-depth=0 $FWDIR/conf/db_versions


IPSO OS:

HostName[admin]# du -h -d 0 $FWDIR/conf/db_versions

2.
While it is possible to manually delete legacy database revisions from the CLI, Check Point
recommends that legacy database revisions be removed through SmartDashboard (' File'
menu 'Database Revision Control...'). This ensures that the pointer is updated
accordingly.
3.

Check for unprocessed SmartEvent records:


A. The following command counts the number of records:
SecurePlatform / Gaia / Linux / IPSO OS:

# ls -l $RTDIR/distrib/* | wc -l

B. Stop the Eventia / SmartEvent:


SecurePlatform / Gaia / Linux / IPSO OS:

# evstop

C. Purge this directory of stale records:


SecurePlatform / Gaia / Linux / IPSO OS:

# cd $RTDIR/distrib/
# rm -r $RTDIR/distrib/*

D. Start the Eventia / SmartEvent:


SecurePlatform / Gaia / Linux / IPSO OS:

# evstart
4.
Related solution: sk66575 (How to remove delete an Analyzer or SmartEvent database)
5.

Find and delete old core dump files:


SecurePlatform / Gaia / Linux OS:

[Expert@HostName]# ls -lR /var/log/dump/usermode/


[Expert@HostName]# ls -lR /var/crash/
IPSO OS:

HostName[admin]# find "/" -iname \*core -type f -exec ls -l {} \; | grep


-v '\/image\/'

6.

Remove old rotated FireWall logs from $FWDIR/log/ directory on Security Management

Server,:
SecurePlatform / Gaia / Linux / IPSO OS:

# cd $FWDIR/log/
# ls -l *.log
This example removes all log files from year 2009:

# rm 2009*.log*
7.

Remove old upgrade_export files:


These files can be very large. Locate any old backups that you do not need anymore and
delete them. Typically, these files reside somewhere in /var partition and end with
a .tgz extension.

8.

Remove any legacy compiled policies on Security Management Server for Security Gateways
that are no longer in production:
On Security Management Server, within $FWDIR/conf/ directory, there are subdirectories for
each managed Security Gateway. These subdirectories contains copies of the compiled policy.
For any Security Gateways that are no longer in production, delete the corresponding
subdirectory.

9.

Remove temporary files for Anti-Virus engine:


On SecurePlatform/Gaia installations, there is a directory
named /opt/CA/avengine/tmp/ArcTemp. This is commonly a cause of excessive disk
consumption. You might want to delete the files in that directory.
SecurePlatform / Gaia OS:

[Expert@HostName]# rm -r /opt/CA/avengine/tmp/ArcTemp/*

10. Remove temporary files in the $CPDIR/tmp directory:


On SecurePlatform/Gaia installations, there is a directory named /opt/CPshrd-RXX/tmp.
This directory - not currently symbolically linked to the /var/log partition - contains
temporary files and environment files. Specifically, this directory may become filled with
temporary files named "filexxxx". This is commonly a cause of excessive disk consumption.
You might want to deleted these temporary files.
Related solutions:
A. sk68561 (Root partition on Security Management server is full)
B. sk36754 ($CPDIR/tmp/ directory is filled with 'CKP_mutex::_opt_CPsuiteRXX_fw1_log__...' files)