Disk usage and cleanup audit report

Don_Paterson — Wed, 20 May 2026 17:11:28 GMT

Is there anything better than this out there?

It's the age old disk space monitoring and clean-up story.

If anyone wants to test this:

Save the script to:

cp_safe_cleanup_report.sh

dos2unix cp_safe_cleanup_report.sh

chmod 700 cp_safe_cleanup_report.sh

./cp_safe_cleanup_report.sh

The script file is attached.

Example output (from lab):

[Expert@A-SMS:0]# ./cp_safe_cleanup_report.sh Check Point Management Server — Cleanup Audit (REPORT ONLY) Timestamp: 20260520_180058 Hostname: A-SMS Report: /var/log/cp_cleanup_report_20260520_180058.txt Files older than 30 days and ≥ 10 MB are flagged. NO FILES WILL BE DELETED. ============================================================== 0. DISK USAGE OVERVIEW ============================================================== df -h (local filesystems): Filesystem Type Size Used Avail Use% Mounted on /dev/mapper/vg_splat-lv_current xfs 30G 14G 17G 45% / /dev/sda2 ext3 291M 58M 218M 21% /boot /dev/mapper/vg_splat-lv_log xfs 90G 5.7G 85G 7% /var/log Top 10 directories under / by size (excluding /proc, /sys): 14G / 9.7G /opt 3.0G /opt/CPshrd-R81.20 2.5G /opt/CPsuite-R81.20 2.1G /var 1.2G /var/lib 1.2G /opt/CPDiffReportServer 944M /usr 921M /var/opt 784M /opt/CPrt-R81.20 Top 10 directories under /var/log by size: 5.7G /var/log 2.0G /var/log/opt 1.5G /var/log/AutoUpdater 1.4G /var/log/opt/CPsuite-R81.20/fw1 1.4G /var/log/opt/CPsuite-R81.20 1.3G /var/log/AutoUpdater/repository 1.2G /var/log/CPDepInst/repository 1.2G /var/log/CPDepInst 926M /var/log/CPda 876M /var/log/CPda/metadata ============================================================== 1. UNMANAGED FILES (candidates for manual deletion) ============================================================== --- cpinfo bundles (TAC diagnostic dumps) --- Base path: / Pattern: cpinfo*.tgz Filter: -mtime +30 -size +10M No matches. --- cpinfo bundles (alternate naming) --- Base path: / Pattern: cpinfo*.tar.gz Filter: -mtime +30 -size +10M No matches. --- tcpdump capture files (.cap) --- Base path: / Pattern: *.cap Filter: -mtime +30 -size +10M No matches. --- tcpdump capture files (.pcap) --- Base path: / Pattern: *.pcap Filter: -mtime +30 -size +10M No matches. --- fw monitor captures (typically in /var/log) --- Base path: /var/log Pattern: fwmonitor* Filter: -mtime +30 -size +10M No matches. --- Core dumps --- Searching common core-dump locations... No core dumps found. --- Stale tarballs in /home (admin uploads, exports) --- Base path: /home Pattern: *.tgz Filter: -mtime +30 -size +10M No matches. --- Stale tarballs in /home (.tar.gz) --- Base path: /home Pattern: *.tar.gz Filter: -mtime +30 -size +10M No matches. --- Stale files in /tmp --- Base path: /tmp Pattern: * Filter: -mtime +30 -size +10M No matches. --- Stale files in /var/tmp --- Base path: /var/tmp Pattern: * Filter: -mtime +30 -size +10M No matches. --- Compressed rotated logs (.gz) in /var/log (non-CP) --- Base path: /var/log Pattern: *.gz Filter: -mtime +30 No matches. --- migrate_server / upgrade_export outputs in /var/log/mgmt_migrate --- Base path: /var/log/mgmt_migrate Pattern: *.tgz (path does not exist on this system — skipping) --- Upgrade tools output (in /var/log/upgrade*) --- Base path: /var/log Pattern: upgrade_export*.tgz No matches. ============================================================== 1.5 UPDATE/INSTALL SUBSYSTEMS (informational — see notes per system) ============================================================== Three distinct subsystems write to /var/log: 1. CPUSE (Check Point Upgrade Service Engine) Paths: /var/log/CPda/repository + /opt/CPda/backup Holds: JHF bundles, full-image upgrade packages, Blink images Clean: clish -c "installer delete <num>" List: clish -c "show installer packages all" 2. AutoUpdater (CME, signature, Maestro auto-updates) Path: /var/log/AutoUpdater/repository Holds: CloudGuard CME, ThreatCloud, signature/blade auto-updates Clean: DO NOT manually delete — this is automatically managed by the AutoUpdater service. If genuinely bloated, open a TAC case rather than touching the directory. 3. CPDepInst (Deployment Agent install/staging working dirs) Path: /var/log/CPDepInst/repository + /var/log/tmp/CPDepInst_* Holds: Transient staging from deployment operations; can leak empty directories over time (see CheckMates discussions). Clean: For empty CPDepInst_<id> dirs under /var/log/tmp/, cleanup is safe. For /var/log/CPDepInst/repository content, treat as managed and verify with TAC before deletion. --- Directory sizes --- CPUSE: 50M /var/log/CPda/repository 0 /opt/CPda/backup AutoUpdater: 1.5G /var/log/AutoUpdater 1.3G /var/log/AutoUpdater/repository 284M /var/log/AutoUpdater/metadata CPDepInst: 1.2G /var/log/CPDepInst 1.2G /var/log/CPDepInst/repository Empty CPDepInst_* dirs in /var/log/tmp: 0 (safe to remove) Non-empty CPDepInst_* dirs in /var/log/tmp: 0 (inspect before removing) --- CPUSE installer status --- ** ************************************************************************* ** ** Connection error. Packages list might be incomplete ** ** ************************************************************************* ** Show packages: no packages to display Note: the Deployment Agent reported a connection error or empty list. This typically means one of: - The system has no internet egress to the Check Point cloud right now - The DA service ($DADIR/scripts/DAService) is not running or is unhealthy - The local repository genuinely has no packages tracked Run $DADIR/scripts/DAService status and check /var/log/CPda/cpda.elg for detail. Rule of thumb: keep the currently-installed JHF backup and the immediately prior one in /opt/CPda/backup/...#BUNDLE_..._JUMBO_HF_MAIN#nn/. Older Jumbo backups can usually be removed via 'installer delete' — but verify with 'show installer packages all' first. ============================================================== 2. GAIA SNAPSHOTS (managed — use clish 'delete snapshot' if needed) ============================================================== Snapshots consume space in /var/log/CPsnapshot and /boot. NEVER delete snapshot files directly from the filesystem. Use clish: delete snapshot <name> Output of 'clish -c "show snapshots"': Restore points: --------------- snapshot1 Creation of an additional restore point will need 15.464G Amount of space available for restore points is 73.97G Snapshots present: 1 Actual snapshot storage (LVM): Note: snapshots are LVM logical volumes in the vg_splat volume group, not files in /var/CPsnapshot. The directories below hold only metadata and will appear small even when snapshots are gigabytes. Logical volumes in vg_splat: LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert lv_current vg_splat -wi-ao---- 30.00g lv_log vg_splat -wi-ao---- 90.00g lv_snapshot1 vg_splat -wi-a----- 17.04g Volume group summary: VG #PV #LV #SN Attr VSize VFree vg_splat 1 3 0 wz--n- 244.02g 106.97g Authoritative capacity figures (from 'show snapshots' above): Creation of an additional restore point will need 15.464G Amount of space available for restore points is 73.97G Snapshot metadata directories (small — bookkeeping only, not the snapshot): 84K /var/log/CPsnapshot 21M /var/CPsnapshot ============================================================== 3. SUMMARY & RECOMMENDED NEXT STEPS ============================================================== Full report written to: /var/log/cp_cleanup_report_20260520_180058.txt Recommended workflow: 1. Review the report. For each flagged file, confirm it is not needed (TAC case open? Audit retention requirements? Recent troubleshooting?) 2. For unmanaged files (Section 1): plain 'rm' is safe once you have confirmed the file is not in use. For .log files specifically, stop log writers first ('cpstop' — incurs downtime per sk63361 Exception 2). 3. For snapshots (Section 2): use clish delete snapshot <name>. Never 'rm -rf' snapshot directories. 4. After cleanup, re-run this script to confirm space recovered, or run 'df -h' directly. Audit complete. No files were modified. [Expert@A-SMS:0]#

Re: Disk usage and cleanup audit report

Don_Paterson — Wed, 20 May 2026 16:53:15 GMT

Acknowledging a recent post and replies:

https://community.checkpoint.com/t5/Firewall-and-Security-Management/System-Clean-up/m-p/267101

Re: Disk usage and cleanup audit report

CaseyB — Wed, 20 May 2026 19:39:26 GMT

Very cool, thank you!

Ran without issues for me.

Re: Disk usage and cleanup audit report

the_rock — Wed, 20 May 2026 19:45:30 GMT

Excellent stuff, Don.

topic Re: Disk usage and cleanup audit report in Firewall and Security Management

Disk usage and cleanup audit report

Re: Disk usage and cleanup audit report

Re: Disk usage and cleanup audit report

Re: Disk usage and cleanup audit report