Don_Paterson
MVP Gold

Disk usage and cleanup audit report

Is there anything better than this out there?

It's the age-old disk space monitoring and clean-up story.

 

If anyone wants to test this:

Save the script to:

cp_safe_cleanup_report.sh

dos2unix cp_safe_cleanup_report.sh

chmod 700 cp_safe_cleanup_report.sh

./cp_safe_cleanup_report.sh

The script file is attached.

Example output (from lab):


[Expert@A-SMS:0]# ./cp_safe_cleanup_report.sh

Check Point Management Server — Cleanup Audit (REPORT ONLY)
Timestamp:  20260520_180058
Hostname:   A-SMS
Report:     /var/log/cp_cleanup_report_20260520_180058.txt

Files older than 30 days and ≥ 10 MB are flagged.
NO FILES WILL BE DELETED.

==============================================================
 0. DISK USAGE OVERVIEW
==============================================================

df -h (local filesystems):
Filesystem                      Type  Size  Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current xfs    30G   14G   17G  45% /
/dev/sda2                       ext3  291M   58M  218M  21% /boot
/dev/mapper/vg_splat-lv_log     xfs    90G  5.7G   85G   7% /var/log

Top 10 directories under / by size (excluding /proc, /sys):
14G     /
9.7G    /opt
3.0G    /opt/CPshrd-R81.20
2.5G    /opt/CPsuite-R81.20
2.1G    /var
1.2G    /var/lib
1.2G    /opt/CPDiffReportServer
944M    /usr
921M    /var/opt
784M    /opt/CPrt-R81.20

Top 10 directories under /var/log by size:
5.7G    /var/log
2.0G    /var/log/opt
1.5G    /var/log/AutoUpdater
1.4G    /var/log/opt/CPsuite-R81.20/fw1
1.4G    /var/log/opt/CPsuite-R81.20
1.3G    /var/log/AutoUpdater/repository
1.2G    /var/log/CPDepInst/repository
1.2G    /var/log/CPDepInst
926M    /var/log/CPda
876M    /var/log/CPda/metadata

==============================================================
 1. UNMANAGED FILES (candidates for manual deletion)
==============================================================

--- cpinfo bundles (TAC diagnostic dumps) ---
Base path: /
Pattern:   cpinfo*.tgz
Filter:    -mtime +30 -size +10M
No matches.

--- cpinfo bundles (alternate naming) ---
Base path: /
Pattern:   cpinfo*.tar.gz
Filter:    -mtime +30 -size +10M
No matches.

--- tcpdump capture files (.cap) ---
Base path: /
Pattern:   *.cap
Filter:    -mtime +30 -size +10M
No matches.

--- tcpdump capture files (.pcap) ---
Base path: /
Pattern:   *.pcap
Filter:    -mtime +30 -size +10M
No matches.

--- fw monitor captures (typically in /var/log) ---
Base path: /var/log
Pattern:   fwmonitor*
Filter:    -mtime +30 -size +10M
No matches.

--- Core dumps ---
Searching common core-dump locations...
No core dumps found.

--- Stale tarballs in /home (admin uploads, exports) ---
Base path: /home
Pattern:   *.tgz
Filter:    -mtime +30 -size +10M
No matches.

--- Stale tarballs in /home (.tar.gz) ---
Base path: /home
Pattern:   *.tar.gz
Filter:    -mtime +30 -size +10M
No matches.

--- Stale files in /tmp ---
Base path: /tmp
Pattern:   *
Filter:    -mtime +30 -size +10M
No matches.

--- Stale files in /var/tmp ---
Base path: /var/tmp
Pattern:   *
Filter:    -mtime +30 -size +10M
No matches.

--- Compressed rotated logs (.gz) in /var/log (non-CP) ---
Base path: /var/log
Pattern:   *.gz
Filter:    -mtime +30
No matches.

--- migrate_server / upgrade_export outputs in /var/log/mgmt_migrate ---
Base path: /var/log/mgmt_migrate
Pattern:   *.tgz
(path does not exist on this system — skipping)

--- Upgrade tools output (in /var/log/upgrade*) ---
Base path: /var/log
Pattern:   upgrade_export*.tgz
No matches.

==============================================================
 1.5 UPDATE/INSTALL SUBSYSTEMS (informational — see notes per system)
==============================================================

Three distinct subsystems write to /var/log:

  1. CPUSE (Check Point Upgrade Service Engine)
     Paths:   /var/log/CPda/repository  +  /opt/CPda/backup
     Holds:   JHF bundles, full-image upgrade packages, Blink images
     Clean:   clish -c "installer delete <num>"
     List:    clish -c "show installer packages all"

  2. AutoUpdater (CME, signature, Maestro auto-updates)
     Path:    /var/log/AutoUpdater/repository
     Holds:   CloudGuard CME, ThreatCloud, signature/blade auto-updates
     Clean:   DO NOT manually delete — this is automatically
              managed by the AutoUpdater service. If genuinely bloated,
              open a TAC case rather than touching the directory.

  3. CPDepInst (Deployment Agent install/staging working dirs)
     Path:    /var/log/CPDepInst/repository  +  /var/log/tmp/CPDepInst_*
     Holds:   Transient staging from deployment operations; can leak
              empty directories over time (see CheckMates discussions).
     Clean:   For empty CPDepInst_<id> dirs under /var/log/tmp/,
              cleanup is safe. For /var/log/CPDepInst/repository content,
              treat as managed and verify with TAC before deletion.

--- Directory sizes ---

CPUSE:
50M     /var/log/CPda/repository
0       /opt/CPda/backup

AutoUpdater:
1.5G    /var/log/AutoUpdater
1.3G    /var/log/AutoUpdater/repository
284M    /var/log/AutoUpdater/metadata

CPDepInst:
1.2G    /var/log/CPDepInst
1.2G    /var/log/CPDepInst/repository

  Empty CPDepInst_* dirs in /var/log/tmp:     0 (safe to remove)
  Non-empty CPDepInst_* dirs in /var/log/tmp: 0 (inspect before removing)

--- CPUSE installer status ---
**             ************************************************************************* **
**                         Connection error. Packages list might be incomplete           **
**             ************************************************************************* **
Show packages: no packages to display

Note: the Deployment Agent reported a connection error or empty list.
This typically means one of:
  - The system has no internet egress to the Check Point cloud right now
  - The DA service ($DADIR/scripts/DAService) is not running or is unhealthy
  - The local repository genuinely has no packages tracked
Run $DADIR/scripts/DAService status and check /var/log/CPda/cpda.elg for detail.

Rule of thumb: keep the currently-installed JHF backup and the
immediately prior one in /opt/CPda/backup/...#BUNDLE_..._JUMBO_HF_MAIN#nn/.
Older Jumbo backups can usually be removed via 'installer delete' — but
verify with 'show installer packages all' first.

==============================================================
 2. GAIA SNAPSHOTS (managed — use clish 'delete snapshot' if needed)
==============================================================

Snapshots consume space in /var/log/CPsnapshot and /boot.
NEVER delete snapshot files directly from the filesystem.
Use clish: delete snapshot <name>

Output of 'clish -c "show snapshots"':

Restore points:
---------------
snapshot1

Creation of an additional restore point will need 15.464G
Amount of space available for restore points is 73.97G

Snapshots present: 1

Actual snapshot storage (LVM):
Note: snapshots are LVM logical volumes in the vg_splat volume
group, not files in /var/CPsnapshot. The directories below hold only
metadata and will appear small even when snapshots are gigabytes.

Logical volumes in vg_splat:
  LV           VG       Attr       LSize  Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  lv_current   vg_splat -wi-ao---- 30.00g
  lv_log       vg_splat -wi-ao---- 90.00g
  lv_snapshot1 vg_splat -wi-a----- 17.04g

Volume group summary:
  VG       #PV #LV #SN Attr   VSize   VFree
  vg_splat   1   3   0 wz--n- 244.02g 106.97g

Authoritative capacity figures (from 'show snapshots' above):
Creation of an additional restore point will need 15.464G
Amount of space available for restore points is 73.97G

Snapshot metadata directories (small — bookkeeping only, not the snapshot):
84K     /var/log/CPsnapshot
21M     /var/CPsnapshot

==============================================================
 3. SUMMARY & RECOMMENDED NEXT STEPS
==============================================================

Full report written to: /var/log/cp_cleanup_report_20260520_180058.txt

Recommended workflow:

  1. Review the report. For each flagged file, confirm it is not needed
     (TAC case open? Audit retention requirements? Recent troubleshooting?)

  2. For unmanaged files (Section 1): plain 'rm' is safe once you have
     confirmed the file is not in use. For .log files specifically, stop
     log writers first ('cpstop' — incurs downtime per sk63361 Exception 2).

  3. For snapshots (Section 2): use clish delete snapshot <name>.
     Never 'rm -rf' snapshot directories.

  4. After cleanup, re-run this script to confirm space recovered, or run
     'df -h' directly.

Audit complete. No files were modified.

[Expert@A-SMS:0]#
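
The report-only scan behind the "Filter: -mtime +30 -size +10M" lines in the output above can be sketched as follows. This is an added example, not the attached script; the function names audit_stale and count_stale are hypothetical, and GNU find (for -printf) is assumed.

```shell
# Added example: report-only stale-file scan (hypothetical helper names).
# Nothing here deletes or modifies files; matches are only listed.

# audit_stale BASE PATTERN [DAYS] [MIN_MB]
# Uses the same find predicates the report prints as its "Filter:" line.
# Boundary behaviour worth knowing when reading the results:
#   -mtime +30  matches files whose age is at least 31 full days
#   -size +10M  matches files larger than 10 MiB (size is rounded up to MiB)
audit_stale() {
    local base=$1 pattern=$2 days=${3:-30} min_mb=${4:-10}
    if [ ! -d "$base" ]; then
        echo "(path does not exist on this system - skipping)"
        return 0
    fi
    # Prune /proc and /sys as the report's disk overview does, match regular
    # files only (symlinks are not followed), and print size in bytes,
    # mtime date and path, largest first. No -delete, no -exec.
    find "$base" \( -path /proc -o -path /sys \) -prune -o \
        -type f -name "$pattern" \
        -mtime +"$days" -size +"${min_mb}M" \
        -printf '%s\t%TY-%Tm-%Td\t%p\n' 2>/dev/null | sort -rn
}

# count_stale: same arguments, returns only the number of flagged files.
# Counts three-field (tab-separated) lines, so the "skipping" notice is ignored.
count_stale() {
    audit_stale "$@" | awk -F'\t' 'NF == 3 { n++ } END { print n + 0 }'
}
```

For instance, `audit_stale / 'cpinfo*.tgz'` and `audit_stale /var/log 'fwmonitor*'` correspond to two of the Section 1 checks with the default 30-day and 10 MB thresholds.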

 

 

 

3 Replies
Don_Paterson
MVP Gold

0 Kudos
CaseyB
Advisor

Very cool, thank you!

Ran without issues for me.

the_rock
MVP Diamond

Excellent stuff, Don.

Best,
Andy
"Have a great day and if it's not, change it"
