Best practice for storing packet captures/debug files etc

During troubleshooting, a series of files can be generated (packet captures, cpinfo files, debug logs etc.). The problem with all of those files is that unless the administrator either deletes those files manually or with a cronjob, they end up consuming a lot of disk space.

So my question is, what is Check Point's recommendation on where to store such files? Would it be advisable to store them inside the /tmp directory or the $FWDIR/tmp one instead where I believe the files included there get cleared upon reboot? Or is there a best practice that I could be referred to?

Many thanks in advance.

0 Kudos
6 Replies
Sapphire

In my experience, such logs are gathered manually (if we exclude automatic packet captures). After switching off the debugs or at the end of troubleshooting, I would suggest copying the debug / cpinfo / fw monitor files to another place, to be able to store them for the needed time, and deleting them from the GW / SMS.


Agreed. Typically /var/log is the biggest partition so you might want to consider that when saving logs locally instead of using /home/xxxxx

Sapphire

Also, using CLI # df will show that /var/log has the most free space available, so usually I direct debug output to the /var/log/tmp directory...


Would it be a good idea then to create a "dedicated" subfolder inside the /var/log/ directory just to store troubleshooting-related items? This would theoretically be easier to manage with a cron job automatically without the slightest possibility of affecting any other files?

0 Kudos
Sapphire

Looks like a good idea to me - I can delete the content of /var/log/tmp but I do not know if any deleted item will later be missed 😉


Thanks very much gents!

0 Kudos
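
The dedicated-subfolder-plus-cron idea discussed in this thread, as an added example that is not part of the original posts and not Check Point's own tooling: a shell script that keeps the folder owner-only (captures and cpinfo output can hold traffic payloads and configuration) and deletes only aged regular files inside it. The path `/var/log/troubleshooting`, the 14-day retention, the `--run` switch and the function names are assumptions.

```shell
#!/bin/sh
# Added example: age-based cleanup of a dedicated troubleshooting directory.
# DEBUG_DIR and MAX_AGE_DAYS are assumed values, not Check Point defaults.
DEBUG_DIR="${DEBUG_DIR:-/var/log/troubleshooting}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-14}"

# Create the directory with owner-only access, since packet captures and
# debug output stored here may contain sensitive data.
prepare_debug_dir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# Delete regular files under $1 whose age in whole days exceeds $2,
# and print how many were removed.
purge_debug_files() {
    dir="$1"; days="$2"
    # Accept only an absolute path to a real directory, never "/" or a symlink,
    # so a typo or a swapped link cannot redirect the deletion elsewhere.
    case "$dir" in
        /*) ;;
        *) echo "refusing: not an absolute path: $dir" >&2; return 1 ;;
    esac
    [ "$dir" != "/" ] || { echo "refusing: /" >&2; return 1; }
    [ -d "$dir" ] && [ ! -L "$dir" ] || {
        echo "refusing: not a real directory: $dir" >&2; return 1; }
    case "$days" in
        ''|*[!0-9]*) echo "refusing: bad age: $days" >&2; return 1 ;;
    esac
    # -xdev stays on one filesystem; -type f leaves directories and symlinks alone.
    find "$dir" -xdev -type f -mtime +"$days" -print -delete | wc -l | tr -d ' '
}

# Run the cleanup only when asked to, e.g. from a daily cron entry.
if [ "${1:-}" = "--run" ]; then
    prepare_debug_dir "$DEBUG_DIR" && purge_debug_files "$DEBUG_DIR" "$MAX_AGE_DAYS"
fi
```

Files that must be kept longer than the retention period should be copied off the gateway or management server first, as suggested in the first reply.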