- CheckMates
- :
- Products
- :
- Quantum
- :
- Management
- :
- Cleanup Check Point Security Management (& Securit...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cleanup Check Point Security Management (& Security Gateways)
Hello,
Is there a script capable of analyzing old files, logs, and unnecessary objects (for example, files left over from upgrades between releases) both in the Management and Security Gateways, to identify and delete anything that can be removed and keep the environments clean?
Alternatively, could you point me to any articles that might assist with the above (if available)?
Thank you.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best is a clean install, especially for SMS using migrate_server when many local upgrades have been made during history. sk108902: Best Practices - Backup on Gaia OS
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For logs, you can set log retention policy - you can decide how long to retain log files / index files.
For upgrade packages / JHF, there's no tool that does that AFAIK but you can delete packages you don't need anymore via CPUSE in webUI.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
More than old packages, I think the question is about the "CPsuite-R80.40" and "CPsuite-R81" and "CPsuite-R81.10" folders which get left around when you upgrade a system in place. I mostly see them in /var/log/opt, so at least they don't clutter up snapshots.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At least from traffic logging POV it will delete the oldest logs, even if they appear on older versions directories. It usually has a symbolic link to it in the new version's directory.
With that reasoning I will assume that stuff without symbolic links might be copies of same content from each directory but every single thing needs to be validated with owner to be so. But compared to logging I will assume that it will not be as significant from storage POV.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's definitely not the case with R81.10 or R81.20. The old logs are left on the box forever. Log rotation doesn't clean them up. For example, I have a firewall I upgraded in-place from R81.10 to R81.20 about 50 days ago. It still has /var/log/opt/CPshrd-R81.10/cpview_services with a 1.2 GB cpview history database which can no longer be accessed. It also has a few hundred megabytes of junk in /var/log/opt/CPsuite-R81.10/fw1/tmp.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Log retention is for traffic logs which is much more significant on storage, GBs per day. You can check if you have such logs by running "ls -lh /opt/CPsuite-R81.10/fw1/log/2024*.log" . For comparison you can check your current version.
IMO, I think that a lot of the files that remain has to do with the ability to revert back. They do not have proper means of removal. I think that this is supported by the fact that when doing advanced upgrade (export DB, clean install, import DB) would not leave such directories and function properly with all the information it needs.
I would say that deleting files from version you would not revert to anymore is probably possible but I don't think the risk worth it. Until the amount of storage taken is tens of GBs it's insignificant in comparison to modern size of storage and storage taken by traffic logs. If you have storage issues I would consider expanding it to solve long run.
Much more significant in lab environments if /var/log is very limited.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've noticed files in old /var/log/opt/CPsuite-R**.**/fw1/log directories years after an upgrade. In my experience, the log rotation on firewalls only checks the current version's $FWDIR/log. I don't care about traffic logs, though; they can obviously be trashed. All the other junk in /var/log/opt is a bigger question, because it's not all logs. It would just be nice if upgrades cleaned up after themselves, or if there was a tool to clean up after an upgrade.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I always found its safe to delete those old packages.
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You got good responses so far. As far as script, I dont believe there is an official one offered by CP, but you can always create a cron job yourself, thats an option.
Andy