have one file found ... 

[Expert@1mem-fwmgmt:0]# find /var/log -size +500M
/var/log/CPda/repository/CheckPoint#CPUpdates#All#6.0#5#3#BUNDLE_R81_10_JUMBO_HF_MAIN#130/Check_Point_R81_10_JUMBO_HF_MAIN_Bundle_T130_FULL.tgz
[Expert@1mem-fwmgmt:0]#

Can you do ls -lh on it to see how large is the file? Im positive that one is safe to remove. Just to be 100% on the safe side, would still take the backup beforehand.

[Expert@1mem-fwmgmt:0]# ls -lh

total 8.0K
-rw-r--r-- 1 admin users 9 Dec 10 2024 iot_cpdiag.xml
-rw-rw---- 1 admin root 238 Feb 22 2024 remove_log4j.elg
[Expert@1mem-fwmgmt:0]#

32GB could work for /var/log, but when it comes to major upgrades, eventually, will be an issue, for sure.

Thanks for pointing that out Tal.

Working with the server group to schedule them taking a snapshot. They will then add additional space. Hopefully get me to at least 500G. Have like 175G at the moment. 

Good idea. 32 GBs for /var/log definitely may not be enough in a long run, specially now with R82.10 out.

Btw, you can do same find command for any dir, maybe worth doing it for /var/log. just replace 500 with say 200 or 300, see what you get.

I did a find on /var/log for files over 500 (find /var/log -size +500M) and it did find one. I am not a unix guy so need assistance in going through the entire file system.  

No problem, we are here to help! Idea is the same, you can use ANY dir instead of /var/log, can be /, can be /opt, anything

File size can also be anything. Just make sure it sin Linux format, cause you cant do say $FWDIR/log, you can cd into it, then do pwd to see the format.

say you can run -> find /opt -size +700M

I have been tinkering ... Only thing that seems to come back is the Jumbo Hot Fix in /var

[Expert@1mem-fwmgmt:0]# find / -size +500M
/proc/kcore
find: /proc/2380/task/2380/fd/10: No such file or directory
find: /proc/2380/task/2380/fdinfo/10: No such file or directory
find: /proc/2380/fd/10: No such file or directory
find: /proc/2380/fdinfo/10: No such file or directory
/var/log/CPda/repository/CheckPoint#CPUpdates#All#6.0#5#3#BUNDLE_R81_10_JUMBO_HF_MAIN#130/Check_Point_R81_10_JUMBO_HF_MAIN_Bundle_T130_FULL.tgz
[Expert@1mem-fwmgmt:0]#

You could save it locally from the fw, then remove it, but definitely take a backup.

As in the "hard drive" presented to your system is only ~175 GB? Yeah, that's uncomfortably small for a management server.

You will probably need to export your config, reinstall the OS, then import your config again to be able to upgrade. At that point, you may as well export the config, install R82 or R82.10, then import the config to the new version. It takes a while, but should leave you with a clean system which can be upgraded later.

When installing the OS, the installer lets you specify the size of lv_current and lv_log. Leave at least 2x the size of lv_current unallocated. This unallocated space is where snapshots go. 32 GB is normally plenty of space for lv_current, so that would mean at least 64 GB unallocated to ensure you can take at least two snapshots.

From what I have been told this was originally setup to manage just two firewalls in a cluster formation. Now we are looking at adding 6 more in cluster pairs. 

I should be able to export the config, install 82.10 and import config without impacting the cluster currently in production correct? That may be the way to go and let the server guys bump me up to at least 500G total space.It is just that while 1T required space they freaked out over originally. It seems to be either this or use the LVM_Manager to expand things. 

• https://support.checkpoint.com/results/sk/sk95566 (SK For LVM_Manager)

I would definitely make sure to follow an official CP documentation.

See below:

https://support.checkpoint.com/results/sk/sk94671

lvm_manager only lets you use the unallocated space in the original drive space. It doesn't let you go from a 175 GB drive to a 500 GB drive. To do that, you need a procedure like the one in sk165122. Every time I've tested a process like that, upgrades fail with a message saying my partitions aren't in Check Point standard format. It works for getting past an immediate issue, but it only lets you defer the reinstallation until you want to upgrade.

Since the reason you want to expand the disk is to upgrade, may as well skip straight to the reinstallation.

Here is best advice I can give to anyone when it comes to deleting files on the fw. PLEASE, I REPEAT, PLEASE...make sure to have at least backup AND snapshot (if possible) and DO NOT delete anything related to database files, because if thats done inadvertantly, guess what, once device is rebooted, its not coming back up the way you would expect.

Only way to make it work at that point is restore the working backup.

I need to go back and look through the recommended specs. I believe it was like 1T but do not remember if that was for a given number of firewalls. I suspect this is way bigger than the number we are expecting. At the moment we are looking to move to 10 units and maxing out at 25. Is there a rule of thumb for specs such as these? I am going to ask for at least 500G and guess we can go back through the rebuild process if / when that runs out.

As Im sure you know, snapshot literally "copies" everything in the same state, as long as versions match and its SAME physical appliance. Otherwise, backup is good, even if jumbo is different, would work fine. There is command, cant recall now what it is, but you need to run if if it complains about the jumbo take, it would skip the checking.

Objects and rules go into the management database, which is stored in lv_current. My biggest management is only using 37 GB in lv_current for quite a lot of firewalls.

What consumes a lot of storage is the logs, and those grow based on traffic volume, not firewall count. If you have an external log storage system like Splunk, you usually don't need a lot of log storage on the management.

For 25 firewalls, I would definitely be comfortable with 500 GB of storage. I would do 32 to lv_current, maybe 100 GB to lv_log, log cleanup set to keep 15 GB free, and the rest unallocated.

Now I just need to find the right R82 OVA 

Should be here.

https://support.checkpoint.com/results/sk/sk181127

Downloading CloudGuard R82 Security Management for VMware ESXi now. 

Sounds good, keep us posted.

Backup running on old 81 platform while waiting for new 82 server install to finish 

OK .. Now TAC is saying that I need to do a migration instead of backup / restore process type thing. 

Here is some relevant documentation on this process.

Migrating Database Between R82 Security Management Servers

Using the migrate_server commands, you should be able to migrate from an R81 to R82 server.