Keeping hard drive consumption low

Overview

NG Firewall's Reports are highly detailed and, as such, can take up a great deal of hard drive space. Here are a few things you can do to reduce the amount of space that reporting takes up.

Lower the Data Retention period

This setting is found in Apps > Reports > Data. As you can imagine, the more time you're keeping reporting data available, the more disk space you're taking up. Data older than the retention period setting is discarded and no longer available to view in the NG Firewall Reports app.

mceclip0.png

Automatic Reports stopping

As of version 16.3, NG Firewall will automatically stop the Reports service when free space drops below 5 GB. When this happens, you'll see an admin alert at the top right-hand corner advising you that Reports has stopped. You can use the Delete All Reports Data button to remove all Reports and clear up most of the drive space.

Note that you will need to disable and re-enable the Reports app once the database has been dropped. The Reports service is not restarted automatically.

 

Disable extraneous logging options

These settings are found in Config > Network > Advanced.

These options can create a lot of logging data, particularly the 'bypassed' and 'blocked' options. 'Log blocked sessions' refers only to traffic that's blocked by iptables, so that's traffic that never makes it to the applications. Anything blocked by applications will still be logged in that application's report. ('Local outbound' refers to outbound traffic created by the NG Firewall itself: callbacks to the license servers and DNS lookups, mainly.)

 

Limit the number of alerts being logged

The setting for this is in Config > Events > Alerts, under the rule 'Free disk space is low'. The default setting is diskFreePercent < .2, or 20% free disk space; if your appliance has a 500GB hard drive, that's still 100GB of HDD space free. For these larger disks, we usually recommend setting the diskFreePercent condition to .1 (or even smaller!); that would cut down on the number of alerts you'd see and still allow for a pretty sizable amount of free disk space.

free_disk_space_alert.png

Reduce the amount of logging being done by applications

Any application which scans traffic will generate Reports events. Some applications don't do anything by default except log; a notable example is the Firewall application. If a given application isn't being used, we recommend uninstalling it altogether (which will also help with NG Firewall's general performance).

Bypass some traffic

Some devices probably don't need their traffic scanned by all our applications: VoIP phones, network printers, NAS devices, PoS terminals, IoT devices like smart speakers & light bulbs, &c. (Basically, anything that doesn't have a web browser.) Bypassing those devices not only cuts down on Reports data but can improve both their performance and NG Firewall's performance. Instructions on bypassing devices are here: How To Bypass Traffic From Filtering

 

Streamline remote syslog settings

If you're using remote syslog, double-check your settings. If you're using the default 'All events' rule, you're effectively doubling the amount of reporting the NG Firewall is doing. Many events reported to syslog may not be very informative or useful, so this default rule tends to consume a large amount of hard drive space for relatively little benefit.

We recommend using more specific rules and only sending the events you definitely want to be aware of.

remote_syslog_with_callout.png

 

Clearing the Reports database manually

If you have command-line access to your NG Firewall, you can also use this script to clear all currently-stored Reports data, but do be warned that this script can be hard on the disk if it's run frequently. It's better to shorten your retention period and store less data than have to clear it all!

Follow
Was this article helpful?
3 out of 3 found this helpful
Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Powered by Zendesk