Yesterday I realized (after checking the backup of one of my gateways was failing) that the /var/log partition was 100% full:

[Expert@vsx1:0]# df -h
Filesystem                        Size  Used  Avail  Use%  Mounted on
/dev/mapper/vg_splat-lv_current   31G   21G   9.0G   70%   /
/dev/md0                          289M  130M  145M   48%   /boot
tmpfs                             32G   0     32G    0%    /dev/shm
/dev/mapper/vg_splat-lv_log       146G  146G  0      100%  /var/log

Surprisingly, it used to have only about 20G used out of 146G. Narrowing down which folder and files were filling the disk led to this:

[Expert@vsx1:0]# du -csh /var/log/opt/CPsuite-R80/fw1/CTX/
136G /var/log/opt/CPsuite-R80/fw1/CTX/
136G total

[Expert@vsx1:0]# du -csh //var/log/opt/CPsuite-R80/fw1/CTX/*
653M //var/log/opt/CPsuite-R80/fw1/CTX/CTX00001
290M //var/log/opt/CPsuite-R80/fw1/CTX/CTX00002
238M //var/log/opt/CPsuite-R80/fw1/CTX/CTX00003
112M //var/log/opt/CPsuite-R80/fw1/CTX/CTX00004
135G //var/log/opt/CPsuite-R80/fw1/CTX/CTX00005
240M //var/log/opt/CPsuite-R80/fw1/CTX/CTX00006
48M //var/log/opt/CPsuite-R80/fw1/CTX/CTX00007
136G total

[Expert@vsx1:0]# du -csh //var/log/opt/CPsuite-R80/fw1/CTX/CTX00005/* | grep G
130G //var/log/opt/CPsuite-R80/fw1/CTX/CTX00005/forensics
4.0G //var/log/opt/CPsuite-R80/fw1/CTX/CTX00005/tmp
135G total
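The triage above (check the partition, then drill down with du until one subtree stands out) can be scripted so it runs before a backup or from cron rather than after the disk is already full. The following is an added example, not from the original post or from Check Point: it is plain POSIX sh using df, du, sort and awk, and it builds its own throwaway directory tree shaped like the CTX/<id>/forensics layout seen above (the sizes are constructed for the demo, not real gateway data).

```shell
#!/bin/sh
# Added example (not from the original post): report partition usage,
# list the largest subdirectories, and flag a log partition that has crossed
# a threshold. Requires only POSIX sh, df -P, du -k, sort, head, awk.

# usage_pct MOUNTPOINT -> prints the Use% of the filesystem holding it (digits only)
usage_pct() {
    df -P "$1" | awk 'NR==2 { sub("%", "", $5); print $5 }'
}

# top_dirs DIR N -> prints the N largest immediate subdirectories of DIR,
# one per line as "<kbytes><TAB><path>", largest first (du -k is POSIX)
top_dirs() {
    dir=$1; n=${2:-5}
    for d in "$dir"/*/; do
        [ -d "$d" ] && du -sk "${d%/}"
    done | sort -rn | head -n "$n"
}

# largest_dir DIR -> prints only the path of the largest subdirectory of DIR
largest_dir() {
    top_dirs "$1" 1 | awk -F'\t' '{ print $2 }'
}

# check_log_partition MOUNTPOINT THRESHOLD -> returns 0 while usage is below
# the threshold; returns 1 and prints the biggest subtrees once it is at/above
check_log_partition() {
    mnt=$1; thr=${2:-80}
    pct=$(usage_pct "$mnt")
    if [ "$pct" -ge "$thr" ]; then
        echo "WARNING: $mnt at ${pct}% (threshold ${thr}%); largest subtrees:"
        top_dirs "$mnt" 5
        return 1
    fi
    echo "OK: $mnt at ${pct}%"
    return 0
}

# build_demo_tree -> constructs a temporary tree mimicking CTX/<id>/forensics,
# with one CTX dominating (constructed sample data), and prints its root path
build_demo_tree() {
    root=$(mktemp -d)
    for i in 1 2 3; do
        mkdir -p "$root/CTX0000$i/forensics" "$root/CTX0000$i/tmp"
    done
    dd if=/dev/zero of="$root/CTX00002/forensics/cap.bin" bs=1024 count=2048 2>/dev/null
    dd if=/dev/zero of="$root/CTX00001/tmp/small.bin" bs=1024 count=64 2>/dev/null
    dd if=/dev/zero of="$root/CTX00003/tmp/small.bin" bs=1024 count=16 2>/dev/null
    echo "$root"
}

# Stand-alone run: on a real gateway you would call
#   check_log_partition /var/log 80
# and, if it warns, drill into the reported directory with largest_dir.
demo=$(build_demo_tree)
check_log_partition "$demo" 101
echo "largest subtree under $demo: $(largest_dir "$demo")"
rm -rf "$demo"
```

On the gateway this would be run against /var/log with a threshold below the point at which backups start failing; the directory it points at is then the one whose policy setting (here, Threat Prevention packet capture) needs reviewing, rather than something to delete blindly.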

A Check Point engineer suggested checking whether I had the “Packet Capture” option enabled in any Threat Prevention policy. So it was…

He also clarified that this behavior is by design. I decided to disable “Packet Capture”, and it started freeing space immediately.

After some minutes a few GB had been freed, and it was still going…

/dev/mapper/vg_splat-lv_log       146G  106G  33G    77%   /var/log

After an hour or so, it was back to only about 20% used.