Query About To Increase VM-Firewall Disk Storage Size

Sethupathi · ‎09-13-2020

Hi Team,

We deployed a VM series firewall in azure and it's in production now.
Presently the VM-Firewall OS disk storage size is 60GB and there is no Data Disk used.

Since the customer is need a 6 months of log retention period.
As customer isn't ready to forward the logs to any external syslog server or panorama.

So we planed to increse a disk size of an existing VM-firewall to store all the logs in local firewall itself for 6 month of retention period.

The query is what is the best practice to increase disk storage of the existing VM-firewall ?

1. To increase a OS Disk storage or purchase a data disk and attach it to the existing VM?

2. If we have a sperate data disk attached to the existing VM-firewall, does the firewall automaticaly stores all logs to the data disk?
3. If we increase the firewall OS disk storage, does it will affect the firewall performance?

_
Regards
Sethupathi M

Sethupathi · ‎09-21-2020

Hi Team,

I added extra DATA DISK post turn off the VM on Azure then firewall will consider extra disk space for logging purpose.

Before adding disk:
rahul@rahultestha> show system disk-space
Filesystem Size Used Avail Use% Mounted on
/dev/root 7.0G 3.8G 2.9G 58% /
none 6.9G 120K 6.9G 1% /dev
/dev/sda5 16G 1.1G 15G 7% /opt/pancfg
/dev/sda6 8.0G 991M 6.6G 13% /opt/panrepo
tmpfs 4.8G 4.4G 483M 91% /dev/shm
cgroup_root 6.9G 0 6.9G 0% /cgroup
/dev/sda8 21G 183M 20G 1% /opt/panlogs <<<

After adding disk:

ahul@rahultestha> show system disk-space
Filesystem Size Used Avail Use% Mounted on
/dev/root 7.0G 3.8G 2.9G 58% /
none 6.9G 136K 6.9G 1% /dev
/dev/sda5 16G 1.1G 15G 7% /opt/pancfg
/dev/sda6 8.0G 991M 6.6G 13% /opt/panrepo
tmpfs 4.8G 4.4G 483M 91% /dev/shm
cgroup_root 6.9G 0 6.9G 0% /cgroup
/dev/sdc1 99G 199M 94G 1% /opt/panlogs

I have also replicated the same behavior on AWS platform, so we can go ahead and increase the disk size on Azure for logging storage.

_

Regards,

Sethupathi M

View solution in original post

S.Cantwell · ‎09-14-2020

Hello

I am not sure that we are supposed to be increasing the default size of the FWs.

The customer should make a decision to purchase either a Azure-based Panorama (for collecting the logs), implement a Cortex Data Lake (for collecting logs and machine learning analysis), or consider what logs need to be tracked.

30% of the hard drive is partitioned for Traffic logs.

16% of the hardware is partitioned for Threat Logs

4% for Configuration Logs

4% for System logs.

MUST ALL traffic from the be logged? Example of traffic that would not needed to be (web-browsing, dns, ssl), as these are applications that log quickly, filling up the hardware drive. With proper planning, perhaps a balance could be determined to see IF there is a need to change the % of the partitions around.

From the gui of the FW, the person should go to the Device Log --> Setup --> Logging and Reporting (it is the 3rd tile DOWN within setup).... Modify this section,which by default does not have any days for logs to last, as shown in my example below

After the commit, one should (1x/week) ssh into the FW to issue this command

> show system logdb-quota

The output (in about 30 secs or less) will tell you what percentage you have configured for traffic, and it also tell you how much you have used to date.

Quotas:
system: 0.75%, 0.032 GB Expiration-period: 30 days
config: 0.75%, 0.032 GB Expiration-period: 30 days
alarm: 0.75%, 0.032 GB Expiration-period: 30 days
appstat: 0.75%, 0.032 GB Expiration-period: 30 days
hip-reports: 0.75%, 0.032 GB Expiration-period: 30 days
traffic: 48.39%, 2.056 GB Expiration-period: 180 days
threat: 25.00%, 1.062 GB Expiration-period: 180 days

Disk usage:
traffic: Logs and Indexes: 2.1G Current Retention: 96 days
threat: Logs and Indexes: 1.1G Current Retention: 48 days
system: Logs and Indexes: 32M Current Retention: 4 days
config: Logs and Indexes: 33M Current Retention: 12 days

Help the community: Like helpful comments and mark solutions

Sethupathi · ‎09-21-2020

Hi Team,

I added extra DATA DISK post turn off the VM on Azure then firewall will consider extra disk space for logging purpose.

Before adding disk:
rahul@rahultestha> show system disk-space
Filesystem Size Used Avail Use% Mounted on
/dev/root 7.0G 3.8G 2.9G 58% /
none 6.9G 120K 6.9G 1% /dev
/dev/sda5 16G 1.1G 15G 7% /opt/pancfg
/dev/sda6 8.0G 991M 6.6G 13% /opt/panrepo
tmpfs 4.8G 4.4G 483M 91% /dev/shm
cgroup_root 6.9G 0 6.9G 0% /cgroup
/dev/sda8 21G 183M 20G 1% /opt/panlogs <<<

After adding disk:

ahul@rahultestha> show system disk-space
Filesystem Size Used Avail Use% Mounted on
/dev/root 7.0G 3.8G 2.9G 58% /
none 6.9G 136K 6.9G 1% /dev
/dev/sda5 16G 1.1G 15G 7% /opt/pancfg
/dev/sda6 8.0G 991M 6.6G 13% /opt/panrepo
tmpfs 4.8G 4.4G 483M 91% /dev/shm
cgroup_root 6.9G 0 6.9G 0% /cgroup
/dev/sdc1 99G 199M 94G 1% /opt/panlogs

I have also replicated the same behavior on AWS platform, so we can go ahead and increase the disk size on Azure for logging storage.

_

Regards,

Sethupathi M

Unlock your full community experience!

Query About To Increase VM-Firewall Disk Storage Size

Query About To Increase VM-Firewall Disk Storage Size

Disk usage:traffic: Logs and Indexes: 2.1G Current Retention: 96 daysthreat: Logs and Indexes: 1.1G Current Retention: 48 dayssystem: Logs and Indexes: 32M Current Retention: 4 daysconfig: Logs and Indexes: 33M Current Retention: 12 days

Show your appreciation!

Disk usage:
traffic: Logs and Indexes: 2.1G Current Retention: 96 days
threat: Logs and Indexes: 1.1G Current Retention: 48 days
system: Logs and Indexes: 32M Current Retention: 4 days
config: Logs and Indexes: 33M Current Retention: 12 days