cancel
Showing results for 
Search instead for 
Did you mean: 

Delete ASM policy push message from /var

THE_BLUE
Cirrus
Cirrus

I noticed that /var partion is full because of ASM , so does f5 save the push message after aplaying policy ? can i delete the unessassary files? 

i saw the following link, does this will affect the policy? i mean does this will delete the parameters, urls and so on from my policy? and is it recommend to do this? 

https://support.f5.com/csp/article/K17344

4 REPLIES 4

Sebastiansierra
Cirrocumulus
Cirrocumulus

Hi Again,

As the article says, it is a bug detected in the system, and the workaround is to create a cron job to delete the files generated by ASM in two cases:

1. When you select the Apply Policy button in a security policy repeatedly and frequently
2. When you enable automatic policy building for one or more policies with several frequent changes.

The BIG-IP ASM system creates files in the /var/ts/var/cluster/send directory, which is cleaned up at regular intervals.it is possible to fill the disk partition before this cleanup occurs. And this is the reason why you need to create a Crontab Job.

These files that the article recommends you delete, don´t affect your policy, by default this information is deleted automatically by the system, but you ASM are generating these files more quickly than the system deletes it.

If you have your policy in atuomatic learning, you must modify this parameter when release the policy in a production environment, Aitomatic learning without human validation can dissabled security control over the policy in a masive atack from differents source.

Hi, 

many thanks for your input. 

accordding to below link :

https://support.f5.com/csp/article/K15125052

policy history is saved under this path /var/ts/dms/policy/policy_versions, i have deleted them and there was no affect in my policy. But still there is sth which i can't define it which cause the /var go full for 100% then by itself can decrease to 95% for example.

Sebastiansierra
Cirrocumulus
Cirrocumulus

Hi,

Try accessing the device using winscp to determine the largest files in the /var partition a look if these can be deleted, in many cases are the backups, try to look at it and tell us what you see.

i have run the below command : 

find /var/ -xdev -type f -exec du {} \; | sort -rn | head -20 

i got reslut sth like /var/ts/var/sync ( the largest file) , i have checked them with winscp but the file was about 107mb only . the strange is the /var go full 100% then 96% by itself .