NG Firewall's Reports are highly detailed and, as such, can take up a great deal of hard drive space. Here are a few things you can do to reduce the amount of space that reporting takes up.
Lower the Data Retention period
This setting is found in Apps > Reports > Data. The longer you keep reporting data available, the more disk space it takes up. Data older than the retention period is discarded and is no longer available to view in the NGFW's Reports app.
Automatic Reports stopping
As of version 16.3, NGFW will automatically stop the Reports service when free space drops below 5 GB. When this happens, you'll see an admin alert at the top right-hand corner advising you that Reports has stopped. You can use the Delete All Reports Data button to remove all Reports and clear up most of the drive space.
Note that you will need to disable and re-enable the Reports app once the database has been dropped. The Reports service is not restarted automatically.
Disable extraneous logging options
These settings are found in Config > Network > Advanced.
These options can create a lot of logging data, particularly the 'bypassed' and 'blocked' options. 'Log blocked sessions' refers only to traffic that's blocked by iptables, so that's traffic that never makes it to the applications. Anything blocked by applications will still be logged in that application's report. ('Local outbound' refers to outbound traffic created by the NGFW itself: callbacks to the license servers and DNS lookups, mainly.)
Limit the number of alerts being logged
The setting for this is in Config > Events > Alerts, under the rule 'Free disk space is low'. The default setting is diskFreePercent < .2, or 20% free disk space; if your appliance has a 500GB hard drive, that's still 100GB of HDD space free. For these larger disks, we usually recommend setting the diskFreePercent condition to .1 (or even smaller!); that would cut down on the number of alerts you'd see and still allow for a pretty sizable amount of free disk space.
Reduce the amount of logging being done by applications
Any application which scans traffic will generate Reports events. Some applications don't do anything by default except log; a notable example is the Firewall application. If a given application isn't being used, we recommend uninstalling it altogether (which will also help with the NGFW's general performance).
Bypass some traffic
Some devices probably don't need their traffic scanned by all our applications: VoIP phones, network printers, NAS devices, PoS terminals, IoT devices like smart speakers and light bulbs, etc. (Basically, anything that doesn't have a web browser.) Bypassing those devices not only cuts down on Reports data but can improve both their performance and the NGFW's performance. Instructions on bypassing devices are in the article "How To Bypass Traffic From Filtering".
Streamline remote syslog settings
If you're using remote syslog, double-check your settings. If you're using the default 'All events' rule, you're effectively doubling the amount of reporting the NG Firewall is doing. Many events reported to syslog may not be very informative or useful, so this default rule tends to consume a large amount of hard drive space for relatively little benefit.
We recommend using more specific rules and only sending the events you definitely want to be aware of.
Clearing the Reports database manually
If you have command-line access to your NGFW, you can also use this script to clear all currently-stored Reports data, but do be warned that this script can be hard on the disk if it's run frequently. It's better to shorten your retention period and store less data than have to clear it all!