Wednesday, February 18, 2026

Paloalto 100% full /opt/pancfg


On Palo Alto Networks firewalls, a 100% full /opt/pancfg partition is a known critical issue and can break commits, upgrades, and logging. Your output shows exactly that:


rizky@PANOS> show system disk-space

Filesystem      Size  Used Avail Use% Mounted on
/dev/nvme0n1p3   32G  6.8G   23G  23% /
none             16G   72K   16G   1% /dev
/dev/nvme0n1p5   63G   62G    1G 100% /opt/pancfg

So here is the quickfix, first of all always backup before performing any changes in the configuration :

rizky@PANOS> config
rizky@PANOS# save config to RIZKY-CONFIG

Config saved to RIZKY-CONFIG
[edit]

1) Check disk space, specifically /opt/pancfg :

rizky@PANOS> show system disk-space

Filesystem      Size  Used Avail Use% Mounted on
/dev/nvme0n1p3   32G  6.8G   23G  23% /
none             16G   72K   16G   1% /dev
/dev/nvme0n1p5   63G   62G    1G 100% /opt/pancfg
/dev/nvme0n1p6   32G  7.9G   22G  27% /opt/panrepo
tmpfs            16G  5.6G  9.9G  36% /dev/shm
cgroup_root      16G     0   16G   0% /cgroup
/dev/nvme0n1p8  267G   25G  228G  10% /opt/panlogs


2) Enable Aggressive Log Cleaning :
 
rizky@PANOS> debug software disk-usage aggressive-cleaning enable
This will automatically purge all old log files if disk hits 95% occupancy. Do you accept this potential loss of debuggability? (y or n) y

Verify :

rizky@PANOS> show system state | match aggressive-cleaning
cfg.debug-sw-du.config: { 'aggressive-cleaning': True, }

3) Enable deep cleaning at 90% :

rizky@PANOS> debug software disk-usage cleanup deep threshold 90

3) Clean unused/old update :

rizky@PANOS> debug pancfg-directory-usage clean
> config            Clean unused saved configurations
> dynamic-updates   Clean unused dynamic updates
> software-images   software-images

Clean old backup config :

rizky@PANOS> debug pancfg-directory-usage clean config saved
  DEFAULT                            2024/02/10 10:01:23     2176.8K
  DEFAULT-10FEB2024                  2024/02/10 10:01:33     2176.8K
  PaloAlto-3010-17JAN24-LB           2024/01/17 19:20:08     2032.8K
  PaloAlto-3010-17JAN24-LB-PRD       2024/01/17 19:45:14     2029.4K
  PaloAlto-3010-17JAN24-LBNET        2024/01/17 19:42:49     2033.2K
  autosave-10.2-20230728.xml         2023/07/28 14:32:09     1823.0K
  <value>                      Filename

rizky@PANOS> debug pancfg-directory-usage clean config saved PaloAlto-3010-17JAN24-LB

Clean old anti-virus update :

rizky@PANOS> debug pancfg-directory-usage clean dynamic-updates anti-virus update panup-all-antivirus-xxxx-xxxx.tgz

successfully removed panup-all-antivirus-xxxx-xxxx.tgz


Clean old content update :

rizky@PANOS> debug pancfg-directory-usage clean dynamic-updates content update panupv2-all-contents-xxxx-xxxx.tgz

successfully removed panupv2-all-contents-xxxx-xxxx.tgz


Clean old software update :

rizky@PANOS> debug pancfg-directory-usage clean software-images version 10.x.x-hxx

Successfully removed image


Barakallahu fiikum,
Wa jazakumullahu khair.



at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Paloalto 100% full /opt/pancfg

﷽ On Palo Alto Networks firewalls, a 100% full /opt/pancfg partition is a known critical issue and can break commits, upgrades, and logging....