How to increase disk size of Trend Micro IWSVA (InterScan Web Security Virtual Appliance)

Trend Micro IWSVA is a web proxy with many security features, such as antivirus and antimalware. It is also a web filter, similar to WebSense Web Filter, where URL categories can be blocked to protect end users and to prevent browsing of non-productive web sites inside the company. However, if you download the VMware image, the disk image is quite small and can fill up easily if your environment has many users and a lot of HTTP traffic to process, plus the logs that traffic generates.

Below is a procedure to increase the disk size in a VMware vSphere environment.

1. First check the partition disk usage, using the command: df -lh

[root@iwsva65 ~]# df -lh
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/IWSVA-root
2.0G 309M 1.6G 17% /
tmpfs 1.7G 93M 1.6G 6% /dev/shm
/dev/sda1 97M 28M 64M 31% /boot
/dev/mapper/IWSVA-os_conf
124M 6.6M 112M 6% /os_conf
/dev/mapper/IWSVA-app_bin
5.0G 1.7G 3.1G 36% /usr
/dev/mapper/IWSVA-app_data
36G 2.4G 32G 7% /var
tmpfs 2.0G 0 2.0G 0% /var/iwss/tmp/tmpfs
tmpfs 512M 0 512M 0% /var/iwss/tmp/v_tmpfs

The most common partition that becomes full is: /dev/mapper/IWSVA-app_data
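The same check can be scripted so a filling log partition is noticed before the proxy stops writing logs. The following is an added example, not part of the original post: it reads the df -lh listing shown above (embedded as sample input) and handles the wrapped lines df prints for the long /dev/mapper names. The function name over_threshold and the 30% limit are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag filesystems at or above a
# usage threshold, coping with the wrapped lines df prints for long LVM names.

# Sample input: the df -lh listing shown in the post.
DF_SAMPLE='Filesystem Size Used Avail Use% Mounted on
/dev/mapper/IWSVA-root
 2.0G 309M 1.6G 17% /
tmpfs 1.7G 93M 1.6G 6% /dev/shm
/dev/sda1 97M 28M 64M 31% /boot
/dev/mapper/IWSVA-os_conf
 124M 6.6M 112M 6% /os_conf
/dev/mapper/IWSVA-app_bin
 5.0G 1.7G 3.1G 36% /usr
/dev/mapper/IWSVA-app_data
 36G 2.4G 32G 7% /var
tmpfs 2.0G 0 2.0G 0% /var/iwss/tmp/tmpfs
tmpfs 512M 0 512M 0% /var/iwss/tmp/v_tmpfs'

# over_threshold LIMIT (hypothetical helper name):
# read df output on stdin and print "mountpoint use%" for every filesystem
# whose usage is at or above LIMIT percent.
over_threshold() {
    awk -v limit="$1" '
        NR == 1 { next }      # column header
        NF == 1 { next }      # wrapped entry: device name alone on this line
        {
            # Use% and mount point are always the last two fields, whether
            # the device name is on this line (6 fields) or the one before (5).
            use = $(NF - 1); mnt = $NF
            sub(/%$/, "", use)
            if (use + 0 >= limit + 0) print mnt, use "%"
        }
    '
}

# Demo on the sample; on the appliance use: df -lh | over_threshold 80
printf '%s\n' "$DF_SAMPLE" | over_threshold 30
```

Running df with the POSIX -P option keeps each filesystem on a single line, which avoids the wrapping altogether.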

2. Check the directory sizes that are mounted on /dev/mapper/IWSVA-app_data such as:

* /var
* /var/iwss/tmp/tmpfs
* /var/iwss/tmp/v_tmpfs

The directories inside /var that most commonly become full are the following:

* /var/iwss/log
* /var/iwss/postgres/pgdata

The /var/iwss/log directory becomes full if debugging has been left enabled.

Make sure that the following parameters in /etc/iscan/intscan.ini are set to verbose=0. Use the vi editor to open intscan.ini.

[ftp]
#Switch for debug log.
# 1 -> turn on
# 0 -> turn off
verbose=0
[http]
#Switch for debug log.
# 1 -> turn on
# 0 -> turn off
verbose=0
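To check the debug switches without opening the file by hand, the following added example (not part of the original post) lists every section of an intscan.ini-style file whose verbose value is not 0. The function name verbose_sections and the [constructed-section] entry in the sample file are assumptions made for illustration; the [ftp] and [http] sections come from the snippet above.

```shell
#!/bin/sh
# Added example (not from the original post): report sections of an
# intscan.ini-style file where the debug switch (verbose) is not 0.

# verbose_sections FILE (hypothetical helper name):
# print the name of each section whose verbose key is set to anything but 0.
verbose_sections() {
    awk '
        { sub(/\r$/, "") }                    # tolerate CRLF line endings
        /^[ \t]*[#;]/ { next }                # comment lines, e.g. "# verbose=1"
        /^[ \t]*\[.*\]/ {                     # section header such as [http]
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)   # "verbose = 1"
            if (key == "verbose" && val != "0") print sec
        }
    ' "$1"
}

# Constructed sample file: [http] has debug logging left on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[ftp]
#Switch for debug log.
# 1 -> turn on
# 0 -> turn off
verbose=0
[http]
#Switch for debug log.
verbose = 1
[constructed-section]
# verbose=1
verbose=0
EOF

verbose_sections "$sample"    # on the appliance: verbose_sections /etc/iscan/intscan.ini
rm -f "$sample"
```

As the author's reply in the comments notes, a changed value only takes effect after the HTTP daemon is restarted.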

The /var/iwss/postgres/pgdata contains database files.

However, if the IWSVA has not been sized properly, you can increase the disk size.

3. Add a new disk to the IWSVA VM in VMware vCenter

Before adding a disk, list the existing disks, using the command: cat /proc/partitions

[root@iwsva65 ~]# cat /proc/partitions
major minor #blocks name
8 0 54525952 sda
8 1 102400 sda1
8 2 54422528 sda2
---output omitted---

sda is disk 1.
Shut down the IWSVA VM before adding the disk. Choose to add a disk and NOT to expand the existing disk.

Select the IWSVA VM > Actions > Edit Settings… > Select > New Hard Disk > Add > Enter the amount of Disk Size > OK

Note: Consult with your VMware Administrator to choose the Disk Provisioning (Thin Provision / Thick Provision)

Power on the IWSVA VM.

Log in to IWSVA as root (you can use an SSH client).

List the existing disks again, using the command: cat /proc/partitions

[root@iwsva65 ~]# cat /proc/partitions
major minor #blocks name
8 0 54525952 sda
8 1 102400 sda1
8 2 54422528 sda2
8 16 52428800 sdb
---output omitted---

Note that there is a new disk, sdb.

Go to clish mode command line interface, using the command: clish
Go to enable mode, using the command: enable

Add the new hard disk and extend the IWSVA data partition space, using the command: configure system harddisk

Below is the sample result.

[Screenshot: sample result of the configure system harddisk command]

To exit clish mode, use the following command twice: exit

Verify the new disk partition size, using the command: df -lh

[root@iwsva65 ~]# df -lh
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/IWSVA-root
2.0G 309M 1.6G 17% /
tmpfs 1.7G 93M 1.6G 6% /dev/shm
/dev/sda1 97M 28M 64M 31% /boot
/dev/mapper/IWSVA-os_conf
124M 6.6M 112M 6% /os_conf
/dev/mapper/IWSVA-app_bin
5.0G 1.7G 3.1G 36% /usr
/dev/mapper/IWSVA-app_data
85G 2.4G 78G 3% /var
tmpfs 2.0G 0 2.0G 0% /var/iwss/tmp/tmpfs
tmpfs 512M 0 512M 0% /var/iwss/tmp/v_tmpfs

Note that the size of /dev/mapper/IWSVA-app_data increased from 36 GB to 85 GB.

Note: Be sure to have a backup of your IWSVA configuration and also a clone of the VM as a backup, just in case something goes wrong. A VM snapshot would not help, since you cannot modify the VMDK of a VM that has a snapshot.

However, it is still best practice to properly size IWSVA right from the start.

Reference: The IWSVA Sizing Guide will help you allocate CPU, memory, and disk resources according to your number of users and network traffic.

2 comments

  1. Hello
    According to what you said to check on debugging
    I checked and defined verbose = 0
    But all the time the size of the /var/iwss/log has increased
    what can we do?

    • Hi sasi,

      Sorry for the very late reply.

      After you set the verbose value to 0, make sure you restart the HTTP daemon.

      /etc/iscan/S99ISproxy stop
      /etc/iscan/S99ISproxy start

      This is required for the new setting to take effect.

      Then you can inspect the http.log.. in the /etc/iscan/ directory and make sure the log does not contain debug information.

      Usually it is indicated by “D” or “DEBUG” in the log line entries.

      Hope this helps.
