Disk utilization on /opt/pancfg is hitting 100% because the tags_ip_rev data collection for specific Device Groups is expanding at a high rate
201
Created On 11/17/25 23:01 PM - Last Modified 11/26/25 23:43 PM
Symptom
- "show systm disk-space" shows /opt/pancfg partition using 100% disk usage.
- Unable to log in to Panorama via the Web UI
- in mp-monitor.log (less mp-log mp-monitor.log) show continuous growth of Sizeondisk for mongo pancfg database.
> grep after-context 3 pattern 'Name : \"pancfg\"' mp-log mp-monitor.log
Name : "pancfg"
Sizeondisk : 4165632
Empty : false
- System logs (show log system) display mdb crashes with message "mdb: Exited 4 times, waiting XXX seconds to retry"
- Viewing the pancfg directory, mongo collection tags_ip_rev in pancfg db using most of the space.
Environment
- Panorama
- PAN-OS: versions 11.1.0, 11.0.4, 10.1.12, 11.2.0, 10.2.8, 10.2.7, 11.1.2, 10.1.11-h3 (where PAN-193004 has been fixed)
- Azure or AWS platform
Cause
- If a Notify Group contains Device Group(s) that do not have firewalls mapped to the Device Group, or if the devices in that Device Group are no longer connected to Panorama then entries in the tags_ip_rev for that Device Group will not be removed.
- Eventually the tags_ip_rev collection will fill up the /opt/pancfg or /opt/mongobuffer (in the case of a management-only mode Panorama) partition.
Resolution
- Remove the Device Group(s) with no associated firewalls, or with disconnected firewalls from the Notify Group.
-
- For AWS, Refer to step 2 in "Configure the AWS Plugin for VM Monitoring"
- For Azure, Refer to step2 in "Configure the Azure Plugin for Monitoring"
- The 'tags_ip_rev' collection can be manually removed to clear disk space on '/opt/pancfg' with the following command.
> debug mongo drop collection tags_ip_rev database pancfg instance mdb
- Force AWS or Azure plugin sync:
> request plugins azure sync
> request plugins aws syncAdditional Information
Prevention Measure:
- Ensure that Device Groups containing disconnected firewalls, or no associated firewalls are not added to a Notify Group to prevent the uncontrolled growth of the 'pancfg.tags_ip_rev' collection.