It seems that in Imperva Version (for WAF) running in a VRRP Cluster in some cases Imperva writes temp files in the /tmp directory that should be deleted immediately after creation, but this does not happen. I see this happening in variuos customer deployments.

On a gateway I upgraded a week before, I found > 355.000 files of the format gateway_state.stderr.xxxx.xxxx in that directory using up 22% of inodes.

Imperva support confirmed it’s a know problem and currently handled by engineering.

The files are empty, but the filenames itself uses inodes that could potentially lead to a problem if the max number of indodes is reached.

According to support it’s safe to delete the files – but make sure that the newest files do not get deleted as they still might be used. I use this procedure:

Login as admin on the gateway(s) CLI till you see the # prompt.

cd /tmp

find -name ‚gateway_state.stderr.*‘ -mmin +10 -exec rm -f {} \;

This deletes all files beginning with the name gateway_state.stderr.* that are older than 10 mins. Attention: it might take a while depending upon how many files are in the directory!

Now keep an eye on the directory and repeat as needed!

I delete the files that way for some time now till a solution has been found. Gateway seems to work normal.

Other useful command is df -i that shows the number of inodes used.

Use this information with precaution. There is no guarantee from my side it will work for you. Please talk to Imperva Support and ask them for recommendations!

Update March 9th
Imperva support told the bug will be fixedin 14.7 which will be released in Q2 (they are no more specific than that…)

Martin Schmitz, 15.2.2022 / Updated 23.02.2022 / 9.3.2022