Clean Sophos Firewall Secure Heartbeat Database in Support Cases
This procedure is not a general tuning tip for Sophos Firewall. It describes a narrowly defined support case: The firewall has insufficient free disk space, and Sophos Support confirms that certain tables related to Secure Heartbeat in the corporate database have become unusually large.
In this case, targeted maintenance with VACUUM FULL can reclaim disk space. Since this involves direct access to the firewall’s internal PostgreSQL database, the procedure should only be performed after current confirmation from Sophos Support and within a maintenance window.
When this Guide is Relevant
The procedure is relevant when the Sophos Firewall is running low on disk space, and there is suspicion that database tables related to Secure Heartbeat are occupying an unusually large amount of space.
Typical indicators can include:
- Warnings about high memory usage
- Heavily occupied partitions on the firewall
- Issues with reports, logs, or services due to limited disk capacity
- A notification from Sophos Support that the Secure Heartbeat database has become too large
If it is unclear why the disk is filling up, the general analysis from Check Sophos Firewall Storage and Manage Reports should be conducted first. This database maintenance is only sensible if reports, logs, mail queue, quarantine, virtual disk size, and other obvious causes are not the actual explanation, or if Sophos Support explicitly identifies the database path.
Prerequisites
For this maintenance, you need:
- Administrative access to the Sophos Firewall
- Access to the Advanced Shell
- A specific recommendation or confirmation from Sophos Support
- A maintenance window
- A current configuration backup of the firewall
- Secured logs, in case the issue needs further analysis later
- Sufficient free disk space to complete the database maintenance
If shell access is not yet set up, the guide Connect to Sophos Firewall via SSH explains how to establish an SSH connection to the firewall. When preparing a support case, Secure Sophos Firewall Logs for External Analysis and Open a Sophos Support Ticket are also helpful.
⚠️ These commands directly access the internal PostgreSQL database of the Sophos Firewall. Execution should only be targeted and after current confirmation from Sophos Support for the specific support case.
VACUUM FULLcan lock tables during execution and may take some time depending on the size of the database.
When Not to Execute the Commands
The commands should not be executed if there is only a general storage warning and the cause has not been narrowed down. Storage issues often stem from reports, debug logs, support files, mail protection, quarantine, too small a virtual disk, or general log retention.
Clear stop signals are:
- Sophos Support has not specifically confirmed the two tables: Then the database intervention would be speculative and not case-specific approved.
- No current backup or no maintenance window: In case of an error, there is no clean rollback or the impact affects ongoing operations.
- SSH or Advanced Shell is unstable: An interrupted database command complicates further analysis.
- HA role, serial number, or affected node is unclear: The command may be ineffective on the wrong device or distort the diagnosis.
- Reports, logs, or support archives are being deleted in parallel: It will no longer be clear which measure freed up disk space.
- The firewall is already losing critical services: The current state should first be secured and evaluated with Sophos Support.
The procedure is also unsuitable as regular maintenance, a cron job, or preventive cleaning. If the tables grow significantly again after a short time, it is a symptom, not a normal operating condition. The support case should then be continued with current logs, disk outputs, and time progression.
Support Approval and Abortion Criteria
Before execution, not only should a backup be available, but it should also be clear who approved the step, what error pattern is being addressed, and when the procedure will be aborted.
Sensible minimum details:
- Support Approval: Ticket number, contact person, and specific recommendation.
- Affected Firewall: Serial number, model, firmware version, HA role.
- Error Pattern: Storage warning, affected partition, affected services.
- Start Time: Time before the first command.
- Before Values: Output of
df -h,df -hkm, andsystem diagnostics show disk. - Abortion Criterion: Error message, unusually long runtime, unstable SSH session, or new system errors.
If the SSH connection is unstable, the firewall is already losing critical services, or Sophos Support has not specifically confirmed the tables, database commands should not be experimented with. In such cases, current disk outputs, logs, and a clean support case are more valuable than a half-executed maintenance attempt.
Check Disk Space Before Maintenance
Before database maintenance, check how heavily the partitions are occupied:
df -h
For a more detailed display in megabytes, the following command can also be used:
df -hkm
The output should be documented before maintenance so that it can be compared afterward to see if disk space has been freed. Additionally, the Sophos-specific disk status from the Device Console is helpful:
system diagnostics show disk
In HA clusters, both nodes should be checked separately. Local databases, logs, and free space can differ between Primary and Auxiliary.
Before maintenance, it should also be clear whether other causes are occupying space in parallel. These include old support archives, large report databases, mail queue, quarantine, debug logs, or manually stored files. If these points have not been checked, the Secure Heartbeat database is only a suspicion.
Execute Database Maintenance
The following commands are executed in the Advanced Shell. During execution, the SSH session should remain stable. The firewall should not be restarted while a command is running.
First, the tbleacappcache table is cleaned:
psql -U pgroot -d corporate -c "VACUUM FULL tbleacappcache"
Then, the tblappstoeps table is cleaned:
psql -U pgroot -d corporate -c "VACUUM FULL tblappstoeps"
The commands usually return VACUUM after successful execution. If a command outputs an error message or hangs unusually long, further experimental database commands should not be continued. In this case, the output, time, and current disk status are relevant for Sophos Support.
During execution, no second person should clean up disk space, reports, or database files in parallel. Otherwise, it will not be clear later which measure had which effect. For productive firewalls, a short change entry with start time, command, and result is sensible.
Check Disk Space After Maintenance
After completing the commands, disk space should be checked again:
df -h
If the Secure Heartbeat database was indeed the cause, the occupancy of the affected partition should reduce. The extent of the effect depends on how large the tables were before and how much data PostgreSQL was able to free.
After maintenance, additionally check:
- Does
system diagnostics show diskshow plausible values again? - Are Log Viewer, reports, and affected services usable again?
- Are there new errors in the relevant Services and Logs?
- Does disk usage increase significantly again in the next hours or days?
- Are the executed steps documented in the ticket or change?
For post-checks, a single successful df -h comparison is not always sufficient. If the partition is only briefly relieved and then quickly fills up again, the maintenance is not a conclusion but a diagnostic hint. The time progression with fresh disk outputs, log period, and affected services should then be fed back to Sophos Support.
Important Notes
- This maintenance does not automatically fix the cause of why the tables grew.
- If disk space increases rapidly again afterward, a Sophos support case should be opened.
VACUUM FULLis more intensive than a normalVACUUMbecause tables are rewritten.- The commands should not be used as a regular cron job or routine without diagnosis.
- For productive firewalls, a maintenance window is recommended, as individual functions may respond with delays during database maintenance.
- In HA clusters, it must be clear on which node the maintenance is necessary.
- Before further database commands, Sophos Support should be involved again.
Common Mistakes
Executing Commands Without Diagnosis
A full partition does not automatically mean that Secure Heartbeat is the cause. Before database commands, disk outputs, logs, and obvious disk consumers should be checked.
Not Planning a Maintenance Window
VACUUM FULL can take time depending on table size and lock tables. On productive firewalls, the step should not run casually during a critical operational phase.
Not Monitoring After Cleanup
If disk space is only briefly freed and then increases significantly again, the cause is not resolved. Further analysis with Sophos Support is needed.
Confusing HA Node
In HA environments, the local storage situation can differ per node. Therefore, it should be clear before each command whether you are working on Primary or Auxiliary and which serial number is affected. A command on the wrong node can be ineffective and unnecessarily complicate later analysis.
Case Classification
In the specific support case, the cause was an oversized Secure Heartbeat database. The two mentioned VACUUM FULL commands are intended to specifically clean the affected tables and free up unused disk space. However, this should not be taken as general database maintenance for Sophos Firewall.
The article only addresses this narrow disk space case. If Security Heartbeat is not working, endpoints are not reporting a heartbeat status, Central synchronization fails, or firewall rules with heartbeat conditions do not work as expected, it is a different error pattern. In that case, Sophos Central connection, endpoint status, firewall rule, Log Viewer, and appropriate service logs are more important than a direct database intervention.
For general storage issues, the first step remains the systematic examination of disk space, logs, reports, and support data. For operations around Sophos Central, Connect Sophos Firewall with Sophos Central is also suitable, and for log files, Sophos Firewall Troubleshooting: Services and Logs.
FAQ
Should the Secure Heartbeat database be cleaned regularly?
Is a storage warning sufficient reason for these commands?
What should be secured before VACUUM FULL?
df -h and system diagnostics show disk, ticket number, serial number, firmware version, and HA role.