Tuesday 17 April 2012

Fpolicy in NetApp


Fpolicy

FPolicy is an infrastructure component of Data ONTAP that enables partner applications connected to your storage systems to monitor and set file access permissions.
FPolicy determines how the storage system handles requests from individual client systems for operations such as create, open, rename, and delete. The storage system maintains a set of properties for FPolicy, including the policy name and whether that policy is active. You can set these properties for FPolicy using the storage system console commands.
File Screening on NAS

Run the following commands to enable file screening on the NAS box so that users cannot copy files with extensions such as EXE, JPG, MP3, MP4, PST, AVI, and DAT onto it. (The example in step 2 adds three of those extensions; add the others to the same comma-separated list.)
1. Create the file screening policy
fpolicy create <Policy Name> <Policy Type>
E.g. fpolicy create techm screen
2. Add the extensions to screen
fpolicy ext[ension] {exc[lude]|inc[lude]} [add|remove|set|reset|show] <PolicyName> [<ext>[,<ext>]]
E.g. fpolicy ext inc add techm jpg,exe,dat
3. Make the policy required, so that requests matching it are denied whenever no FPolicy server is registered to approve them
fpolicy options <PolicyName> required [on|off]
                E.g. fpolicy options techm required on
4. Enable the policy
                fpolicy enable <PolicyName> [-f]
                E.g. fpolicy enable techm -f
5. Set the operations the policy monitors (here, CIFS write requests), so that screening is applied when users try to write files to the NAS
fpolicy mon[itor]  [add|remove|set] <PolicyName> [-p {nfs|cifs}] [-f] op_spec[,op_spec,...,op_spec]
                E.g. fpolicy mon add techm -p cifs -f write
After applying the above commands, verify the resulting policy with the following command:
fpolicy show techm
What is Serverless FPolicy, why would I want it and how does it work?
- Normally a file policy has an external server to administer the policy.
A typical sequence is to create a policy, configure it, and then set up an FPolicy server to administer it. As user requests come to the filer, those that fit the policy's criteria cause the filer to notify the FPolicy server. For example, a quotas policy would cause the filer to notify the FPolicy server whenever a user did something that reserved or freed disk space.
But, as its name suggests, Serverless FPolicy means creating a policy with no intention of ever connecting a server to administer it.
- When would someone use Serverless FPolicy?
Serverless FPolicy is a "poor man's" file blocking policy. It has few features and little flexibility, but it costs nothing and performs well, since every decision is made on the filer without a round trip to an external server. If you simply want to stop users from soaking up disk space with their MP3 music files, for example, Serverless FPolicy may be exactly what you need.
- How does it work?
Conceptually, the policy is created and configured, and then its required option is turned on. With required on, every request that falls under the policy must be validated by an FPolicy server before it is allowed; because no server is registered, 100% of those requests are rejected. Requests that do not fall under the policy are not screened at all.
- Can you give me an example showing how to set it up?
Let's say you want to prevent users from putting MP3 files onto the filer. Note that this example only works for CIFS users, because NFS does not do a formal "file create" operation. First, create the policy.
  filer> fpolicy create mp3blocker screen
Now configure the policy. Set the extension list to "mp3". Set the operations monitored to "create" and "rename"; this blocks both direct creation of MP3 files and the sneakier method of copying the MP3 in under a different name and then renaming it once it is in place. Set the "required" option and enable the policy. Optionally, you can restrict the policy to certain volumes.
  filer> fpolicy ext inc set mp3blocker mp3
  filer> fpolicy monitor set mp3blocker -p cifs create,rename
  filer> fpolicy options mp3blocker required on
  filer> fpolicy volume include set mp3blocker vol0,vol1
  filer> fpolicy enable mp3blocker -f
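The techm screening policy above and this mp3blocker example are the same sequence of console commands with different parameters. The following POSIX shell script is an added example, not code from this page or from NetApp: it generates that command sequence from a policy name, an extension list, the operations to monitor and an optional volume list, in the order the mp3blocker example uses (configure everything, set required on, then enable), and can push each command to a 7-Mode filer over ssh. The function names, the fixed "-p cifs" protocol and the one-command-per-ssh-invocation transport are assumptions of this example; the fpolicy commands it emits are the ones shown above.

```shell
#!/bin/sh
# Added example: generate (and optionally push) the Data ONTAP 7-Mode console
# commands for a serverless FPolicy screening policy. Function names, the
# fixed "-p cifs" protocol and the ssh transport are assumptions of this
# example; the fpolicy commands are the ones shown on the page.

# normalize_exts "MP3, .exe,exe,dat " -> "mp3,exe,dat"
# Lower-case, strip whitespace and leading dots, drop empties and duplicates,
# so what reaches the filer is exactly the list the admin intended.
normalize_exts() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ',' '\n' \
        | sed 's/^[[:space:]]*\.*//; s/[[:space:]]*$//' \
        | grep -v '^$' | awk '!seen[$0]++' | paste -sd, -
}

# build_fpolicy_commands POLICY EXTS OPS [VOLUMES]
# Prints one console command per line. Ordering matters: the policy is fully
# configured (extensions, monitored operations, required on, volumes) before
# it is enabled, because a required policy with no FPolicy server registered
# rejects every request that matches it.
build_fpolicy_commands() {
    policy=$1
    exts=$(normalize_exts "$2")
    ops=$3
    vols=$4
    case $policy in
        ''|*[!A-Za-z0-9_]*)
            echo "build_fpolicy_commands: bad policy name '$policy'" >&2
            return 1 ;;
    esac
    if [ -z "$exts" ]; then
        echo "build_fpolicy_commands: empty extension list" >&2
        return 1
    fi
    if [ -z "$ops" ]; then
        echo "build_fpolicy_commands: no operations to monitor" >&2
        return 1
    fi
    printf 'fpolicy create %s screen\n' "$policy"
    printf 'fpolicy ext inc set %s %s\n' "$policy" "$exts"
    # CIFS only: the page notes that NFS does not issue a formal file create.
    printf 'fpolicy monitor set %s -p cifs %s\n' "$policy" "$ops"
    printf 'fpolicy options %s required on\n' "$policy"
    if [ -n "$vols" ]; then
        printf 'fpolicy volume include set %s %s\n' "$policy" "$vols"
    fi
    printf 'fpolicy enable %s -f\n' "$policy"
    printf 'fpolicy show %s\n' "$policy"   # verify the result on the filer
}

# apply_fpolicy_commands HOST POLICY EXTS OPS [VOLUMES]
# Runs each generated command on the filer as a separate ssh invocation.
# "ssh -n" stops ssh from reading stdin, which would otherwise swallow the
# rest of the command list from the pipe. Stops at the first failure.
apply_fpolicy_commands() {
    host=$1
    shift
    cmds=$(build_fpolicy_commands "$@") || return 1
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        echo "==> $cmd"
        ssh -n "$host" "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Stand-alone usage (prints the commands without touching a filer):
#   sh fpolicy_serverless.sh mp3blocker mp3 create,rename vol0,vol1
if [ $# -ge 3 ]; then
    build_fpolicy_commands "$@"
fi
```

Because a required policy with no server rejects every matching request, the script refuses to emit anything for an empty extension list or an empty operation list, and normalizes the extensions before they reach the filer; a typo such as ".MP3" would otherwise silently screen nothing. The final fpolicy show is the same verification step the page recommends.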
- Any further useful pointers you can give?
  - Note that the fpolicy monitor command was first provided in Data ONTAP 7.1.
  - In older releases it is not so simple to set the list of operations controlled by a policy: you have to enter "advanced" mode on the filer console and insert values directly into the filer's registry (http://now.netapp.com/Knowledgebase/solutionarea.asp?id=kb10098). But note that "registry set" is not supported for vfilers, so the registry-hack procedure cannot be used to set up a Serverless FPolicy for a vfiler.

Fpolicy flow chart: (image not reproduced on this page)
2 comments:

  1. Nice post. Should we consider disabling FPolicy after CIFS is enabled if we don't need it in our environment? Are there any side effects of disabling FPolicy if it is not used?

  2. If you have created an FPolicy policy, you can disable it, and there will be no side effect; the only thing is that the policy will not be applied because it is disabled.
