Skip to main content
Active IQ Unified Manager 9.7
9.7
A newer release of this product is available.

Cluster compliance categories

Contributors

This table describes the cluster security compliance parameters that Unified Manager evaluates, the NetApp recommendation, and whether the parameter affects the overall determination of the cluster being complaint or not complaint.

Having non-compliant SVMs on a cluster will affect the compliance value for the cluster. So in some cases you may need to fix a security issues with an SVM before your cluster security is seen as compliant.

Note that not every parameter listed below appears for all installations. For example, if you have no peered clusters, or if you have disabled AutoSupport on a cluster, then you will not see the Cluster Peering or AutoSupport HTTPS Transport items in the UI page.

Parameter Description Recommendation Affects Cluster Compliance

Global FIPS

Indicates if Global FIPS (Federal Information Processing Standard) 140-2 compliance mode is enabled or disabled. When FIPS is enabled, TLSv1 and SSLv3 are disabled, and only TLSv1.1 and TLSv1.2 are allowed.

Enabled

Yes

Telnet

Indicates if Telnet access to the system is enabled or disabled. NetApp recommends Secure Shell (SSH) for secure remote access.

Disabled

Yes

Insecure SSH Settings

Indicates if SSH uses insecure ciphers, for example ciphers beginning with *cbc.

No

Yes

Login Banner

Indicates if the Login banner is enabled or disabled for users accessing the system.

Enabled

Yes

Cluster Peering

Indicates if communication between peered clusters is encrypted or unencrypted. Encryption must be configured on both the source and destination clusters for this parameter to be considered compliant.

Encrypted

Yes

Network Time Protocol

Indicates if the cluster has one or more configured NTP servers. For redundancy and best service NetApp recommends that you associate at least three NTP servers with the cluster.

Configured

Yes

OCSP

Indicates if there are applications in ONTAP that are not configured with OCSP (Online Certificate Status Protocol) and therefore communications are not encrypted. The non-compliant applications are listed.

Enabled

No

Remote Audit Logging

Indicates if log forwarding (Syslog) is encrypted or not encrypted.

Encrypted

Yes

AutoSupport HTTPS Transport

Indicates if HTTPS is used as the default transport protocol for sending AutoSupport messages to NetApp support.

Enabled

Yes

Default Admin User

Indicates if the Default Admin User (built-in) is enabled or disabled. NetApp recommends locking (disabling) any unneeded built-in accounts.

Disabled

Yes

SAML Users

Indicates if SAML is configured. SAML enables you to configure multi-factor authentication (MFA) as a login method for single sign-on.

No Recommendations

No

Active Directory Users

Indicates if Active Directory is configured. Active Directory and LDAP are the preferred authentication mechanisms for users accessing clusters.

No Recommendations

No

LDAP Users

Indicates if LDAP is configured. Active Directory and LDAP are the preferred authentication mechanisms for users managing clusters over local users.

No Recommendations

No

Certificate Users

Indicates if a certificate user is configured to log into the cluster.

No Recommendations

No

Local Users

Indicates if local users are configured to log into the cluster.

No Recommendations

No