FPolicy configuration types
There are two basic FPolicy configuration types. One configuration uses external FPolicy servers to process and act upon notifications. The other configuration does not use external FPolicy servers; instead, it uses the ONTAP internal, native FPolicy server for simple file blocking based on extensions.
-
External FPolicy server configuration
The notification is sent to the FPolicy server, which screens the request and applies rules to determine whether the node should allow the requested file operation. For synchronous policies, the FPolicy server then sends a response to the node to either allow or block the requested file operation.
-
Native FPolicy server configuration
The notification is screened internally. The request is allowed or denied based on file extension settings configured in the FPolicy scope.
Note: File extension requests that are denied are not logged.
When to create a native FPolicy configuration
Native FPolicy configurations use the ONTAP internal FPolicy engine to monitor and block file operations based on the file's extension. This solution does not require external FPolicy servers (FPolicy servers). Using a native file blocking configuration is appropriate when this simple solution is all that is needed.
Native file blocking enables you to monitor any file operations that match configured operation and filtering events and then deny access to files with particular extensions. This is the default configuration.
This configuration provides a means to block file access based only on the file's extension. For example, to block files that contain mp3
extensions, you configure a policy to provide notifications for certain operations with target file extensions of mp3
. The policy is configured to deny mp3
file requests for operations that generate notifications.
The following applies to native FPolicy configurations:
-
The same set of filters and protocols that are supported by FPolicy server-based file screening are also supported for native file blocking.
-
Native file blocking and FPolicy server-based file screening applications can be configured at the same time.
To do so, you can configure two separate FPolicy policies for the storage virtual machine (SVM), with one configured for native file blocking and one configured for FPolicy server-based file screening.
-
The native file blocking feature only screens files based on the extensions and not on the content of the file.
-
In the case of symbolic links, native file blocking uses the file extension of the root file.
Learn more about FPolicy: Native File Blocking.
When to create a configuration that uses external FPolicy servers
FPolicy configurations that use external FPolicy servers to process and manage notifications provide robust solutions for use cases where more than simple file blocking based on file extension is needed.
You should create a configuration that uses external FPolicy servers when you want to do such things as monitor and record file access events, provide quota services, perform file blocking based on criteria other than simple file extensions, provide data migration services using hierarchical storage management applications, or provide a fine-grained set of policies that monitor only a subset of data in the storage virtual machine (SVM).