Skip to main content
BlueXP classification

Scan Azure NetApp Files volumes with BlueXP classification

Contributors netapp-tonacki amgrissino netapp-ahibbard netapp-bcammett
PDFs

Complete a few steps to get started with BlueXP classification for Azure NetApp Files.

Discover the Azure NetApp Files system that you want to scan

If the Azure NetApp Files system you want to scan is not already in BlueXP as a working environment, you can add it to the canvas at this time.

See how to discover the Azure NetApp Files system in BlueXP.

Deploy the BlueXP classification instance

Deploy BlueXP classification if there isn't already an instance deployed.

BlueXP classification must be deployed in the cloud when scanning Azure NetApp Files volumes, and it must be deployed in the same region as the volumes you wish to scan.

Note: Deploying BlueXP classification in an on-premises location is not currently supported when scanning Azure NetApp Files volumes.

Enable BlueXP classification in your working environments

You can enable BlueXP classification on your Azure NetApp Files volumes.

  1. From the BlueXP left navigation menu, click Governance > Classification.

  2. From the BlueXP classification menu, select Configuration.

    A screenshot of the Configuration tab immediately after deploying the BlueXP classification instance.

  3. Select how you want to scan the volumes in each working environment. Learn about mapping and classification scans:

    • To map all volumes, select Map all Volumes.

    • To map and classify all volumes, select Map & Classify all Volumes.

    • To customize scanning for each volume, select Or select scanning type for each volume, and then choose the volumes you want to map and/or classify.

      See Enable and disable compliance scans on volumes for details.

  4. In the confirmation dialog box, select Approve to have BlueXP classification start scanning your volumes.

Result

BlueXP classification starts scanning the volumes you selected in the working environment. Results will be available in the Compliance dashboard as soon as BlueXP classification finishes the initial scans. The time that it takes depends on the amount of data—​it could be a few minutes or hours. You can track the progress of the initial scan by navigating to the Configuration menu then selecting the Working Environment configuration. The progress of each scan is show as a progress bar. You can also hover over the progress bar to see the number of files scanned relative to the total files in the volume.

Note

  • By default, if BlueXP classification doesn't have write attributes permissions in CIFS, or write permissions in NFS, the system won't scan the files in your volumes because BlueXP classification can't revert the "last access time" to the original timestamp. If you don't care if the last access time is reset, click Or select scanning type for each volume. The resulting page has a setting you can enable so that BlueXP classification will scan the volumes regardless of permissions.

  • BlueXP classification scans only one file share under a volume. If you have multiple shares in your volumes, you'll need to scan those other shares separately as a shares group. See more details about this BlueXP classification limitation.

Verify that BlueXP classification has access to volumes

Make sure that BlueXP classification can access volumes by checking your networking, security groups, and export policies. You'll need to provide BlueXP classification with CIFS credentials so it can access CIFS volumes.

Note For Azure NetApp Files, BlueXP classification can only scan volumes that are in the same region as BlueXP.
Steps

  1. Make sure that there's a network connection between the BlueXP classification instance and each network that includes volumes for Azure NetApp Files.

  2. Ensure the following ports are open to the BlueXP classification instance:

    • For NFS – ports 111 and 2049.

    • For CIFS – ports 139 and 445.

  3. Ensure that NFS volume export policies include the IP address of the BlueXP classification instance so it can access the data on each volume.

  4. If you use CIFS, provide BlueXP classification with Active Directory credentials so it can scan CIFS volumes.

    1. From the BlueXP left navigation menu, select Governance > Classification.

  5. From the BlueXP classification menu, select Configuration.

    A screenshot of the Compliance tab that shows the Scan Status button that's available in the top right of the content pane.

    1. For each working environment, select Edit CIFS Credentials and enter the user name and password that BlueXP classification needs to access CIFS volumes on the system.

      The credentials can be read-only, but providing admin credentials ensures that BlueXP classification can read any data that requires elevated permissions. The credentials are stored on the BlueXP classification instance.

      If you want to make sure your files "last accessed times" are unchanged by BlueXP classification scans, it's recommended the user has Write Attributes permissions in CIFS or write permissions in NFS. If possible, configure the Active Directory user as part of a parent group in the organization which has permissions to all files.

      After you enter the credentials, you should see a message that all CIFS volumes were authenticated successfully.

      A screenshot that shows the Configuration page and one Cloud Volumes ONTAP system for which CIFS credentials were successfully provided.

  6. On the Configuration page, select View Details to review the status for each CIFS and NFS volume and correct any errors.

    For example, the following image shows four volumes; one of which BlueXP classification can't scan due to network connectivity issues between the BlueXP classification instance and the volume.

    A screenshot of the View Details page in the scan configuration that shows four volumes; one of which isn't being scanned because of network connectivity between BlueXP classification and the volume.

Enable and disable compliance scans on volumes

You can start or stop mapping-only scans, or mapping and classification scans, in a working environment at any time from the Configuration page. You can also change from mapping-only scans to mapping and classification scans, and vice-versa. We recommend that you scan all volumes.

Tip New volumes added to the working environment are automatically scanned only when you have set the Map or Map & Classify setting in the heading area. When set to Custom or Off in the heading area, you'll need to activate mapping and/or full scanning on each new volume you add in the working environment.

The switch at the top of the page for Scan when missing "write attributes" permissions is disabled by default. This means that if BlueXP classification doesn't have write attributes permissions in CIFS, or write permissions in NFS, that the system won't scan the files because BlueXP classification can't revert the "last access time" to the original timestamp. If you don't care if the last access time is reset, turn the switch ON and all files are scanned regardless of the permissions. Learn more.

A screenshot of the Configuration page where you can enable or disable scanning of individual volumes.

Steps

  1. From the BlueXP classification menu, select Configuration.

  2. Do one of the following:

    • To enable mapping-only scans on a volume, in the volume area, select Map. To enable on all volumes, in the heading area, select Map.

    • To enable full scanning on a volume, in the volume area, select Map & Classify. To enable on all volumes, in the heading area, select Map & Classify.

    • To disable scanning on a volume, in the volume area, select Off. To disable scanning on all volumes, in the heading area, select Off.