Scanning file shares

Complete a few steps to start scanning non-NetApp NFS or CIFS file shares directly with BlueXP classification. These file shares can reside on-premises or in the cloud.

Quick start

Get started quickly by following these steps, or scroll down to the remaining sections for full details.

One Review file share prerequisites

For CIFS (SMB) shares, ensure that you have credentials to access the shares.

Two Deploy the BlueXP classification instance

Deploy BlueXP classification if there isn’t already an instance deployed.

Three Create a group to hold the file shares

The group is a container for the file shares that you want to scan, and it is used as the working environment name for those file shares.

Four Add the file shares to the group

Add the list of file shares that you want to scan and select the type of scanning. You can add up to 100 file shares at a time.

Reviewing file share requirements

Review the following prerequisites to make sure that you have a supported configuration before you enable BlueXP classification.

  • The shares can be hosted anywhere, including in the cloud or on-premises. In most cases these are file shares that reside on non-NetApp storage systems. However, CIFS shares from older NetApp 7-Mode storage systems can be scanned as file shares.

    Note that BlueXP classification can’t extract permissions or the "last access time" from 7-Mode systems. Additionally, because of a known issue between some Linux versions and CIFS shares on 7-Mode systems, you must configure the share to use only SMB v1 with NTLM authentication enabled.

  • There needs to be network connectivity between the BlueXP classification instance and the shares.

  • Make sure these ports are open to the BlueXP classification instance:

    • For NFS – ports 111 and 2049.

    • For CIFS – ports 139 and 445.

  • You will need the list of shares you want to add in the format <host_name>:/<share_path>. You can enter the shares individually, or you can supply a line-separated list of the file shares you want to scan.

  • For CIFS (SMB) shares, ensure that you have Active Directory credentials that provide read access to the shares. Admin credentials are preferred in case BlueXP classification needs to scan any data that requires elevated permissions.

    If you want to make sure your files "last accessed times" are unchanged by BlueXP classification scans, we recommend that the user has Write Attributes permissions in CIFS or write permissions in NFS. If possible, we recommend making the Active Directory configured user part of a parent group in the organization which has permissions to all files.

Deploying the BlueXP classification instance

Deploy BlueXP classification if there isn’t already an instance deployed.

If you are scanning non-NetApp NFS or CIFS file shares that are accessible over the internet, you can deploy BlueXP classification in the cloud or deploy BlueXP classification in an on-premises location that has internet access.

If you are scanning non-NetApp NFS or CIFS file shares that have been installed in a dark site that has no internet access, you need to deploy BlueXP classification in the same on-premises location that has no internet access. This also requires that the BlueXP Connector is deployed in that same on-premises location.

Upgrades to BlueXP classification software is automated as long as the instance has internet connectivity.

Creating the group for the file shares

You must add a files shares "group" before you can add your file shares. The group is a container for the file shares that you want to scan, and the group name is used as the working environment name for those file shares.

You can mix NFS and CIFS shares in the same group, however, all CIFS file shares in a group need to be using the same Active Directory credentials. If you plan to add CIFS shares that use different credentials, you must make a separate group for each unique set of credentials.

Steps

  1. From the Working Environments Configuration page, click Add Data Source > Add File Shares Group.

    A screenshot of the Scan Configuration page where you can click the Add File Shares Group button.

  2. In the Add Files Shares Group dialog, enter the name for the group of shares and click Continue.

The new File Shares Group is added to the list of working environments.

Adding file shares to a group

You add file shares to the File Shares Group so that the files in those shares will be scanned by BlueXP classification. You add the shares in the format <host_name>:/<share_path>.

You can add individual file shares, or you can supply a line-separated list of the file shares you want to scan. You can add up to 100 shares at a time.

When adding both NFS and CIFS shares in a single group, you’ll need to run through the process twice - once adding NFS shares, and then again adding the CIFS shares.

Steps

  1. From the Working Environments page, click the Configuration button for the File Shares Group.

    A screenshot of the Scan Configuration page where you can select the Configuration button.

  2. If this is the first time adding file shares for this File Shares Group, click Add your first Shares.

    A screenshot showing the Add your first Shares button to add initial shares to the group.

    If you are adding file shares to an existing group, click Add Shares.

    A screenshot showing the Add Shares button to add more shares to the group.

  3. Select the protocol for the file shares you are adding, add the file shares that you want to scan - one file share per line - and click Continue.

    When adding CIFS (SMB) shares, you need to enter the Active Directory credentials that provide read access to the shares. Admin credentials are preferred.

    A screenshot of the Add File Shares page where you can add the shares to be scanned.

    A confirmation dialog displays the number of shares that were added.

    If the dialog lists any shares that could not be added, capture this information so that you can resolve the issue. In some cases you can re-add the share with a corrected host name or share name.

  4. Enable mapping-only scans, or mapping and classification scans, on each file share.

    To: Do this:

    Enable mapping-only scans on file shares

    Click Map

    Enable full scans on file shares

    Click Map & Classify

    Disable scanning on file shares

    Click Off

    The switch at the top of the page for Scan when missing "write attributes" permissions is disabled by default. This means that if BlueXP classification doesn’t have write attributes permissions in CIFS, or write permissions in NFS, that the system won’t scan the files because BlueXP classification can’t revert the "last access time" to the original timestamp. If you don’t care if the last access time is reset, turn the switch ON and all files are scanned regardless of the permissions. Learn more.

Result

BlueXP classification starts scanning the files in the file shares you added, and the results are displayed in the Dashboard and in other locations.

Removing a file share from compliance scans

If you no longer need to scan certain file shares, you can remove individual file shares from having their files scanned at any time. Just click Remove Share from the Configuration page.

A screenshot showing how to remove a single file share from having its files scanned.