Skip to main content
BlueXP classification

Scan file shares with BlueXP classification

Contributors netapp-tonacki amgrissino netapp-ahibbard
PDFs

To scan file shares, you must first create a file shares group in BlueXP classification. File shares groups are for NFS or CIFS (SMB) shares hosted on-premises or in the cloud.

Note Scanning data from non-NetApp file shares is not supported in the BlueXP classification core version.

Prerequisites

Review the following prerequisites to make sure that you have a supported configuration before you enable BlueXP classification.

  • The shares can be hosted anywhere, including in the cloud or on-premises. CIFS shares from older NetApp 7-Mode storage systems can be scanned as file shares.

    • BlueXP classification can't extract permissions or the "last access time" from 7-Mode systems.

    • Because of a known issue between some Linux versions and CIFS shares on 7-Mode systems, you must configure the share to use only SMBv1 with NTLM authentication enabled.

  • There needs to be network connectivity between the BlueXP classification instance and the shares.

  • You can add a DFS (Distributed File System) share as a regular CIFS share. Because BlueXP classification is unaware that the share is built upon multiple servers/volumes combined as a single CIFS share, you might receive permission or connectivity errors about the share when the message really only applies to one of the folders/shares that is located on a different server/volume.

  • For CIFS (SMB) shares, ensure that you have Active Directory credentials that provide read access to the shares. Admin credentials are preferred in case BlueXP classification needs to scan any data that requires elevated permissions.

    If you want to make sure your files "last accessed times" are unchanged by BlueXP classification scans, it's recommended the user has Write Attributes permissions in CIFS or write permissions in NFS. If possible, configure the Active Directory user as part of a parent group in the organization which has permissions to all files.

  • All CIFS file shares in a group must use the same Active Directory credentials.

  • You can mix NFS and CIFS (using either Kerberos or NTLM) shares. You must add the shares to the group separately. That is, you must complete the process twice—once per protocol.

    • You cannot create a file shares group that mixes CIFS authentication types (Kerberos and NTLM).

  • If you're using CIFS with Kerberos authentication, ensure the IP address provided is accessible to the BlueXP classification service. The files shares can't be added if the IP address is unreachable.

Create a file shares group

When you add file shares to the group, you must use the format <host_name>:/<share_path>.

+
You can add file shares individually or you can enter a line-separated list of the file shares you want to scan. You can add up to 100 shares at a time.

Steps

  1. From the BlueXP classification menu, select Configuration.

  2. From the Configuration page, select Add Working Environment > Add File Shares Group.

  3. In the Add File Shares Group dialog, enter the name for the group of shares then select Continue.

  4. Select the protocol for the file shares you are adding.

    A screenshot of the modal to Add shares

.If you're adding CIFS shares with NTLM authentication, enter the Active Directory credentials to access the CIFS volumes. Although read-only credentials are supported, it's recommended you provide full access with administrator credentials. Select Save.

  1. Add the file shares that you want to scan (one file share per line). Then select Continue.

  2. A confirmation dialog displays the number of shares that were added.

    If the dialog lists any shares that could not be added, capture this information so that you can resolve the issue. If the issue pertains to a naming convention, you can re-add the share with a corrected name.

  3. Configure scanning on the volume:

    • To enable mapping-only scans on file shares, select Map.

    • To enable full scans on file shares, select Map & Classify.

    • To disable scanning on file shares, select Off.

      Note The switch at the top of the page for Scan when missing "write attributes" permissions is disabled by default. This means that if BlueXP classification doesn't have write attributes permissions in CIFS or write permissions in NFS, the system won't scan the files because BlueXP classification can't revert the "last access time" to the original timestamp.
      If you switch Scan when missing "write attributes" permissions to On, the scan resets the last accessed time and scans all files regardless of permissions.
      To learn more about the last accessed time stamp, see Metadata collected from data sources in BlueXP classification.
Result

BlueXP classification starts scanning the files in the file shares you added. You can Track the scanning progress and view the results of the scan in the Dashboard.

Note If the scan doesn't complete successfully for a CIFS configuration with Kerberos authentication, check the Configuration tab for errors.

Edit a file shares group

After you create a file shares group, you can edit the CIFS protocol or add and remove file shares.

Edit the CIFS protocol configuration

  1. From the BlueXP classification menu, select Configuration.

  2. From the Configuration page, select the file shares group you want to modify.

  3. Select Edit CIFS Credentials.

    Screenshot of the Edit CIFS credentials menu.

  4. Choose the authentication method: NTLM or Kerberos.

  5. Enter the Active Directory Username and Password.

  6. Select Save to complete the process.

Add file shares to compliance scans

  1. From the BlueXP classification menu, select Configuration.

  2. From the Configuration page, select the file shares group you want to modify.

  3. Select + Add shares.

  4. Select the protocol for the file shares you are adding.

    A screenshot of the modal to Add shares

    If you're adding file shares to a protocol you've already configured, no changes are required.

    If you're adding file shares with a second protocol, ensure you've properly configured the authentication prperly as detailed in the prerequisites.

  5. Add the file shares you want to scan (one file share per line) using the format <host_name>:/<share_path>.

  6. Select Continue to complete adding the file shares.

Remove a file share from compliance scans

  1. From the BlueXP classification menu, select Configuration.

  2. Select the working environment from which you want to remove file shares.

  3. Select Configuration.

  4. From the Configuration page, select the Actions Actions icon for the file share you want to remove.

  5. From the Actions menu, select Remove Share.

Track the scanning progress

You can track the progress of the initial scan.

  1. Select the Configuration menu.

  2. Select the Working Environment Configuration.

    The progress of each scan is shown as a progress bar.

  3. Hover over the progress bar to see the number of files scanned relative to the total files in the volume.