BlueXP ransomware protection

Protect workloads with BlueXP ransomware protection strategies

Contributors amgrissino netapp-ahibbard

You can protect workloads against ransomware attacks by enabling workload-consistent protection or creating ransomware protection strategies in BlueXP ransomware protection.

Required BlueXP role
Organization admin, Folder or project admin, or Ransomware protection admin role. Learn about BlueXP access roles for all services.

Understand BlueXP ransomware protection strategies

BlueXP ransomware protection strategies encompass both detection and protection policies.

  • Detection policies detect ransomware threats and optionally block suspicious file extensions.

  • Protection policies include snapshot and backup policies. Detection and snapshot policies are required in a protection strategy. Backup policies are optional.

    If you're using other NetApp products to protect your workload, BlueXP ransomware protection discovers those and provides the option to either:

    • use a ransomware detection policy and continue to use the snapshot and backup policies created by other NetApp tools, or

    • use BlueXP ransomware protection to manage detection, snapshots, and backups.

Tip For enhanced management and protection of your data estate, you can create group file shares to collectively protect volumes under one strategy.

Protection policies with other NetApp-managed services

Beyond BlueXP ransomware protection, the following services can be used to manage protection:

  • BlueXP backup and recovery for file shares, VM file shares

  • SnapCenter for VMware for VM datastores

  • SnapCenter for Oracle and MySQL

Protection information from these services appears in BlueXP ransomware protection. You can add detection policies to these services with BlueXP ransomware protection. Adding a protection policy with BlueXP ransomware protection replaces the existing protection policies.

If a ransomware detection policy is being managed by Autonomous Ransomware Protection (ARP or ARP/AI, depending on the ONTAP version) and FPolicy in ONTAP, those workloads are protected and will continue to be managed by ARP and FPolicy.

Note Backup destinations are not available for workloads in Amazon FSx for NetApp ONTAP. Perform backup operations using the FSx for ONTAP backup service. You set backup policies for workloads in FSx for ONTAP in AWS, not in BlueXP ransomware protection. The backup policies appear in BlueXP ransomware protection and remain unchanged from AWS.

Protection policies for workloads not protected by NetApp applications

If your workload isn't managed by BlueXP backup and recovery, BlueXP ransomware protection, SnapCenter, or SnapCenter Plug-in for VMware vSphere, it may have snapshots taken as part of ONTAP or other products. If ONTAP FPolicy protection is in place, you can change the FPolicy protection using ONTAP.

View ransomware protection on a workload

One of the first steps in protecting workloads is viewing your current workloads and their protection status. You can see the following types of workloads:

  • Application workloads

  • Block workloads

  • File share workloads

  • VM workloads

Steps
  1. From the BlueXP left navigation, select Protection > Ransomware protection.

  2. Do one of the following:

    • From the Data Protection pane on the Dashboard, select View all.

    • From the menu, select Protection.

  3. From this page, you can view and change protection details for the workload.

Note See Add a ransomware protection strategy to learn about using BlueXP ransomware protection when there's an existing protection policy with SnapCenter or BlueXP backup and recovery service.

Understand the Protection page

The Protection page shows the following information about workload protection:

Protection status: A workload can show one of the following protection statuses to indicate whether a policy is applied or not:

  • Protected: A policy is applied. ARP (or ARP/AI depending on the ONTAP version) is enabled on all volumes related to the workload.

  • At risk: No policy is applied. If a workload does not have a primary detection policy enabled, it is "at risk" even if it has a snapshot and backup policy enabled.

  • In progress: A policy is being applied but not completed yet.

  • Failed: A policy is applied but is not working.

Detection status: A workload can have one of the following ransomware detection statuses:

  • Learning: A ransomware detection policy was recently assigned to the workload and the service is scanning workloads.

  • Active: A ransomware detection protection policy is assigned.

  • Not set: A ransomware detection protection policy is not assigned.

  • Error: A ransomware detection policy was assigned, but the service has encountered an error.

    Tip When protection is enabled in BlueXP ransomware protection, alert detection and reporting begins after the ransomware detection policy status changes from Learning mode to Active mode.

Detection policy: The name of the ransomware detection policy appears, if one has been assigned. If the detection policy has not been assigned, "N/A" appears.

Snapshot and backup policies: This column shows the snapshot and backup policies applied to the workload and the product or service that is managing those policies.

  • Managed by SnapCenter

  • Managed by SnapCenter Plug-in for VMware vSphere

  • Managed by BlueXP backup and recovery

  • Name of ransomware protection policy that governs snapshots and backups

  • None

Workload importance

BlueXP ransomware protection assigns an importance or priority to each workload during discovery based on an analysis of each workload. The workload importance is determined by the following snapshot frequencies:

  • Critical: Snapshot copies taken more than 1 per hour (highly aggressive protection schedule)

  • Important: Snapshot copies taken less than 1 per hour but greater than 1 per day

  • Standard: Snapshot copies taken more than 1 per day

Predefined detection policies

You can choose one of the following BlueXP ransomware protection predefined policies, which are aligned with workload importance:

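| Policy level | Snapshot | Frequency | Retention (Days) | # of snapshot copies | Total Max # of snapshot copies |
|---|---|---|---|---|---|
| Critical workload policy | Quarter hourly | Every 15 min | 3 | 288 | 309 |
| Critical workload policy | Daily | Every 1 day | 14 | 14 | 309 |
| Critical workload policy | Weekly | Every 1 week | 35 | 5 | 309 |
| Critical workload policy | Monthly | Every 30 days | 60 | 2 | 309 |
| Important workload policy | Quarter hourly | Every 30 min | 3 | 144 | 165 |
| Important workload policy | Daily | Every 1 day | 14 | 14 | 165 |
| Important workload policy | Weekly | Every 1 week | 35 | 5 | 165 |
| Important workload policy | Monthly | Every 30 days | 60 | 2 | 165 |
| Standard workload policy | Quarter hourly | Every 30 min | 3 | 72 | 93 |
| Standard workload policy | Daily | Every 1 day | 14 | 14 | 93 |
| Standard workload policy | Weekly | Every 1 week | 35 | 5 | 93 |
| Standard workload policy | Monthly | Every 30 days | 60 | 2 | 93 |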
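
As an added example (not NetApp code), the Python check below recomputes each row's copy count from the Frequency and Retention columns of the predefined-policy table and sums the rows per policy, so you can confirm which restore points a policy actually leaves you with. The class and function names are assumptions made for this illustration; the numbers are transcribed from the table.

```python
from dataclasses import dataclass

MIN_PER_DAY = 24 * 60


@dataclass(frozen=True)
class Schedule:
    label: str           # "Snapshot" column
    interval_min: int    # "Frequency" column, converted to minutes
    retention_days: int  # "Retention (Days)" column
    stated_copies: int   # "# of snapshot copies" column

    def computed_copies(self) -> int:
        # Copies on hand once the schedule has run for a full retention period.
        return self.retention_days * MIN_PER_DAY // self.interval_min


def common_rows():
    # The daily, weekly and monthly rows are the same in all three policies.
    return [
        Schedule("Daily", MIN_PER_DAY, 14, 14),
        Schedule("Weekly", 7 * MIN_PER_DAY, 35, 5),
        Schedule("Monthly", 30 * MIN_PER_DAY, 60, 2),
    ]


# Transcribed from the table: policy -> (schedules, stated "Total Max" value).
POLICIES = {
    "Critical": ([Schedule("Quarter hourly", 15, 3, 288)] + common_rows(), 309),
    "Important": ([Schedule("Quarter hourly", 30, 3, 144)] + common_rows(), 165),
    "Standard": ([Schedule("Quarter hourly", 30, 3, 72)] + common_rows(), 93),
}


def audit(policies=POLICIES):
    """Recompute copy counts and totals; return a per-policy report."""
    reports = {}
    for name, (schedules, stated_total) in policies.items():
        findings = []
        for s in schedules:
            if s.computed_copies() != s.stated_copies:
                implied = s.retention_days * MIN_PER_DAY // max(s.stated_copies, 1)
                findings.append(
                    f"{s.label}: {s.stated_copies} copies stated, "
                    f"{s.computed_copies()} computed from every {s.interval_min} min "
                    f"(stated count implies every {implied} min)"
                )
        total = sum(s.stated_copies for s in schedules)
        if total != stated_total:
            findings.append(f"total {total} != stated maximum {stated_total}")
        reports[name] = {
            "total_copies": total,
            "shortest_interval_min": min(s.interval_min for s in schedules),
            "oldest_restore_point_days": max(s.retention_days for s in schedules),
            "findings": findings,
        }
    return reports


if __name__ == "__main__":
    for policy, report in audit().items():
        print(policy, report)
```

The totals for all three policies match the sum of their rows. The one finding is the Standard policy's quarter-hourly row, where 72 copies over 3 days corresponds to a 60-minute interval rather than 30 minutes.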

Enable application- or VM-consistent protection with SnapCenter

Enabling application- or VM-consistent protection helps you protect your application or VM workloads in a consistent manner, achieving a quiescent and consistent state to avoid potential data loss later if recovery is needed.

This process initiates registering SnapCenter Software Server for applications or SnapCenter Plug-in for VMware vSphere for VMs using BlueXP backup and recovery.

After you enable workload-consistent protection, you can manage protection strategies in BlueXP ransomware protection. The protection strategy includes the snapshot and backup policies managed elsewhere along with a ransomware detection policy managed in BlueXP ransomware protection.

To learn about registering SnapCenter or SnapCenter Plug-in for VMware vSphere using BlueXP backup and recovery, refer to the following information:

Steps
  1. From the BlueXP ransomware protection menu, select Dashboard.

  2. From the Recommendations pane, locate one of the following recommendations and select Review and fix:

    • Register available SnapCenter Server with BlueXP

    • Register available SnapCenter Plug-in for VMware vSphere (SCV) with BlueXP

  3. Follow the information to register the SnapCenter or SnapCenter Plug-in for VMware vSphere host using BlueXP backup and recovery.

  4. Return to BlueXP ransomware protection.

  5. From BlueXP ransomware protection, navigate to the Dashboard and initiate the discover process again.

  6. From BlueXP ransomware protection, select Protection to view the Protection page.

  7. Review details in the snapshot and backup policies column on the Protection page to see that the policies are managed elsewhere.

Add a ransomware protection strategy

There are three approaches to adding a ransomware protection strategy:

  • Create a ransomware protection strategy if you have no snapshot or backup policies.

    The ransomware protection strategy includes:

    • Snapshot policy

    • Ransomware detection policy

    • Backup policy

  • Replace the existing snapshot or backup policies from SnapCenter or BlueXP backup and recovery protection with protection strategies managed by BlueXP ransomware protection.

    The ransomware protection strategy includes:

    • Snapshot policy

    • Ransomware detection policy

    • Backup policy

  • Create a detection policy for workloads with existing snapshot and backup policies managed in other NetApp products or services.

    The detection policy does not change the policies managed in other products.

    The detection policy enables Autonomous Ransomware Protection and FPolicy protection if they are already activated in other services. Learn more about Autonomous Ransomware Protection, BlueXP backup and recovery, and ONTAP FPolicy.

Create a ransomware protection strategy (if you have no snapshot or backup policies)

If snapshot or backup policies do not exist on the workload, you can create a ransomware protection strategy, which can include the following policies that you create in BlueXP ransomware protection:

  • Snapshot policy

  • Backup policy

  • Ransomware detection policy

Steps to create a ransomware protection strategy
  1. From the BlueXP ransomware protection menu, select Protection.

  2. From the Protection page, select a workload, then select Protect.

  3. From the Ransomware protection strategies page, select Add.

  4. Enter a new strategy name, or enter an existing name to copy it. If you enter an existing name, choose which one to copy and select Copy.

    Note If you choose to copy and modify an existing strategy, the service appends "_copy" to the original name. You should change the name and at least one setting to make it unique.

  5. For each item, select the Down arrow.

    • Detection policy:

      • Policy: Choose one of the predesigned detection policies.

      • Primary detection: Enable ransomware detection to have the service detect potential ransomware attacks.

      • Block file extensions: Enable this to have the service block known suspicious file extensions. The service takes automated snapshot copies when Primary detection is enabled.

        If you want to change the blocked file extensions, edit them in System Manager.

    • Snapshot policy:

      • Snapshot policy base name: Select a policy or select Create and enter a name for the snapshot policy.

      • Snapshot locking: Enable this to lock the snapshot copies on primary storage so that they cannot be modified or deleted for a certain period of time, even if a ransomware attack manages to reach the backup storage destination. This is also called immutable storage. It enables quicker restore times.

        When a snapshot is locked, the volume expiration time is set to the expiration time of the snapshot copy.

        Snapshot copy locking is available with ONTAP 9.12.1 and later. To learn more about SnapLock, refer to SnapLock in ONTAP.

      • Snapshot schedules: Choose schedule options, the number of snapshot copies to keep, and select to enable the schedule.

    • Backup policy:

      • Backup policy basename: Enter a new or choose an existing name.

      • Backup schedules: Choose schedule options for secondary storage and enable the schedule.

    Tip To enable backup locking on secondary storage, configure your backup destinations using the Settings option. For details, see Configure settings.

  6. Select Add.

Add a detection policy to workloads with existing snapshot and backup policies managed by SnapCenter or BlueXP backup and recovery

BlueXP ransomware protection enables you to assign either a detection policy or a protection policy to workloads with existing snapshot and backup protection managed in other NetApp products or services. Other services, such as BlueXP backup and recovery and SnapCenter, use policies that govern snapshots, replication to secondary storage, or backups to object storage.

Add a detection policy to workloads with existing backup or snapshot policies

If you have existing snapshot or backup policies with BlueXP backup and recovery or SnapCenter, you can add a policy to detect ransomware attacks. To manage protection and detection with BlueXP ransomware protection, see Protect with BlueXP ransomware protection.

Steps
  1. From the BlueXP ransomware protection menu, select Protection.

  2. From the Protection page, select a workload then select Protect.

  3. BlueXP ransomware protection detects if there are existing active SnapCenter or BlueXP backup and recovery policies.

  4. To leave your existing BlueXP backup and recovery or SnapCenter policies in place and only apply a detection policy, leave the Replace existing policies box unchecked.

  5. To see details of the SnapCenter policies, select the Down arrow.

    Select a detection policy then select Protect.

  6. On the Protection page, review the Detection status to confirm detection is Active.

Replace existing backup or snapshot policies with a BlueXP ransomware protection strategy

You can replace your existing backup or snapshot policies with a BlueXP ransomware protection strategy. This approach removes your externally managed protection and configures detection and protection in BlueXP ransomware protection.

Steps
  1. From the BlueXP ransomware protection menu, select Protection.

  2. From the Protection page, select a workload then select Protect.

  3. BlueXP ransomware protection detects if there are existing active BlueXP backup and recovery or SnapCenter policies. To replace the existing BlueXP backup and recovery or SnapCenter policies, select the Replace existing policies box. When you select the box, BlueXP ransomware protection replaces the list of detection policies with a list of protection policies.

  4. Choose a protection policy. If no protection policy exists, select Add to create a new policy. For information about creating a policy, see Create a protection policy. Select Next.

  5. Select a backup destination or create a new one. Select Next.

  6. Review the new protection strategy then select Protect to apply it.

  7. On the Protection page, review the Detection status to confirm detection is Active.

Assign a different policy

You can replace the existing policy with a different one.

Steps
  1. From the BlueXP ransomware protection menu, select Protection.

  2. From the Protection page, on the workload row, select Edit protection.

  3. If the workload has an existing BlueXP backup and recovery or SnapCenter policy that you want to maintain, uncheck Replace existing policies. To replace the existing policies, check Replace existing policies.

  4. In the Policies page, select the down arrow for the policy you want to assign to review the details.

  5. Select the policy you want to assign.

  6. Select Protect to complete the change.

Group file shares for easier protection

Grouping file shares in a protection group makes it easier to protect your data estate. The service can protect all volumes in a group at the same time rather than protecting each volume separately.

You can create groups regardless of their protection status (that is, groups that are not protected and groups that are protected). When you add a protection policy to a protection group, the new protection policy replaces any existing policy, including policies managed by BlueXP backup and recovery and SnapCenter.

Steps
  1. From the BlueXP ransomware protection menu, select Protection.

  2. From the Protection page, select the Protection groups tab.

  3. Select Add.

  4. Enter a name for the protection group.

  5. Select the workloads to add to the group.

    Tip To see more details on the workloads, scroll to the right.

  6. Select Next.

  7. Select the policy to govern the protection for this group.

  8. Select Next.

  9. Review the selections for the protection group.

  10. Select Add.

Edit group protection

You can change the detection policy on an existing group.

Steps
  1. From the BlueXP ransomware protection menu, select Protection.

  2. From the Protection page, select the Protection groups tab then select the group whose policy you want to modify.

  3. From the protection group's overview page, select Edit protection.

  4. Select an existing protection policy to apply or select Add to create a new protection policy. For more information about adding a protection policy, see Create a protection policy. Then select Save.

  5. In the backup destination overview, select an existing backup destination or Add a new backup destination.

  6. Select Next to review your changes.

Remove workloads from a group

You might later need to remove workloads from an existing group.

Steps
  1. From the BlueXP ransomware protection menu, select Protection.

  2. From the Protection page, select the Protection groups tab.

  3. Select the group from which you want to remove one or more workloads.

  4. From the selected protection group page, select the workload you want to remove from the group and select the Actions option.

  5. From the Actions menu, select Remove workload.

  6. Confirm that you want to remove the workload and select Remove.

Delete the protection group

Deleting the protection group removes the group and its protection but doesn't remove the individual workloads.

Steps
  1. From the BlueXP ransomware protection menu, select Protection.

  2. From the Protection page, select the Protection groups tab.

  3. Select the group from which you want to remove one or more workloads.

  4. From the selected protection group page, at the top right, select Delete protection group.

  5. Confirm that you want to delete the group and select Delete.

Manage ransomware protection strategies

You can delete a ransomware strategy.

View workloads protected by a ransomware protection strategy

Before you delete a ransomware protection strategy, you might want to view which workloads are protected by that strategy.

You can view the workloads from the list of strategies or when you are editing a specific strategy.

Steps when viewing the list of strategies
  1. From the BlueXP ransomware protection menu, select Protection.

  2. From the Protection page, select Manage protection strategies.

    The Ransomware protection strategies page displays a list of strategies.

  3. On the Ransomware protection strategies page in the Protected workloads column, select the down arrow at the end of the row.

Delete a ransomware protection strategy

You can delete a protection strategy that is not currently associated with any workloads.

Steps
  1. From the BlueXP ransomware protection menu, select Protection.

  2. From the Protection page, select Manage protection strategies.

  3. In the Manage strategies page, select the Actions option for the strategy you want to delete.

  4. From the Actions menu, select Delete policy.