Configuring the ONTAP SVM Data Collector

Contributors: netapp-alavoie, dgracenetapp

Cloud Secure uses data collectors to collect file and user access data from devices.

Before you begin
  • This data collector is supported on Data ONTAP 9.1 and later versions.

  • An Agent must be configured before you can configure data collectors.

  • A separate subnet must be used for FPolicy traffic.

  • You need the SVM management IP address.

  • You need a username and password to access the SVM.

  • Ensure the correct protocols are set for the SVM.

    security login show -vserver svmname
    Vserver: svmname
                                 Authentication            Acct   Is-Nsswitch
    User/Group Name  Application Method         Role Name  Locked Group
    vsadmin          http        password       vsadmin    yes    no
    vsadmin          ontapi      password       vsadmin    yes    no
    vsadmin          ssh         password       vsadmin    yes    no
    3 entries were displayed.

  • Ensure that the SVM has a CIFS server configured:

    clustershell::> vserver cifs show

    The system returns the Vserver name, CIFS server name and additional fields.

  • Set a password for the SVM:

    clustershell::> security login password -username vsadmin -vserver svmname

  • Unlock the SVM for external access:

    clustershell::> security login unlock -username vsadmin -vserver svmname

  • Verify that the ONTAP FPolicy framework can connect to the External FPolicy server engine that the Agent system hosts:

    clustershell::> vserver fpolicy show-engine -vserver svmname

    The agent IP address state should be "Connected".

  • Ensure the firewall-policy of the data LIF is set to ‘mgmt’ (not ‘data’).

    clustershell::> network interface modify -lif <SVM_data_LIF_name> -firewall-policy mgmt

  • When a firewall is enabled, you must define an exception that allows TCP traffic on the port used by the Data ONTAP Data Collector.

    See Agent requirements for configuration information. This applies to on-premise Agents and Agents installed in the Cloud.

  • When an Agent is installed in an AWS EC2 instance to monitor a Cloud ONTAP SVM, the Agent and Storage must be in the same VPC. If they are in separate VPCs, there must be a valid route between the VPCs.

If you cannot use the "vsadmin" user, create the following role for the data collector and assign it to the "causer" user:

security login show -vserver svmname
security login role create -vserver svmname -role carole -cmddirname DEFAULT -access none
security login role create -vserver svmname -role carole -cmddirname "network interface" -access readonly
security login role create -vserver svmname -role carole -cmddirname version -access readonly
security login role create -vserver svmname -role carole -cmddirname volume -access readonly
security login role create -vserver svmname -role carole -cmddirname vserver -access readonly
security login role create -vserver svmname -role carole -cmddirname "vserver fpolicy" -access all
security login create -user-or-group-name causer -application ontapi -authmethod password -role carole -vserver svmname
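A pre-flight check for the login prerequisites above, added here as an example (it is not NetApp's code): it parses captured `security login show` output and reports a missing password login or a locked account for the user the data collector will use. The function names and the required-application sets are assumptions drawn from the listing and commands on this page, and the `causer` row in the sample is constructed.

```python
# Applications shown for vsadmin in the page's listing. For the restricted
# "causer" login, which the page creates for ontapi only, pass {"ontapi"}.
VSADMIN_APPS = frozenset({"http", "ontapi", "ssh"})

# Captured `security login show -vserver svmname` output. The vsadmin rows are
# the page's; the causer row and "4 entries" footer are constructed.
SAMPLE = """\
Vserver: svmname
                             Authentication            Acct   Is-Nsswitch
User/Group Name  Application Method         Role Name  Locked Group
causer           ontapi      password       carole     no     no
vsadmin          http        password       vsadmin    yes    no
vsadmin          ontapi      password       vsadmin    yes    no
vsadmin          ssh         password       vsadmin    yes    no
4 entries were displayed.
"""

def parse_logins(output):
    """Return one dict per login row; headers, prompts and footers are skipped."""
    rows = []
    for line in output.splitlines():
        tok = line.split()
        # A data row ends with: application, method, role, locked, is-nsswitch.
        if len(tok) < 6 or not {tok[-2], tok[-1]} <= {"yes", "no", "-"}:
            continue
        rows.append({"user": " ".join(tok[:-5]), "app": tok[-5],
                     "method": tok[-4], "role": tok[-3], "locked": tok[-2]})
    return rows

def preflight(output, user, required_apps=VSADMIN_APPS):
    """List the problems that would stop the data collector from logging in."""
    mine = [r for r in parse_logins(output) if r["user"] == user]
    if not mine:
        return [f"{user}: no login entries found on this SVM"]
    problems = []
    have = {r["app"] for r in mine if r["method"] == "password"}
    for app in sorted(set(required_apps) - have):
        problems.append(f"{user}: no password login for application {app}")
    if any(r["locked"] == "yes" for r in mine):
        problems.append(f"{user}: account is locked, run security login unlock")
    return problems

if __name__ == "__main__":
    for who, apps in (("vsadmin", VSADMIN_APPS), ("causer", {"ontapi"})):
        print(who, preflight(SAMPLE, who, apps) or "ready")
```

Run against the page's own listing, the check flags vsadmin as locked, which is the condition the unlock step in the prerequisites clears.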

Steps for Configuration
  1. Log in as Administrator or Account Owner to your Cloud Insights environment.

  2. Click Admin > Data Collectors > +Data Collectors

    The system displays the available Data Collectors.

  3. Click the NetApp tile.

    Select ONTAP SVM

    The system displays the ONTAP SVM configuration page. Enter the required data for each field.





  • Unique name for the Data Collector

  • Select a configured agent from the list or click Add Agent to configure an Agent. See Agent requirements and Agent Installation for configuration information.

  • SVM Management IP Address: Management IP Address

  • User name to access the SVM

  • SVM Password

  • Enter complete share names to exclude: Comma-separated list of shares to exclude from event collection

  • Enter complete volume names to exclude: Comma-separated list of volumes to exclude from event collection

After you finish
  • Click Test Configuration to check the status of the collector you configured.

  • In the Installed Data Collectors page, use the options menu on the right of each collector to edit the data collector. You can start, stop, and edit data collector configuration attributes.


Known problems and their resolutions are described in the following table.

Problem: Agent is in Connected State and ONTAP Data collector is in Error State.
"Unable to define the state of datasource with id:<ID>"
Resolution: Ensure Docker service is running on the agent.

Problem: Error message: "Connection to the FPolicy server <IP> is broken. ( reason: "FPolicy server is removed from external engine." )"
Resolution: When the same SVM is added in two different Cloud Secure environments (tenants), the last one will always succeed. The second collector configures FPolicy with its own IP address and kicks out the first one, so the collector in the first environment stops receiving events and its "audit" service enters an error state.
To prevent this, configure each SVM in a single environment.