Configuring the ONTAP SVM Data Collector
Workload Security uses data collectors to collect file and user access data from devices.
Before you begin
- This data collector is supported with the following:
  - Data ONTAP 9.2 and later versions. For best performance, use a Data ONTAP version greater than 9.13.1.
  - SMB protocol version 3.1 and earlier.
  - NFS versions up to and including NFS 4.1 with ONTAP 9.15.1 or later.
  - Flexgroup is supported from ONTAP 9.4 and later versions.
  - ONTAP Select is supported.
- Only data type SVMs are supported. SVMs with infinite volumes are not supported.
- SVM has several sub-types. Of these, only default, sync_source, and sync_destination are supported.
- An Agent must be configured before you can configure data collectors.
- Make sure that you have a properly configured User Directory Connector; otherwise events will show encoded user names rather than the actual name of the user (as stored in Active Directory) in the “Activity Forensics” page.
- ONTAP Persistent Store is supported from 9.14.1.
- For optimal performance, configure the FPolicy server to be on the same subnet as the storage system.
- You must add an SVM using one of the following two methods:
  - By using Cluster IP, SVM name, and Cluster Management Username and Password. This is the recommended method.
    - The SVM name must be exactly as shown in ONTAP and is case-sensitive.
  - By using SVM Vserver Management IP, Username, and Password.
  - If you are not able or not willing to use the full Administrator Cluster/SVM Management Username and Password, you can create a custom user with lesser privileges as described in the “A Note About Permissions” section below. This custom user can be created for either SVM or Cluster access.
    - You can also use an AD user with a role that has at least the permissions of csrole as described in the “A Note About Permissions” section below. Also refer to the ONTAP documentation.
- Ensure the correct applications are set for the SVM by executing the following command:
  clustershell::> security login show -vserver <vservername> -user-or-group-name <username>
  Example output:
- Ensure that the SVM has a CIFS server configured:
  clustershell::> vserver cifs show
  The system returns the Vserver name, CIFS server name, and additional fields.
- Set a password for the SVM vsadmin user. If using a custom user or cluster admin user, skip this step.
  clustershell::> security login password -username vsadmin -vserver svmname
- Unlock the SVM vsadmin user for external access. If using a custom user or cluster admin user, skip this step.
  clustershell::> security login unlock -username vsadmin -vserver svmname
- Ensure the firewall-policy of the data LIF is set to ‘mgmt’ (not ‘data’). Skip this step if using a dedicated management LIF to add the SVM.
  clustershell::> network interface modify -lif <SVM_data_LIF_name> -firewall-policy mgmt
- When a firewall is enabled, you must have an exception defined to allow TCP traffic for the port used by the Data ONTAP Data Collector. See Agent requirements for configuration information. This applies to on-premise Agents and Agents installed in the Cloud.
- When an Agent is installed in an AWS EC2 instance to monitor a Cloud ONTAP SVM, the Agent and Storage must be in the same VPC. If they are in separate VPCs, there must be a valid route between the VPCs.
Prerequisites for User Access Blocking
Keep the following in mind for User Access Blocking:
- Cluster level credentials are needed for this feature to work.
- If you are using cluster administration credentials, no new permissions are needed.
- If you are using a custom user (for example, csuser) with permissions given to the user, then follow the steps below to give Workload Security permission to block users.
For csuser with cluster credentials, do the following from the ONTAP command line:
security login role create -role csrole -cmddirname "vserver export-policy rule" -access all
security login role create -role csrole -cmddirname set -access all
security login role create -role csrole -cmddirname "vserver cifs session" -access all
security login role create -role csrole -cmddirname "vserver services access-check authentication translate" -access all
security login role create -role csrole -cmddirname "vserver name-mapping" -access all
A Note About Permissions
Permissions when adding via Cluster Management IP:
If you cannot use the Cluster management administrator user to allow Workload Security to access the ONTAP SVM data collector, you can create a new user named “csuser” with the roles shown in the commands below. Use the username “csuser” and the password for “csuser” when configuring the Workload Security data collector to use Cluster Management IP.
To create the new user, log in to ONTAP with the Cluster management Administrator username/password, and execute the following commands on the ONTAP server:
security login role create -role csrole -cmddirname DEFAULT -access readonly
security login role create -role csrole -cmddirname "vserver fpolicy" -access all
security login role create -role csrole -cmddirname "volume snapshot" -access all -query "-snapshot cloudsecure_*"
security login role create -role csrole -cmddirname "event catalog" -access all
security login role create -role csrole -cmddirname "event filter" -access all
security login role create -role csrole -cmddirname "event notification destination" -access all
security login role create -role csrole -cmddirname "event notification" -access all
security login role create -role csrole -cmddirname "security certificate" -access all
security login create -user-or-group-name csuser -application ontapi -authmethod password -role csrole
security login create -user-or-group-name csuser -application ssh -authmethod password -role csrole
security login create -user-or-group-name csuser -application http -authmethod password -role csrole
Permissions when adding via Vserver Management IP:
If you cannot use the Cluster management administrator user to allow Workload Security to access the ONTAP SVM data collector, you can create a new user named “csuser” with the roles shown in the commands below. Use the username “csuser” and the password for “csuser” when configuring the Workload Security data collector to use Vserver Management IP.
To create the new user, log in to ONTAP with the Cluster management Administrator username/password, and execute the following commands on the ONTAP server. For ease, copy these commands to a text editor and replace <vservername> with your Vserver name before executing them on ONTAP:
security login role create -vserver <vservername> -role csrole -cmddirname DEFAULT -access none
security login role create -vserver <vservername> -role csrole -cmddirname "network interface" -access readonly
security login role create -vserver <vservername> -role csrole -cmddirname version -access readonly
security login role create -vserver <vservername> -role csrole -cmddirname volume -access readonly
security login role create -vserver <vservername> -role csrole -cmddirname vserver -access readonly
security login role create -vserver <vservername> -role csrole -cmddirname "vserver fpolicy" -access all
security login role create -vserver <vservername> -role csrole -cmddirname "volume snapshot" -access all
security login create -user-or-group-name csuser -application ontapi -authmethod password -role csrole -vserver <vservername>
security login create -user-or-group-name csuser -application http -authmethod password -role csrole -vserver <vservername>
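To verify the outcome of the `security login create` commands above (and the `security login show` check listed under Before you begin) without reading the table by eye, the following Python script parses the command's tabular output and reports anything that would stop the collector from authenticating, or that widens the account beyond csrole. This is an added example, not NetApp's code or part of Workload Security; the sample output is constructed to resemble the ONTAP table layout, and the column order, the `mode` argument and the `REQUIRED_APPS` sets (taken from the csuser commands for each connection method) are assumptions.

```python
"""Check that a Workload Security service account (csuser) has the login
entries the collector needs, by parsing the tabular output of
`security login show -vserver <vservername> -user-or-group-name csuser`.

Added example, not NetApp's documentation or tooling. The sample output is
constructed to resemble the ONTAP layout; the column order is an assumption,
so the parser keys on the dashed header-separator row and on whitespace-
delimited fields rather than on fixed column offsets.
"""

# Applications the page's `security login create` commands grant per mode.
REQUIRED_APPS = {
    "cluster": {"ontapi", "ssh", "http"},   # Cluster Management IP method
    "vserver": {"ontapi", "http"},          # Vserver Management IP method
}

# Constructed sample of what `security login show` prints for csuser.
# The ssh entry is deliberately left locked to show a finding.
SAMPLE_OUTPUT = """\
Vserver: svm_prod
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
csuser         http        password      csrole           no     none
csuser         ontapi      password      csrole           no     none
csuser         ssh         password      csrole           yes    none
3 entries were displayed.
"""


def parse_login_show(text):
    """Return one dict per login entry from `security login show` output."""
    entries = []
    in_table = False
    for line in text.splitlines():
        if not in_table:
            # The header block ends with a row made only of dashes and spaces.
            if line.strip() and set(line.strip()) <= {"-", " "}:
                in_table = True
            continue
        fields = line.split()
        if len(fields) < 5:
            # Trailer such as "3 entries were displayed." or a blank line.
            continue
        entries.append({
            "user": fields[0],
            "application": fields[1],
            "authmethod": fields[2],
            "role": fields[3],
            "locked": fields[4].lower() == "yes",
        })
    return entries


def check_service_account(text, user="csuser", role="csrole", mode="cluster"):
    """Compare the login entries for `user` with what the collector needs.

    Returns {'applications': [...], 'problems': [...]}; an empty problems
    list means the account is ready for the chosen connection method.
    """
    entries = [e for e in parse_login_show(text) if e["user"] == user]
    present = {e["application"] for e in entries}
    problems = []
    for app in sorted(REQUIRED_APPS[mode] - present):
        problems.append(f"missing login entry for application '{app}'")
    for e in entries:
        if e["role"] != role:
            # A leftover entry with a broader role (e.g. admin) defeats least privilege.
            problems.append(f"{e['application']} entry uses role '{e['role']}', expected '{role}'")
        if e["locked"]:
            # Mirrors the page's "security login unlock" prerequisite.
            problems.append(f"{e['application']} entry is locked; run security login unlock")
        if e["authmethod"] != "password":
            problems.append(f"{e['application']} entry uses authmethod '{e['authmethod']}', expected 'password'")
    return {"applications": sorted(present), "problems": problems}


if __name__ == "__main__":
    result = check_service_account(SAMPLE_OUTPUT, mode="cluster")
    for p in result["problems"]:
        print("PROBLEM:", p)
    if not result["problems"]:
        print("csuser is ready")
```

Run it against the saved output of `security login show -vserver <vservername> -user-or-group-name csuser`. Flagging every entry whose role is not csrole catches the common slip of leaving an earlier admin-role login for the same user in place, which would quietly give the collector far more than the readonly (cluster) or none (vserver) DEFAULT that the csrole commands intend.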
Protobuf Mode
Workload Security will configure the FPolicy engine in protobuf mode when this option is enabled in the collector's Advanced Configuration settings. Protobuf mode is supported in ONTAP version 9.15 and later.
More details on this feature can be found in the ONTAP documentation.
Specific permissions are required for protobuf (some or all of these may already exist):
Cluster mode:
security login rest-role create -role csrestrole -api /api/protocols/fpolicy -access all -vserver <cluster_name>
security login create -user-or-group-name csuser -application http -authmethod password -role csrestrole
Vserver mode:
security login rest-role create -role csrestrole -api /api/protocols/fpolicy -access all -vserver <svm_name>
security login create -user-or-group-name csuser -application http -authmethod password -role csrestrole -vserver <svm_name>
Permissions for ONTAP Autonomous Ransomware Protection and ONTAP Access Denied
If you are using cluster administration credentials, no new permissions are needed.
If you are using a custom user (for example, csuser) with permissions given to the user, then follow the steps below to give Workload Security permission to collect ARP-related information from ONTAP.
For more information, read about Integration with ONTAP Access Denied.
Configure the data collector
- Log in as Administrator or Account Owner to your Data Infrastructure Insights environment.
- Click Workload Security > Collectors > +Data Collectors. The system displays the available Data Collectors.
- Hover over the NetApp SVM tile and click +Monitor. The system displays the ONTAP SVM configuration page. Enter the required data for each field.
Field | Description
--- | ---
Name | Unique name for the Data Collector
Agent | Select a configured agent from the list.
Connect via Management IP for: | Select either Cluster IP or SVM Management IP
Cluster / SVM Management IP Address | The IP address for the cluster or the SVM, depending on your selection above.
SVM Name | The name of the SVM (this field is required when connecting via Cluster IP)
Username | User name to access the SVM/Cluster
Password | Password for the above user name
Filter Shares/Volumes | Choose whether to include or exclude Shares / Volumes from event collection
Enter complete share names to exclude/include | Comma-separated list of shares to exclude or include (as appropriate) from event collection
Enter complete volume names to exclude/include | Comma-separated list of volumes to exclude or include (as appropriate) from event collection
Monitor Folder Access | When checked, enables events for folder access monitoring. Note that folder create/rename and delete will be monitored even without this option selected. Enabling this will increase the number of events monitored.
Set ONTAP Send Buffer size | Sets the ONTAP FPolicy send buffer size. If an ONTAP version prior to 9.8p7 is used and a performance issue is seen, the ONTAP send buffer size can be altered to improve ONTAP performance. Contact NetApp Support if you do not see this option and wish to explore it.
- In the Installed Data Collectors page, use the options menu on the right of each collector to edit the data collector. You can restart the data collector or edit its configuration attributes.
Recommended Configuration for MetroCluster
The following is recommended for MetroCluster:
- Connect two data collectors, one to the source SVM and another to the destination SVM.
- The data collectors should be connected by Cluster IP.
- At any moment in time, one data collector should be Running and the other will be in Error. The current ‘running’ SVM’s data collector will show as Running; the current ‘stopped’ SVM’s data collector will show as Error.
- Whenever there is a switchover, the state of the data collector will change from ‘running’ to ‘error’ and vice versa.
- It will take up to two minutes for the data collector to move from Error state to Running state.
Service Policy
If you use a service policy with ONTAP version 9.9.1 or newer, the policy must include the data-fpolicy-client service along with the data service data-nfs and/or data-cifs for the Data Source Collector to be able to connect.
Example:
Testcluster-1::*> net int service-policy create -policy only_data_fpolicy -allowed-addresses 0.0.0.0/0 -vserver aniket_svm -services data-cifs,data-nfs,data-core,data-fpolicy-client (network interface service-policy create)
In versions of ONTAP prior to 9.9.1, data-fpolicy-client need not be set.
Play-Pause Data Collector
Two new operations are now shown on the kebab menu of a collector: PAUSE and RESUME.
If the Data Collector is in Running state, you can pause collection. Open the "three dots" menu for the collector and select PAUSE. While the collector is paused, no data is gathered from ONTAP, and no data is sent from the collector to ONTAP. This means no FPolicy events will flow from ONTAP to the data collector, and from there to Data Infrastructure Insights.
Note that if any new volumes, etc. are created on ONTAP while the collector is paused, Workload Security won’t gather the data, and those volumes, etc. will not be reflected in dashboards or tables.
Keep the following in mind:
- Snapshot purge won’t happen as per the settings configured on a paused collector.
- EMS events (like ONTAP ARP) won’t be processed on a paused collector. This means that if ONTAP identifies a ransomware attack, Data Infrastructure Insights Workload Security won’t be able to acquire that event.
- Health notification emails will NOT be sent for a paused collector.
- Manual or automatic actions (such as Snapshot or User Blocking) will not be supported on a paused collector.
- On agent or collector upgrades, agent VM restarts/reboots, or agent service restart, a paused collector will remain in Paused state.
- If the data collector is in Error state, the collector cannot be changed to Paused state. The Pause button will be enabled only if the state of the collector is Running.
- If the agent is disconnected, the collector cannot be changed to Paused state. The collector will go into Stopped state and the Pause button will be disabled.
Persistent Store
Persistent Store is supported with ONTAP 9.14.1 and later. Note that the volume name instructions differ between ONTAP 9.14 and 9.15.
Persistent Store can be enabled by selecting the checkbox on the collector edit/add page. After selecting the checkbox, a text field is displayed for the volume name. Volume name is a mandatory field for enabling Persistent Store.
- For ONTAP 9.14.1, you must create the volume prior to enabling the feature, and provide the same name in the Volume Name field. The recommended volume size is 16GB.
- For ONTAP 9.15.1, the volume will be created automatically with 16GB size by the collector, using the name provided in the Volume Name field.
Specific permissions are required for Persistent Store (some or all of these may already exist):
Cluster mode:
security login rest-role create -role csrestrole -api /api/protocols/fpolicy -access all -vserver <cluster-name>
security login rest-role create -role csrestrole -api /api/cluster/jobs/ -access readonly -vserver <cluster-name>
Vserver mode:
security login rest-role create -role csrestrole -api /api/protocols/fpolicy -access all -vserver <vserver-name>
security login rest-role create -role csrestrole -api /api/cluster/jobs/ -access readonly -vserver <vserver-name>
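Several requirements on this page are gated on the ONTAP version: the Service Policy section (data-fpolicy-client required from 9.9.1), Protobuf Mode (9.15 and later), and Persistent Store (9.14.1 with a pre-created volume, 9.15.1 with an auto-created one). The Python below turns those thresholds into a preflight check an operator can run before adding a collector. It is an added example, not NetApp's code; treating every 9.14.x release like 9.14.1 and every release from 9.15.1 upward like 9.15.1, ignoring P/X patch suffixes, and the `preflight` helper's shape are assumptions, since the page names only the specific versions quoted.

```python
"""Version-gated prerequisite checks for the ONTAP SVM data collector.

Added example, not NetApp code. It encodes thresholds stated on the page:
service policies on 9.9.1+ need data-fpolicy-client next to data-nfs and/or
data-cifs; protobuf mode needs 9.15+; Persistent Store needs 9.14.1+, with
the volume pre-created on 9.14.1 and auto-created by the collector on 9.15.1.
Extending those two Persistent Store rules to 9.14.x and 9.15.1+ is an
assumption, as is ignoring patch suffixes such as P7.
"""
import re


def parse_ontap_version(text):
    """'9.13.1P2' -> (9, 13, 1); a missing third component counts as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised ONTAP version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def service_policy_problems(version, services):
    """Report what a data LIF service policy lacks for the collector to connect."""
    v = parse_ontap_version(version)
    services = {s.strip() for s in services if s.strip()}
    problems = []
    # The collector rides on the NFS and/or CIFS data services.
    if not services & {"data-nfs", "data-cifs"}:
        problems.append("policy carries neither data-nfs nor data-cifs")
    # data-fpolicy-client is only a requirement from 9.9.1 onward.
    if v >= (9, 9, 1) and "data-fpolicy-client" not in services:
        problems.append("data-fpolicy-client missing (required on ONTAP 9.9.1 and later)")
    return problems


def protobuf_supported(version):
    """Protobuf mode for the FPolicy engine is available on 9.15 and later."""
    return parse_ontap_version(version) >= (9, 15, 0)


def persistent_store_mode(version):
    """None if unsupported, 'precreate' if the admin must create the volume,
    'auto' if the collector creates it from the Volume Name field."""
    v = parse_ontap_version(version)
    if v < (9, 14, 1):
        return None
    if v < (9, 15, 1):
        return "precreate"   # 9.14.1: create the 16GB volume first, then give its name
    return "auto"            # 9.15.1: collector creates the 16GB volume with that name


def preflight(version, services):
    """Summarise every version-dependent prerequisite for one ONTAP release."""
    return {
        "service_policy_problems": service_policy_problems(version, services),
        "protobuf": protobuf_supported(version),
        "persistent_store": persistent_store_mode(version),
    }


if __name__ == "__main__":
    # The service list from the page's own service-policy example.
    svc = "data-cifs,data-nfs,data-core,data-fpolicy-client".split(",")
    for ver in ("9.8P7", "9.9.1", "9.14.1", "9.15.1"):
        print(ver, preflight(ver, svc))
```

Feed `service_policy_problems` the `-services` value of the policy attached to the collector's LIF. The check looks only at the service list; the page's example also uses `-allowed-addresses 0.0.0.0/0`, and narrowing that to the Agent's subnet is a separate hardening decision the script does not evaluate.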
Troubleshooting
See the Troubleshooting the SVM Collector page for troubleshooting tips.