
Enable ONTAP Autonomous Ransomware Protection by default in new volumes

Contributors netapp-dbagwell netapp-ahibbard netapp-forry netapp-aaron-holt netapp-aherbin netapp-thomi

Beginning with ONTAP 9.10.1, you can configure storage VMs (SVMs) so that new volumes are enabled by default with Autonomous Ransomware Protection (ARP). You can modify this setting using System Manager or with the CLI.

If you want to configure only individual new or existing volumes without making ARP the default, see this related ARP procedure.

About this task

By default, new volumes are created with ARP in disabled mode. ARP will only be enabled by default on new volumes created in the SVM after you have enabled anti-ransomware functionality.

ARP will not be automatically enabled on existing volumes. The setting changes described in this procedure only affect new volumes. Learn how to enable ARP for existing volumes.

  • (SAN environments only) For ONTAP 9.17.1 and later with FlexVol volumes
    When you enable ARP using System Manager or the CLI, ARP/AI functionality is automatically enabled. Once enabled on a SAN volume, ARP/AI monitors data continuously during an evaluation period to determine if the workloads are suitable for ARP and sets an optimal encryption threshold for detection.

  • (NAS environments only) For ONTAP 9.16.1 and later with FlexVol volumes
    When you enable ARP using System Manager or the CLI, ARP/AI protection is enabled and active immediately. No learning period is required.

  • (NAS environments only) For ONTAP 9.15.1 to 9.10.1 or ARP with FlexGroup volumes
    By default, new volumes with ARP enabled are set to learning mode (or "dry-run" state) in which the system analyzes the workload to characterize normal behavior. Learning mode can be transitioned to active mode manually (all ARP versions) or automatically (beginning in ARP 9.13.1). With ARP 9.13.1 and later, adaptive learning has been added to ARP analytics so that the switch from learning mode to active mode is done automatically.

Before you begin
  • The correct license must be installed for your ONTAP version.

  • Volumes must be less than 100% full.

  • (NAS environments only) Volumes you want to set ARP on must be protected and have an active junction path.

  • Beginning with ONTAP 9.13.1, it's recommended that you enable multi-admin verification (MAV) so that two or more authenticated user admins are required for anti-ransomware operations. Learn more.

Steps

You can use System Manager or the ONTAP CLI to enable ARP by default on new volumes.

System Manager
  1. Select Storage or Cluster (depending on your environment), select Storage VMs, and select the storage VM that contains volumes you want to protect with ARP.

  2. Navigate to the Settings tab. Under Security, locate the Anti-ransomware tile, then select the Edit icon.

  3. Check the box to enable anti-ransomware (ARP). Check the additional box to enable ARP on all eligible volumes in the storage VM.

  4. For ONTAP 9.13.1 or later, optionally select Switch automatically from learning to active mode after sufficient learning. This allows ARP to determine the optimal learning period interval and automate the switch to active mode.

CLI
  • Modify an existing SVM to enable ARP by default in new volumes:

    • For NAS environments without ARP/AI or for FlexGroup volumes, use dry-run state so that new volumes start in learning mode.

    • For NAS environments running ONTAP 9.16.1 or later or SAN environments with ONTAP 9.17.1, use enabled state.

      vserver modify -vserver <svm_name> -anti-ransomware-default-volume-state <dry-run|enabled>
  • Create a new SVM with ARP enabled by default for new volumes:

    • For NAS environments without ARP/AI or for FlexGroup volumes, use dry-run state so that new volumes start in learning mode.

    • For NAS environments running ONTAP 9.16.1 or later or SAN environments with ONTAP 9.17.1, use enabled state.

      vserver create -vserver <svm_name> -anti-ransomware-default-volume-state <dry-run|enabled>
  • If you upgraded to ONTAP 9.13.1 through ONTAP 9.15.1 and the default state is dry-run (learning mode), adaptive learning is enabled so that the change to enabled state (active mode) is done automatically. Modify the existing SVM if you do not want this behavior to be automatically enabled:

    vserver modify <svm_name> -anti-ransomware-auto-switch-from-learning-to-enabled false
  • Verify that ARP-enabled volumes show enabled state.

    security anti-ransomware volume show

    Learn more about security anti-ransomware volume show in the ONTAP command reference.
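
The version and environment rules above, written out as a helper that prints the CLI line(s) to run for one SVM. This is an added example, not NetApp tooling: the function names, argument order and the SVM name svm_nas01 are assumptions, and it encodes only the rules stated on this page (license and feature support are not checked).

```shell
#!/bin/sh
# Added example: helper names and arguments are hypothetical, not NetApp tooling.

# ver_ge A B: succeed when dotted numeric version A >= B (so 9.10.1 > 9.9.1).
ver_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        af=${a%%.*}; bf=${b%%.*}
        if [ "${af:-0}" -gt "${bf:-0}" ]; then return 0; fi
        if [ "${af:-0}" -lt "${bf:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# arp_default_state ENV VOLTYPE VERSION: print dry-run or enabled per the
# rules on this page; return 1 for combinations the page does not cover.
arp_default_state() {
    kind=$1; voltype=$2; ver=$3
    case $ver in ''|*[!0-9.]*) return 1 ;; esac
    ver_ge "$ver" 9.10.1 || return 1   # SVM-level default begins with 9.10.1
    case $kind:$voltype in
        nas:flexgroup) echo dry-run ;;
        nas:flexvol) if ver_ge "$ver" 9.16.1; then echo enabled; else echo dry-run; fi ;;
        san:flexvol) if ver_ge "$ver" 9.17.1; then echo enabled; else return 1; fi ;;
        *) return 1 ;;
    esac
}

# arp_modify_cmds SVM ENV VOLTYPE VERSION [AUTO_SWITCH]: print the ONTAP CLI
# line(s) to run on the cluster. AUTO_SWITCH=false adds the opt-out command,
# which the page scopes to dry-run defaults on ONTAP 9.13.1 through 9.15.1.
arp_modify_cmds() {
    svm=$1; auto=${5:-true}
    case $svm in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac   # refuse unexpected characters
    state=$(arp_default_state "$2" "$3" "$4") || return 1
    echo "vserver modify -vserver $svm -anti-ransomware-default-volume-state $state"
    if [ "$auto" = false ] && [ "$state" = dry-run ] &&
       ver_ge "$4" 9.13.1 && ver_ge 9.15.1 "$4"; then
        echo "vserver modify $svm -anti-ransomware-auto-switch-from-learning-to-enabled false"
    fi
}

# Constructed sample: a NAS FlexVol SVM on 9.14.1 that should stay in manual learning mode.
arp_modify_cmds svm_nas01 nas flexvol 9.14.1 false
```

Run the printed lines in the ONTAP CLI, then confirm the result with security anti-ransomware volume show as in the last step.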