Skip to main content

Enable Autonomous Ransomware Protection by default in new volumes

Contributors netapp-dbagwell netapp-ahibbard netapp-forry netapp-aaron-holt netapp-aherbin
PDFs

Beginning with ONTAP 9.10.1, you can configure storage VMs (SVMs) so that new volumes are enabled by default with Autonomous Ransomware Protection (ARP). You can modify this setting using System Manager or with the CLI.

If you want to configure only individual new or existing volumes without making ARP the default, see this related ARP procedure.

About this task

By default, new volumes are created with ARP in disabled mode. ARP will only be enabled by default on new volumes created in the SVM after you have enabled ARP for NAS volumes functionality.

ARP will not be automatically enabled on existing volumes. Setting changes described in this procedure only affect new volumes. Learn how to enable ARP for existing volumes.

  • For ONTAP 9.10.1 to 9.15.1 and ARP with FlexGroup volumes
    By default, new volumes enabled with ARP enabled are set to learning mode (or "dry-run") mode in which the system analyzes the workload to characterize normal behavior. Learning mode can be transitioned to active mode manually (all ARP versions) or automatically (beginning in ARP 9.13.1). With ARP 9.13.1 and later, adaptive learning has been added to ARP analytics so that the switch from learning mode to active mode is done automatically.

  • For ONTAP 9.16.1 and later with FlexVol volumes
    When you enable ARP, ARP/AI protection begins immediately in active mode. No learning period is required.

Before you begin

  • The correct license must be installed for your ONTAP version.

  • The volume must be less than 100% full.

  • Junction paths must be active.

  • Beginning in ONTAP 9.13.1, it's recommended you enable multi-admin verification (MAV) so that two or more authenticated user admins are required for anti-ransomware operations. Learn more.

Steps

You can use System Manager or the ONTAP CLI to enable ARP by default on new volumes.

System Manager

  1. Select Storage > Storage VMs then select the storage VM that contains volumes you want to protect with ARP.

  2. Navigate to the Settings tab. Under Security, locate the Anti-ransomware tile then select Edit icon.

  3. Check the box to enable ARP for NAS volumes. Check the additional box to enable ARP on all eligible NAS volumes in the storage VM.

    Note For ONTAP 9.16.1, active mode is automatically enabled by default for new FlexVol volumes and no learning period is required.
    Note In existing volumes, learning and active modes only apply to newly written data, not to already existing data in the volume. The existing data is not scanned and analyzed, because the characteristics of earlier normal data traffic are assumed based on the new data after the volume is enabled for ARP.

  4. If you have upgraded to ARP 9.13.1 or later, optionally select Switch automatically from learning to active mode after sufficient learning. This allows ARP to determine the optimal learning period interval and automate the switch to active mode.

CLI

  • Modify an existing SVM to enable ARP by default in new volumes:

    • For ONTAP 9.15.1 and earlier and FlexGroup volumes, set the default state to dry-run (learning mode):

      vserver modify -vserver <svm_name> -anti-ransomware-default-volume-state dry-run

    • For ONTAP 9.16.1 and later with ARP/AI and FlexVol volumes, set the default state to active (active mode):

      vserver modify -vserver <svm_name> -anti-ransomware-default-volume-state active

  • Create a new SVM with ARP enabled by default for new volumes:

    • For ONTAP 9.15.1 and earlier and FlexGroup volumes, set the default state to dry-run (learning mode):

      vserver create -vserver <svm_name> -anti-ransomware-default-volume-state dry-run <other parameters as needed>

    • For ONTAP 9.16.1 and later with ARP/AI and FlexVol volumes, set the default state to active (active mode):

      vserver modify -vserver <svm_name> -anti-ransomware-default-volume-state active

  • If you upgraded to ONTAP 9.13.1 or later and the default state is dry-run, adaptive learning is enabled so that the change to active state is done automatically. Modify the existing SVM if you do not want this behavior to be automatically enabled:

    vserver modify <svm_name> -anti-ransomware-auto-switch-from-learning-to-enabled false

Related information