Skip to main content

Enable ONTAP Autonomous Ransomware Protection by default in new volumes

Contributors netapp-dbagwell netapp-ahibbard netapp-forry netapp-aaron-holt netapp-aherbin netapp-thomi
PDFs

Beginning with ONTAP 9.10.1, you can configure storage VMs (SVMs) so that new volumes are enabled by default with Autonomous Ransomware Protection (ARP). You can modify this setting using System Manager or with the CLI.

If you want to configure only individual new or existing volumes without making ARP the default, see this related ARP procedure.

About this task

By default, new volumes are created with ARP functionality disabled. You'll need to enable ARP functionality and set it to be enabled by default on new volumes created in the SVM.

Existing volumes without ARP enabled will not change ARP enablement status automatically when you change the default for the SVM. The SVM setting changes described in this procedure only affect new volumes. Learn how to enable ARP for existing volumes.

After you enable ARP, ARP might enter a transitional period depending on your environment and ONTAP version:

Volume type ONTAP version Behavior after enablement

NAS FlexGroup

ONTAP 9.18.1 and later

ARP/AI is active immediately with no learning period

ONTAP 9.13.1 to 9.17.1

ARP starts in learning mode for 30 days

NAS FlexVol

ONTAP 9.16.1 and later

ARP/AI is active immediately with no learning period

ONTAP 9.10.1 to 9.15.1

ARP starts in learning mode for 30 days

SAN volumes

ONTAP 9.17.1 and later

ARP/AI is active immediately, initiating an evaluation period to establish a suitable alert threshold before transitioning from an initial conservative threshold.
Before you begin

Before enabling ARP, ensure your environment has the following:

NAS-specific requirements

  • A storage VM (SVM) with NFS or SMB (or both) protocol enabled.

  • An active junction path for the volume.

SAN-specific requirements

  • A storage VM (SVM) with iSCSI, FC, or NVMe protocol enabled.

General requirements
Steps

You can use System Manager or the ONTAP CLI to enable ARP by default on new volumes.

System Manager

  1. Select Storage or Cluster (depending on your environment), select Storage VMs, and select the storage VM that will contain volumes you want to protect with ARP.

  2. Navigate to the Settings tab. Under Security, locate the Anti-ransomware tile then select Edit icon.

  3. Check the box to enable anti-ransomware (ARP). Check the additional box to enable ARP on all eligible volumes in the storage VM.

  4. For ONTAP versions with a recommended learning period, select Switch automatically from learning to active mode after sufficient learning. This allows ARP to determine the optimal learning period interval and automate the switch to active mode.

CLI
Modify an existing SVM to enable ARP by default in new volumes

Select dry-run if your version of ARP requires a learning period. Otherwise, select enabled.

vserver modify -vserver <svm_name> -anti-ransomware-default-volume-state <dry-run|enabled>
Create a new SVM with ARP enabled by default for new volumes

Select dry-run if your version of ARP requires a learning period. Otherwise, select enabled.

vserver create -vserver <svm_name> -anti-ransomware-default-volume-state <dry-run|enabled>
Modify existing SVM to disable automatic learning to active mode transition

If you upgraded to ONTAP 9.13.1 through ONTAP 9.15.1 and the default state is dry-run (learning mode), adaptive learning is enabled so that the change to enabled state (active mode) is done automatically. You can disable this automatic switch so that you can manually control the switch from learning to active mode for all associated volumes:

vserver modify <svm_name> -anti-ransomware-auto-switch-from-learning-to-enabled false
Verify the ARP state
security anti-ransomware volume show
Related information