Enable ONTAP Autonomous Ransomware Protection

07/18/2025 Contributors

PDFs

Beginning with ONTAP 9.10.1, you can enable Autonomous Ransomware Protection (ARP) on an existing volume or create a new volume and enable ARP from the beginning.

If you want to configure your ONTAP cluster so that all new volumes will be enabled by default for Autonomous Ransomware Protection (ARP), see this related ARP procedure.

About this task

(NAS environments only) For ONTAP 9.10.1 to 9.15.1 or ARP with FlexGroup volumes
For these versions of ONTAP, you should always enable ARP initially in learning mode (or "dry-run" state). When you first enable ARP in learning mode, the system analyzes the workload to characterize normal behavior. Beginning in active mode can lead to excessive false positive reports.

It's recommended that you let ARP run in learning mode for a minimum of 30 days. Beginning with ONTAP 9.13.1, ARP automatically determines the optimal learning period interval and automates the switch, which might occur before 30 days.
(NAS environments only) For ONTAP 9.16.1 and later with FlexVol volumes
When you enable ARP using System Manager or the CLI, ARP/AI protection is enabled and active immediately. No learning period is required.
(SAN environments only) For ONTAP 9.17.1 and later with FlexVol volumes
When you enable ARP using System Manager or the CLI, ARP/AI functionality is automatically enabled. Once enabled on a SAN volume, ARP/AI monitors data continuously during an evaluation period to determine if the workloads are suitable for ARP and sets an optimal encryption threshold for detection.

Before you begin

You must have a storage VM (SVM) with protocols enabled:
- NAS: NFS or SMB (or both)
- SAN: iSCSI, FC, or NVMe

The correct license must be installed for your ONTAP version.
You must have NAS or SAN workload with clients configured.
(NAS environments only) The volume you want to set ARP on must have an active junction path.
The volume must be less than 100% full.
It's recommended you configure the EMS system to send email notifications, which will include notices of ARP activity. For more information, see Configure EMS events to send email notifications.
Beginning with ONTAP 9.13.1, it's recommended that you enable multi-admin verification (MAV) so that two or more authenticated user admins are required for Autonomous Ransomware Protection (ARP) configuration. For more information, see Enable multi-admin verification.

Enable ARP on a new or existing volume

You can enable ARP using System Manager or the ONTAP CLI.

System Manager

Steps

Select Storage > Volumes, then select the volume you want to protect.

In the Security tab of the Volumes overview, select Status to switch from Disabled to Enabled.

(NAS environments only) If you are using ARP with ONTAP 9.15.1 or earlier or ONTAP 9.16.1 with FlexGroup volumes, select Enabled in learning-mode in the Anti-ransomware box.

Beginning with ONTAP 9.13.1, ARP automatically determines the optimal learning period interval and automates the switch. You can disable this setting on the associated storage VM if you want to control the learning mode to active mode transition manually.

In existing volumes, learning and active modes only apply to newly written data, not to already existing data in the volume. The existing data is not scanned and analyzed, because the characteristics of earlier normal data traffic are assumed based on the new data after the volume is enabled for ARP.

You can verify the ARP state of the volume in the Anti-ransomware box.

To display ARP status for all volumes: In the Volumes pane, select Show/Hide then ensure that Anti-ransomware status is checked.

CLI

The process to enable ARP with the CLI differs if you are enabling it on an existing volume or a new volume.

Enable ARP on an existing volume

Modify an existing volume to enable ransomware protection:
- For NAS environments without ARP/AI or for FlexGroup volumes, use dry-run state so that new volumes start in learning mode.
- For NAS environments running ONTAP 9.16.1 or later or SAN environments with ONTAP 9.17.1, use enabled state.
  security anti-ransomware volume <dry-run|enabled> -volume <vol_name> -vserver <svm_name>
  Learn more about security anti-ransomware volume dry-run in the ONTAP command reference.
If you upgraded a NAS environment to ONTAP 9.13.1 through ONTAP 9.15.1 and the default state is dry-run (learning mode), adaptive learning is enabled so that the change to enabled state (active mode) is done automatically. If you do not want this behavior to be automatically enabled, change the setting at the SVM level on all associated volumes:
```
vserver modify <svm_name> -anti-ransomware-auto-switch-from-learning-to-enabled false
```
Verify the ARP state of the volume.
```
security anti-ransomware volume show
```

Enable ARP on a new volume

Create a new volume with ARP enabled before provisioning data:
- For NAS environments without ARP/AI or for FlexGroup volumes, use dry-run state so that new volumes start in learning mode.
- For NAS environments running ONTAP 9.16.1 or later or SAN environments with ONTAP 9.17.1, use enabled state.
  volume create -volume <vol_name> -vserver <svm_name> -aggregate <aggr_name> -size <nn> -anti-ransomware-state <dry-run|enabled> -junction-path </path_name>
If you upgraded a NAS environment to ONTAP 9.13.1 through ONTAP 9.15.1 and the default state is dry-run (learning mode), adaptive learning is enabled so that the change to enabled state (active mode) is done automatically. If you do not want this behavior to be automatically enabled, change the setting at the SVM level on all associated volumes:
```
vserver modify <svm_name> -anti-ransomware-auto-switch-from-learning-to-enabled false
```
Verify that the volume is set to enabled state.
```
security anti-ransomware volume show
```
Learn more about security anti-ransomware volume show in the ONTAP command reference.

Related information

Switch to active mode after a learning period

Enable ONTAP Autonomous Ransomware Protection

Creating your file...

Enable ARP on a new or existing volume