
Enable Autonomous Ransomware Protection

Contributors netapp-dbagwell netapp-ahibbard netapp-aherbin

Beginning with ONTAP 9.10.1, you can enable Autonomous Ransomware Protection (ARP) on an existing volume or create a new volume and enable ARP from the beginning.

If you want to configure your ONTAP cluster so that all new volumes will be enabled by default for Autonomous Ransomware Protection (ARP), see this related ARP procedure.

About this task
  • For ONTAP 9.10.1 to 9.15.1 and ARP with FlexGroup volumes
    For these versions of ONTAP, you should always enable ARP initially in learning mode (or "dry-run" mode). When you first enable ARP in learning mode, the system analyzes the workload to characterize normal behavior. Beginning in active mode can lead to excessive false positive reports.

    It's recommended you let ARP run in learning mode for a minimum of 30 days. Beginning with ONTAP 9.13.1, ARP automatically determines the optimal learning period interval and automates the switch, which might occur before 30 days.

  • For ONTAP 9.16.1 and later with FlexVol volumes
    When you enable ARP, ARP/AI protection begins immediately in active mode. No learning period is required.

Note: In existing volumes, learning and active modes only apply to newly written data, not to already existing data in the volume. The existing data is not scanned and analyzed, because the characteristics of earlier normal data traffic are assumed based on the new data after the volume is enabled for ARP.
Before you begin
  • You must have a storage VM (SVM) enabled for NFS or SMB (or both).

  • The correct license must be installed for your ONTAP version.

  • You must have a NAS workload with clients configured.

  • The volume you want to set ARP on must be protected and have an active junction path.

  • The volume must be less than 100% full.

  • It's recommended you configure the EMS system to send email notifications, which will include notices of ARP activity. For more information, see Configure EMS events to send email notifications.

  • Beginning in ONTAP 9.13.1, it's recommended that you enable multi-admin verification (MAV) so that two or more authenticated user admins are required for Autonomous Ransomware Protection (ARP) configuration. For more information, see Enable multi-admin verification.

Enable ARP on a new or existing volume

You can enable ARP using System Manager or the ONTAP CLI.

System Manager
Steps
  1. Select Storage > Volumes, then select the volume you want to protect.

  2. In the Security tab of the Volumes overview, select Status to switch from Disabled to Enabled.

    • If you are using ARP with ONTAP 9.15.1 or earlier or ONTAP 9.16.1 with FlexGroup volumes, select Enabled in learning-mode in the Anti-ransomware box.

      Note: Beginning with ONTAP 9.13.1, ARP automatically determines the optimal learning period interval and automates the switch. You can disable this setting on the associated storage VM if you want to control the learning mode to active mode transition manually.
    • If you are using ARP on FlexVol volumes with ONTAP 9.16.1 or later, ARP/AI functionality does not require a learning period and active mode is selected by default.

  3. You can verify the ARP state of the volume in the Anti-ransomware box.

    To display ARP status for all volumes: In the Volumes pane, select Show/Hide then ensure that Anti-ransomware status is checked.

CLI

The process to enable ARP with the CLI differs if you are enabling it on an existing volume versus a new volume.

Enable ARP on an existing volume
  1. Modify an existing volume to enable ransomware protection:

    • For ONTAP 9.15.1 and earlier and ARP with FlexGroup volumes, set the volume state to dry-run (learning mode):

      security anti-ransomware volume dry-run -volume <vol_name> -vserver <svm_name>

    • For ONTAP 9.16.1 and later with ARP/AI and FlexVol volumes, set the volume state to active (active mode):

      security anti-ransomware volume active -volume <vol_name> -vserver <svm_name>

  2. If you upgraded to ONTAP 9.13.1 or later and the ARP default state is dry-run, adaptive learning is enabled so that the change to active state is done automatically. If you do not want this behavior to be automatically enabled, change the setting at the SVM level on all associated volumes:

    vserver modify <svm_name> -anti-ransomware-auto-switch-from-learning-to-enabled false

  3. Verify the ARP state of the volume.

    security anti-ransomware volume show

Enable ARP on a new volume
  1. Create a new volume with ARP enabled before provisioning data:

    • For ONTAP 9.15.1 and earlier and ARP with FlexGroup volumes, set the state to dry-run (learning mode):

      volume create -volume <vol_name> -vserver <svm_name> -aggregate <aggr_name> -size <nn> -anti-ransomware-state dry-run -junction-path </path_name>

    • For ONTAP 9.16.1 and later with ARP/AI and FlexVol volumes, set the state to active (active mode):

      volume create -volume <vol_name> -vserver <svm_name> -aggregate <aggr_name> -size <nn> -anti-ransomware-state active -junction-path </path_name>

  2. If you upgraded to ONTAP 9.13.1 or later and the ARP default state is dry-run, adaptive learning is enabled so that the change to active state is done automatically. If you do not want this behavior to be automatically enabled, change the setting at the SVM level on all associated volumes:

    vserver modify <svm_name> -anti-ransomware-auto-switch-from-learning-to-enabled false

  3. Verify the ARP state of the volume.

    security anti-ransomware volume show
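
The version and volume-type rule from the two CLI procedures above, as an added shell example (not NetApp's own tooling) that prints the commands for one volume so they can be reviewed before being run in the ONTAP CLI. The function names, argument order, and the svm1/vol_projects names are assumptions of this example; the ONTAP commands are the ones shown on this page.

```shell
#!/bin/sh
# Added example: build the ARP enablement commands from this page for one volume.
# Function names and arguments are assumptions of this example, not ONTAP features.

# ver_ge A B: succeed when dotted version A is >= B (9.9.1 < 9.10.1 numerically).
ver_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# arp_state VERSION STYLE: print the initial ARP state this page prescribes.
# STYLE is flexvol or flexgroup. Fails for ONTAP releases earlier than 9.10.1.
arp_state() {
    ver_ge "$1" 9.10.1 || { echo "ARP requires ONTAP 9.10.1 or later" >&2; return 1; }
    case "$2" in
        flexvol)   if ver_ge "$1" 9.16.1; then echo active; else echo dry-run; fi ;;
        flexgroup) echo dry-run ;;   # FlexGroup volumes always start in learning mode
        *) echo "unknown volume style: $2" >&2; return 2 ;;
    esac
}

# arp_plan VERSION STYLE existing|new SVM VOLUME [MANUAL_SWITCH]
# MANUAL_SWITCH=yes adds the SVM-level command that turns off the automatic
# learning-to-active switch (only relevant on 9.13.1 or later in dry-run state).
arp_plan() {
    state=$(arp_state "$1" "$2") || return
    case "$3" in
        existing)
            echo "security anti-ransomware volume $state -volume $5 -vserver $4" ;;
        new)
            echo "volume create -volume $5 -vserver $4 -aggregate <aggr_name> -size <nn> -anti-ransomware-state $state -junction-path </path_name>" ;;
        *) echo "mode must be 'existing' or 'new'" >&2; return 2 ;;
    esac
    if [ "$state" = dry-run ] && [ "${6:-no}" = yes ] && ver_ge "$1" 9.13.1; then
        echo "vserver modify $4 -anti-ransomware-auto-switch-from-learning-to-enabled false"
    fi
    echo "security anti-ransomware volume show"
}

# Constructed sample: a FlexGroup volume on 9.14.1 with manual mode switching.
arp_plan 9.14.1 flexgroup existing svm1 vol_projects yes
```

The `<aggr_name>`, `<nn>` and `</path_name>` placeholders in the new-volume command are left as on the page and must be filled in before use.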