Enable ONTAP Autonomous Ransomware Protection
Beginning with ONTAP 9.10.1, you can enable Autonomous Ransomware Protection (ARP) on an existing volume or create a new volume and enable ARP from the beginning.
If you want to configure your ONTAP cluster so that all new volumes will be enabled by default for Autonomous Ransomware Protection (ARP), see this related ARP procedure.
- For ONTAP 9.10.1 to 9.15.1 and ARP with FlexGroup volumes
  For these versions of ONTAP, you should always enable ARP initially in learning mode (or "dry-run" mode). When you first enable ARP in learning mode, the system analyzes the workload to characterize normal behavior. Beginning in active mode can lead to excessive false positive reports. It's recommended you let ARP run in learning mode for a minimum of 30 days. Beginning with ONTAP 9.13.1, ARP automatically determines the optimal learning period interval and automates the switch, which might occur before 30 days.
- For ONTAP 9.16.1 and later with FlexVol volumes
  When you enable ARP, ARP/AI protection is enabled and active immediately. No learning period is required.
- You must have a storage VM (SVM) enabled for NFS or SMB (or both).
- The correct license must be installed for your ONTAP version.
- You must have a NAS workload with clients configured.
- The volume you want to set ARP on must be protected and have an active junction path.
- The volume must be less than 100% full.
- It's recommended you configure the EMS system to send email notifications, which will include notices of ARP activity. For more information, see Configure EMS events to send email notifications.
- Beginning with ONTAP 9.13.1, it's recommended that you enable multi-admin verification (MAV) so that two or more authenticated user admins are required for Autonomous Ransomware Protection (ARP) configuration. For more information, see Enable multi-admin verification.
Enable ARP on a new or existing volume
You can enable ARP using System Manager or the ONTAP CLI.
- Select Storage > Volumes, then select the volume you want to protect.
- In the Security tab of the Volumes overview, select Status to switch from Disabled to Enabled.
  - If you are using ARP with ONTAP 9.15.1 or earlier or ONTAP 9.16.1 with FlexGroup volumes, select Enabled in learning-mode in the Anti-ransomware box.
    Beginning with ONTAP 9.13.1, ARP automatically determines the optimal learning period interval and automates the switch. You can disable this setting on the associated storage VM if you want to control the learning mode to active mode transition manually. In existing volumes, learning and active modes only apply to newly written data, not to already existing data in the volume. The existing data is not scanned and analyzed, because the characteristics of earlier normal data traffic are assumed based on the new data after the volume is enabled for ARP.
  - If you are using ARP on FlexVol volumes with ONTAP 9.16.1 or later, ARP/AI functionality is enabled and active immediately. No learning period is required.
- You can verify the ARP state of the volume in the Anti-ransomware box.
  To display ARP status for all volumes: In the Volumes pane, select Show/Hide then ensure that Anti-ransomware status is checked.
The process to enable ARP with the CLI differs if you are enabling it on an existing volume versus a new volume.
- Modify an existing volume to enable ransomware protection:
    security anti-ransomware volume dry-run -volume <vol_name> -vserver <svm_name>
  For ONTAP 9.15.1 and earlier and FlexGroup volumes, new volumes begin in learning mode. For ONTAP 9.16.1 and later with FlexVol volumes, ARP/AI is enabled immediately. In either case, use dry-run as the value.
- If you upgraded to ONTAP 9.13.1 through ONTAP 9.15.1 and the default state is dry-run, adaptive learning is enabled so that the change to active state is done automatically. If you do not want this behavior to be automatically enabled, change the setting at the SVM level on all associated volumes:
    vserver modify <svm_name> -anti-ransomware-auto-switch-from-learning-to-enabled false
- Verify the ARP state of the volume.
    security anti-ransomware volume show
- Create a new volume with ARP enabled before provisioning data:
    volume create -volume <vol_name> -vserver <svm_name> -aggregate <aggr_name> -size <nn> -anti-ransomware-state dry-run -junction-path </path_name>
  For ONTAP 9.15.1 and earlier and FlexGroup volumes, new volumes begin in learning mode. For ONTAP 9.16.1 and later with FlexVol volumes, ARP/AI is enabled immediately. In either case, use dry-run as the value.
- If you upgraded to ONTAP 9.13.1 through ONTAP 9.15.1 and the default state is dry-run, adaptive learning is enabled so that the change to active state is done automatically. If you do not want this behavior to be automatically enabled, change the setting at the SVM level on all associated volumes:
    vserver modify <svm_name> -anti-ransomware-auto-switch-from-learning-to-enabled false
- Verify that the volume is set to enabled state.
    security anti-ransomware volume show
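The version rules and CLI steps for an existing volume, as an added Python planning helper (example code written for this page, not NetApp's): it reports whether a volume starts in learning mode or goes active at once, whether the switch to active is automated, and the commands from this page to run. The name allow-list, the function and field names, and the sample inventory are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Conservative allow-list for names placed into a CLI line (an assumption of
# this example; stricter than ONTAP's own naming rules).
_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _ver(text):
    """'9.13.1' -> (9, 13, 1) so releases compare numerically."""
    return tuple(int(p) for p in text.split("."))


@dataclass
class ArpPlan:
    mode: str          # "learning" or "active"
    auto_switch: bool  # ARP moves learning -> active on its own
    commands: list     # CLI lines, in the order the page gives them


def plan_arp(ontap_version, volume_style, svm, volume, manual_switch=False):
    """Plan ARP enablement for one existing volume from the page's rules."""
    if not (_NAME.fullmatch(svm) and _NAME.fullmatch(volume)):
        raise ValueError("unexpected characters in SVM or volume name")
    if volume_style not in ("flexvol", "flexgroup"):
        raise ValueError("volume_style must be 'flexvol' or 'flexgroup'")
    ver = _ver(ontap_version)
    if ver < (9, 10, 1):
        raise ValueError("ARP requires ONTAP 9.10.1 or later")
    # 9.16.1+ FlexVol: ARP/AI is active at once. Everything else learns first.
    learning = not (volume_style == "flexvol" and ver >= (9, 16, 1))
    # From 9.13.1 the learning -> active switch is automated.
    auto = learning and ver >= (9, 13, 1)
    cmds = [f"security anti-ransomware volume dry-run -volume {volume} -vserver {svm}"]
    if auto and manual_switch:
        # SVM-level setting: applies to every volume on that SVM.
        cmds.append(f"vserver modify {svm} "
                    "-anti-ransomware-auto-switch-from-learning-to-enabled false")
        auto = False
    cmds.append("security anti-ransomware volume show")
    return ArpPlan("learning" if learning else "active", auto, cmds)


if __name__ == "__main__":
    # Constructed inventory rows: ONTAP version, volume style, SVM, volume.
    for row in [("9.12.1", "flexvol", "svm1", "vol_home"),
                ("9.16.1", "flexgroup", "svm2", "fg_media"),
                ("9.16.1", "flexvol", "svm2", "vol_db")]:
        plan = plan_arp(*row)
        print(plan.mode, plan.auto_switch, *plan.commands, sep="\n    ")
```

A volume whose plan shows learning mode without auto-switch needs a scheduled manual move to active after the recommended 30 days.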