
Enable ONTAP Autonomous Ransomware Protection

Contributors netapp-dbagwell netapp-ahibbard netapp-forry netapp-aherbin netapp-aaron-holt netapp-thomi netapp-barbe

Beginning with ONTAP 9.10.1, you can enable Autonomous Ransomware Protection (ARP) on an existing volume or create a new volume and enable ARP from the beginning.

If you want to configure your ONTAP cluster so that all new volumes will be enabled by default for Autonomous Ransomware Protection (ARP), see this related ARP procedure.

About this task

To enable ARP, follow the procedure that matches your environment after you ensure that your environment meets certain requirements.

After you enable ARP, ARP might enter a transitional period depending on your environment and ONTAP version:

| Volume type | ONTAP version | Behavior after enablement |
|---|---|---|
| NAS FlexGroup | ONTAP 9.18.1 and later | ARP/AI is active immediately with no learning period |
| NAS FlexGroup | ONTAP 9.13.1 to 9.17.1 | ARP starts in learning mode for 30 days |
| NAS FlexVol | ONTAP 9.16.1 and later | ARP/AI is active immediately with no learning period |
| NAS FlexVol | ONTAP 9.10.1 to 9.15.1 | ARP starts in learning mode for 30 days |
| SAN volumes | ONTAP 9.17.1 and later | ARP/AI is active immediately, initiating an evaluation period to establish a suitable alert threshold before transitioning from an initial conservative threshold. |

Before you begin

Before enabling ARP, ensure your environment has the following:

NAS-specific requirements
  • A storage VM (SVM) with NFS or SMB (or both) protocol enabled.

  • NAS workload with clients configured.

  • An active junction path for the volume.

SAN-specific requirements
  • A storage VM (SVM) with iSCSI, FC, or NVMe protocol enabled.

  • SAN workload with clients configured.

General requirements

Enable ARP on NAS FlexVol volumes

You can enable ARP on NAS FlexVol volumes using System Manager or the ONTAP CLI. The process differs based on your ONTAP version.

ONTAP 9.16.1 and later

Beginning with ONTAP 9.16.1, ARP/AI is active immediately with no learning period required.

System Manager
  1. Select Storage > Volumes, then select the volume you want to protect.

  2. In the Security tab of the Volumes overview, select Status to switch from Disabled to Enabled.

  3. Verify the ARP state of the volume in the Anti-ransomware box.

    To display ARP status for all volumes: In the Volumes pane, select Show/Hide then ensure that Anti-ransomware status is checked.

CLI

Enable ARP on an existing volume:

security anti-ransomware volume enable -volume <vol_name> -vserver <svm_name>

Create a new volume with ARP enabled:

volume create -volume <vol_name> -vserver <svm_name> -aggregate <aggr_name> -size <nn> -anti-ransomware-state enabled -junction-path </path_name>

Verify the ARP state:

security anti-ransomware volume show

Learn more about security anti-ransomware volume show in the ONTAP command reference.

ONTAP 9.10.1 to 9.15.1

For ONTAP 9.10.1 to 9.15.1, you should enable ARP initially in learning mode (or "dry-run" state). The system analyzes the workload to characterize normal behavior. Beginning in active mode can lead to excessive false positive reports.

It's recommended that you let ARP run in learning mode for a minimum of 30 days. Beginning with ONTAP 9.13.1, ARP automatically determines the optimal learning period interval and automates the switch, which might occur before 30 days.

System Manager
  1. Select Storage > Volumes, then select the volume you want to protect.

  2. In the Security tab of the Volumes overview, select Status to switch from Disabled to Enabled.

  3. Select Enabled in learning-mode in the Anti-ransomware box.

    Note: You can disable the automatic transition from learning mode to active mode on the associated storage VM if you want to control that transition manually.

    Note: In existing volumes, learning and active modes apply only to newly written data, not to data that already exists in the volume. The existing data is not scanned and analyzed, because the characteristics of earlier normal data traffic are assumed based on the new data after the volume is enabled for ARP.

  4. Verify the ARP state of the volume in the Anti-ransomware box.

    To display ARP status for all volumes: In the Volumes pane, select Show/Hide then ensure that Anti-ransomware status is checked.

CLI

Enable ARP on an existing volume:

security anti-ransomware volume dry-run -volume <vol_name> -vserver <svm_name>

Learn more about security anti-ransomware volume dry-run in the ONTAP command reference.

Create a new volume with ARP enabled:

volume create -volume <vol_name> -vserver <svm_name> -aggregate <aggr_name> -size <nn> -anti-ransomware-state dry-run -junction-path </path_name>

Disable automatic switching (optional):

If you upgraded to ONTAP 9.13.1 through ONTAP 9.15.1 and want to manually control the switch from learning to active mode for all associated volumes, you can do this from the SVM:

vserver modify <svm_name> -anti-ransomware-auto-switch-from-learning-to-enabled false

Verify the ARP state:

security anti-ransomware volume show

Enable ARP on NAS FlexGroup volumes

You can enable ARP on NAS FlexGroup volumes using System Manager or the ONTAP CLI. The process differs based on your ONTAP version.

ONTAP 9.18.1 and later

Beginning with ONTAP 9.18.1, ARP/AI is active immediately for FlexGroup volumes with no learning period required.

System Manager
  1. Select Storage > Volumes, then select the FlexGroup volume you want to protect.

  2. In the Security tab of the Volumes overview, select Status to switch from Disabled to Enabled.

  3. Verify the ARP state of the volume in the Anti-ransomware box.

    To display ARP status for all volumes: In the Volumes pane, select Show/Hide then ensure that Anti-ransomware status is checked.

CLI

Enable ARP on an existing FlexGroup volume:

security anti-ransomware volume enable -volume <vol_name> -vserver <svm_name>

Create a new FlexGroup volume with ARP enabled:

volume create -volume <vol_name> -vserver <svm_name> -aggr-list <aggregate name> -aggr-list-multiplier <integer> -size <nn> -anti-ransomware-state enabled -junction-path </path_name>

Verify the ARP state:

security anti-ransomware volume show

ONTAP 9.13.1 to 9.17.1

For ONTAP 9.13.1 to 9.17.1, FlexGroup volumes start in learning mode. The system analyzes the workload to characterize normal behavior.

It's recommended that you let ARP run in learning mode for a minimum of 30 days. ARP automatically determines the optimal learning period interval and automates the switch, which might occur before 30 days.

System Manager
  1. Select Storage > Volumes, then select the FlexGroup volume you want to protect.

  2. In the Security tab of the Volumes overview, select Status to switch from Disabled to Enabled.

  3. Select Enabled in learning-mode in the Anti-ransomware box.

    Note: You can disable the automatic transition from learning mode to active mode if you want to control that transition manually.

  4. Verify the ARP state of the volume in the Anti-ransomware box.

CLI

Enable ARP on an existing FlexGroup volume:

security anti-ransomware volume dry-run -volume <vol_name> -vserver <svm_name>

Create a new FlexGroup volume with ARP enabled:

volume create -volume <vol_name> -vserver <svm_name> -aggr-list <aggregate name> -aggr-list-multiplier <integer> -size <nn> -anti-ransomware-state dry-run -junction-path </path_name>

Disable automatic switching (optional):

If you want to manually control the switch from learning to active mode:

vserver modify <svm_name> -anti-ransomware-auto-switch-from-learning-to-enabled false

Verify the ARP state:

security anti-ransomware volume show

Enable ARP on SAN volumes

Beginning with ONTAP 9.17.1, you can enable ARP on SAN volumes. ARP/AI is enabled automatically and immediately begins actively monitoring and protecting SAN volumes. During the evaluation period, it also determines whether the workloads are suitable for ARP and sets an optimal encryption threshold for detection.

You can enable ARP on SAN volumes using System Manager or the ONTAP CLI.

System Manager
Steps
  1. Select Storage > Volumes, then select the SAN volume you want to protect.

  2. In the Security tab of the Volumes overview, select Status to switch from Disabled to Enabled.

  3. ARP/AI automatically enters the evaluation period.

  4. Verify the ARP state and evaluation status in the Anti-ransomware box.

    To display ARP status for all volumes: In the Volumes pane, select Show/Hide then ensure that Anti-ransomware status is checked.

CLI

Enable ARP on an existing SAN volume:

security anti-ransomware volume enable -volume <vol_name> -vserver <svm_name>

Create a new SAN volume with ARP enabled:

volume create -volume <vol_name> -vserver <svm_name> -aggregate <aggr_name> -size <nn> -anti-ransomware-state enabled

Verify the ARP state and evaluation status:

security anti-ransomware volume show

Check the Block device detection status field to monitor the evaluation period progress.

Learn more about security anti-ransomware volume show in the ONTAP command reference.
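The version ranges and CLI procedures above can be folded into one pre-flight helper for automation runbooks. This is an added example, not NetApp code: the function names, the name allowlist and the sample inputs are assumptions, while the two commands it emits are the ones shown on this page.

```python
import re

# Ranges from the table on this page, per volume type:
# (lowest release listed, first release where ARP/AI is active immediately)
MATRIX = {
    "flexvol":   ((9, 10, 1), (9, 16, 1)),
    "flexgroup": ((9, 13, 1), (9, 18, 1)),
    "san":       ((9, 17, 1), (9, 17, 1)),
}
# Assumed conservative allowlist for names pasted into a CLI line (not an ONTAP rule).
NAME = re.compile(r"[A-Za-z0-9_.-]+")


def parse_version(text):
    """Turn '9.16.1' (a patch suffix such as 'P3' is ignored) into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognized ONTAP version: {text!r}")
    return tuple(int(part) for part in m.groups())


def arp_enable_plan(vol_type, ontap_version, volume, svm):
    """Return (cli_command, expected_behavior) for enabling ARP on an existing volume."""
    if vol_type not in MATRIX:
        raise ValueError(f"unknown volume type: {vol_type!r}")
    for name in (volume, svm):
        if not NAME.fullmatch(name):
            raise ValueError(f"refusing unsafe name: {name!r}")
    version = parse_version(ontap_version)
    first_listed, first_immediate = MATRIX[vol_type]
    if version < first_listed:
        raise ValueError(f"page lists ARP on {vol_type} only from ONTAP "
                         f"{'.'.join(map(str, first_listed))}")
    if version >= first_immediate:
        verb = "enable"
        behavior = ("active immediately, evaluation period" if vol_type == "san"
                    else "active immediately, no learning period")
    else:
        verb, behavior = "dry-run", "learning mode for 30 days"
    cmd = f"security anti-ransomware volume {verb} -volume {volume} -vserver {svm}"
    return cmd, behavior


if __name__ == "__main__":
    for args in [("flexvol", "9.15.1", "vol_fin", "svm1"),    # constructed inputs
                 ("flexgroup", "9.18.1", "fg_home", "svm1"),
                 ("san", "9.17.1", "lun_db", "svm2")]:
        print(args[:2], "->", arp_enable_plan(*args))
```

After running the emitted command, confirm the result with security anti-ransomware volume show as described in the procedures above.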