
Adjust settings for automatically generated ARP snapshots

Contributors: netapp-dbagwell, netapp-aherbin, netapp-aaron-holt

Beginning with ONTAP 9.11.1, you can use the CLI to control the retention settings for Autonomous Ransomware Protection (ARP) snapshots that are automatically generated in response to suspected ransomware attacks.

Before you begin

You can modify ARP snapshot options only on a node SVM, not on other SVM types.

Steps
  1. Show all current ARP snapshot settings:

    options -option-name arw*
  2. Show selected current ARP snapshot settings:

    options -option-name <arw_setting_name>
  3. Modify ARP snapshot settings:

    options -option-name <arw_setting_name> -option-value <arw_setting_value>

    The following settings are modifiable:

    Note Some of the commands described are deprecated as of ONTAP 9.17.1. Commands introduced in ONTAP 9.17.1 support both NAS and SAN environments.

    | Setting | Description | Supported versions |
    | --- | --- | --- |
    | arw.snap.max.count | Specifies the maximum number of ARP snapshots that can exist in a volume at any given time. Older copies are deleted to keep the total number of ARP snapshots within this limit. | ONTAP 9.11.1 and later |
    | arw.snap.create.interval.hours | Specifies the interval in hours between ARP snapshots. A new ARP snapshot is created when a data entropy-based attack is suspected and the most recently created ARP snapshot is older than the specified interval. | ONTAP 9.11.1 and later |
    | arw.snap.normal.retain.interval.hours | Specifies the duration in hours for which an ARP snapshot is retained. When an ARP snapshot reaches the retention threshold, it is deleted. | ONTAP 9.11.1 to 9.16.1; deprecated in ONTAP 9.17.1 and later |
    | arw.snap.max.retain.interval.days | Specifies the maximum duration in days for which an ARP snapshot can be retained. Any ARP snapshot older than this duration is deleted when there is no attack reported on the volume. Note: the maximum retention interval is ignored if a moderate threat is detected; the ARP snapshot created in response to the threat is retained until you have responded to the threat. When you mark a threat as a false positive, ONTAP deletes the ARP snapshots for the volume. | ONTAP 9.11.1 to 9.16.1; deprecated in ONTAP 9.17.1 and later |
    | arw.snap.create.interval.hours.post.max.count | Specifies the interval in hours between ARP snapshots when the volume already contains the maximum number of ARP snapshots. When the maximum number is reached, an ARP snapshot is deleted to make room for a new copy; use this option to slow the creation of new ARP snapshots so that older copies are retained longer. If the volume already contains the maximum number of ARP snapshots, the interval specified in this option is used for the next ARP snapshot creation instead of arw.snap.create.interval.hours. | ONTAP 9.11.1 to 9.16.1; deprecated in ONTAP 9.17.1 and later |
    | arw.snap.low.encryption.retain.duration.hours | Specifies the retention duration in hours for ARP snapshots created during periods of low encryption activity. | ONTAP 9.17.1 and later |
    | arw.snap.new.extns.interval.hours | Specifies the interval in hours between the ARP snapshots created when a new file extension is detected. A new ARP snapshot is created when a new file extension is observed and the previous snapshot created for a new file extension is older than this interval. On a workload that frequently creates new file extensions, this interval helps control the frequency of the ARP snapshots. This option is independent of arw.snap.create.interval.hours, which specifies the interval for data entropy-based ARP snapshots. | ONTAP 9.11.1 to 9.16.1; deprecated in ONTAP 9.17.1 and later |
    | arw.snap.retain.hours.after.clear.suspect.false.alert | Specifies the interval in hours an ARP snapshot is retained as a precaution after an attack incident is marked as a false positive by the administrator. After this precautionary retention period expires, the snapshot may be deleted according to the standard retention duration defined by the options arw.snap.normal.retain.interval.hours and arw.snap.max.retain.interval.days. | ONTAP 9.16.1 and later |
    | arw.snap.retain.hours.after.clear.suspect.real.attack | Specifies the interval in hours an ARP snapshot is retained as a precaution after an attack incident is marked as a real attack by the administrator. After this precautionary retention period expires, the snapshot may be deleted according to the standard retention duration defined by the options arw.snap.normal.retain.interval.hours and arw.snap.max.retain.interval.days. | ONTAP 9.16.1 and later |
    | arw.snap.surge.interval.days | Specifies the interval in days between ARP snapshots created in response to IO surges. ONTAP creates an ARP surge snapshot when there is a surge in IO traffic and the last created ARP snapshot is older than this interval. This option also specifies the retention period in days for an ARP surge snapshot. | ONTAP 9.11.1 and later |
    | arw.high.encryption.alert.enabled | Enables alerts for high levels of encryption. When this option is set to on (the default), ONTAP sends an alert when the percentage of encryption exceeds the threshold specified in arw.high.encryption.percentage.threshold. | ONTAP 9.17.1 and later |
    | arw.high.encryption.percentage.threshold | Specifies the maximum percentage of encryption for a volume. If the percentage of encryption is more than this threshold, ONTAP handles the increase as an attack and creates an ARP snapshot. arw.high.encryption.alert.enabled must be set to on for this option to take effect. | ONTAP 9.17.1 and later |
    | arw.snap.high.encryption.retain.duration.hours | Specifies the retention duration in hours for ARP snapshots created during a high encryption threshold event. | ONTAP 9.17.1 and later |

  4. If you are using ARP with a SAN environment, you can also modify the following evaluation period settings:

    | Setting | Description | Supported versions |
    | --- | --- | --- |
    | arw.block_device.auto.learn.threshold.min_value | Specifies the minimum encryption threshold percentage value during the auto-learn phase of evaluation for block devices. | ONTAP 9.17.1 and later |
    | arw.block_device.auto.learn.threshold.max_value | Specifies the maximum encryption threshold percentage value during the auto-learn phase of evaluation for block devices. | ONTAP 9.17.1 and later |
    | arw.block_device.evaluation.phase.min_hours | Specifies the minimum interval in hours the evaluation phase must run before the encryption threshold is set. | ONTAP 9.17.1 and later |
    | arw.block_device.evaluation.phase.max_hours | Specifies the maximum interval in hours the evaluation phase may run before the encryption threshold is set. | ONTAP 9.17.1 and later |
    | arw.block_device.evaluation.phase.min_data_ingest_size_GB | Specifies the minimum amount of data in GB that must be ingested during the evaluation phase before the encryption threshold is set. | ONTAP 9.17.1 and later |
    | arw.block_device.evaluation.phase.alert.enabled | Specifies whether alerts are enabled for the evaluation phase of ARP on block devices. The default value is True. | ONTAP 9.17.1 and later |
    | arw.block_device.evaluation.phase.alert.threshold | Specifies the threshold percentage during the evaluation phase of ARP on block devices. If the percentage of encryption exceeds this threshold, an alert is triggered. | ONTAP 9.17.1 and later |
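The snapshot options in step 3 interact: the creation interval decides whether a suspicion yields a new copy, the maximum count forces an older copy out, the post-max-count interval slows that churn, and an unresolved moderate threat suspends age-based deletion. The model below is an added illustration, not ONTAP code; it applies those rules as the table states them to a constructed timeline of suspicion events. The option values, the event times, and the simplification of treating the normal and maximum retention intervals as a single age limit are all assumptions made for the example.

```python
"""Illustrative model of how the ARP snapshot creation and retention options
interact. Added example, not ONTAP code: the rules are applied as the table
describes them; details the page does not specify are simplified."""
from dataclasses import dataclass, field

DAY_HOURS = 24.0


@dataclass
class ArpSettings:
    """Values are constructed for this example; names mirror the ONTAP options."""
    snap_max_count: int = 2                                  # arw.snap.max.count
    snap_create_interval_hours: float = 4.0                  # arw.snap.create.interval.hours
    snap_create_interval_hours_post_max_count: float = 12.0  # arw.snap.create.interval.hours.post.max.count
    snap_normal_retain_interval_hours: float = 48.0          # arw.snap.normal.retain.interval.hours
    snap_max_retain_interval_days: float = 7.0               # arw.snap.max.retain.interval.days


@dataclass
class Volume:
    settings: ArpSettings
    snapshots: list = field(default_factory=list)  # creation times in hours, oldest first
    log: list = field(default_factory=list)        # (time, action, detail) audit trail

    def on_suspected_attack(self, now: float) -> bool:
        """Decide whether an entropy-based suspicion at `now` yields a new snapshot."""
        s = self.settings
        at_max = len(self.snapshots) >= s.snap_max_count
        # Once the volume holds max.count snapshots, the post.max.count interval
        # replaces the normal creation interval, slowing the churn of older copies.
        interval = (s.snap_create_interval_hours_post_max_count if at_max
                    else s.snap_create_interval_hours)
        if self.snapshots and now - self.snapshots[-1] < interval:
            self.log.append((now, "skip", f"last snapshot is younger than {interval:g}h"))
            return False
        if at_max:
            oldest = self.snapshots.pop(0)  # oldest copy is deleted to stay within max.count
            self.log.append((now, "delete-for-max-count", f"snapshot from t={oldest:g}h"))
        self.snapshots.append(now)
        self.log.append((now, "create", f"interval in force was {interval:g}h"))
        return True

    def prune_by_age(self, now: float, moderate_threat_pending: bool = False) -> int:
        """Apply age-based retention; returns the number of snapshots deleted.

        While a moderate threat awaits an administrator response the snapshots
        are kept regardless of age (the caveat noted for max.retain.interval.days).
        Simplification: normal and maximum retention are collapsed into one limit."""
        if moderate_threat_pending:
            self.log.append((now, "retain", "moderate threat pending, age limits not applied"))
            return 0
        s = self.settings
        limit_h = min(s.snap_normal_retain_interval_hours,
                      s.snap_max_retain_interval_days * DAY_HOURS)
        survivors = [t for t in self.snapshots if now - t < limit_h]
        for t in self.snapshots:
            if now - t >= limit_h:
                self.log.append((now, "delete-for-age", f"snapshot from t={t:g}h"))
        deleted = len(self.snapshots) - len(survivors)
        self.snapshots = survivors
        return deleted


def run_scenario() -> Volume:
    """Constructed timeline: suspicion events at t = 0, 2, 5, 10 and 20 hours."""
    vol = Volume(ArpSettings())
    for t in (0, 2, 5, 10, 20):
        vol.on_suspected_attack(t)
    return vol


if __name__ == "__main__":
    vol = run_scenario()
    for entry in vol.log:
        print("t=%4gh  %-22s %s" % entry)
    print("snapshots before pruning:", vol.snapshots)
    print("deleted with threat pending:", vol.prune_by_age(60, moderate_threat_pending=True))
    print("deleted after threat resolved:", vol.prune_by_age(60))
    print("snapshots after pruning:", vol.snapshots)
```

Running the scenario shows the suspicion at t=10h being skipped even though the 4-hour creation interval has elapsed, because the volume is already at its maximum count and the 12-hour post-max-count interval is in force; the copy from t=0h survives until t=20h for that reason. It also shows that pruning at t=60h deletes nothing while the moderate threat is unresolved and deletes only the 55-hour-old copy once it is.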
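Because several of the options in step 3 are deprecated in ONTAP 9.17.1 while the SAN evaluation options in step 4 only exist from that release, a periodic review of the values returned by `options -option-name arw*` is worth automating. The script below is an added example, not NetApp code: it parses a constructed, simplified `option-name value` layout (the page does not reproduce the real output format, so that layout is an assumption), flags options the tables above list as deprecated for the running version, checks a few values against an example baseline, and reports when the high-encryption threshold is inert because alerting is off. The baseline numbers are constructed for the example and are not NetApp recommendations.

```python
"""Audit of ARP option values as shown by `options -option-name arw*`.

Added example, not NetApp code. Assumes a simplified one-`name value`-per-line
output layout (constructed here, since the page does not show the real one)."""
import re

# Options the tables above list as deprecated in ONTAP 9.17.1 and later.
DEPRECATED_FROM_9_17_1 = {
    "arw.snap.normal.retain.interval.hours",
    "arw.snap.max.retain.interval.days",
    "arw.snap.create.interval.hours.post.max.count",
    "arw.snap.new.extns.interval.hours",
}

# Example baseline minimums (constructed for this audit, not NetApp guidance).
BASELINE_MIN = {
    "arw.snap.max.count": 3,
    "arw.snap.normal.retain.interval.hours": 24,
}

# Constructed sample in the assumed output layout.
SAMPLE_OUTPUT = """\
arw.snap.max.count                               2
arw.snap.create.interval.hours                   4
arw.snap.normal.retain.interval.hours            48
arw.snap.max.retain.interval.days                7
arw.high.encryption.alert.enabled                off
arw.high.encryption.percentage.threshold         80
arw.block_device.evaluation.phase.alert.enabled  true
"""


def parse_version(text: str) -> tuple:
    """'9.17.1' -> (9, 17, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in text.split("."))


def parse_options(output: str) -> dict:
    """Parse 'name value' lines into a dict; lines that do not match are ignored."""
    opts = {}
    for line in output.splitlines():
        m = re.match(r"^\s*(arw\.[\w.]+)\s+(\S+)\s*$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def audit(opts: dict, ontap_version: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    ver = parse_version(ontap_version)
    for name, value in opts.items():
        if ver >= (9, 17, 1) and name in DEPRECATED_FROM_9_17_1:
            findings.append(f"{name}: deprecated in ONTAP 9.17.1 and later")
        if name in BASELINE_MIN and value.isdigit() and int(value) < BASELINE_MIN[name]:
            findings.append(f"{name}={value}: below example baseline minimum {BASELINE_MIN[name]}")
    # The high-encryption threshold only takes effect when alerting is on.
    if ver >= (9, 17, 1) and opts.get("arw.high.encryption.alert.enabled", "").lower() != "on":
        findings.append("arw.high.encryption.alert.enabled is not 'on': "
                        "arw.high.encryption.percentage.threshold has no effect")
    return findings


if __name__ == "__main__":
    parsed = parse_options(SAMPLE_OUTPUT)
    for version in ("9.16.1", "9.17.1"):
        print(f"ONTAP {version}:")
        for finding in audit(parsed, version) or ["no findings"]:
            print("  -", finding)
```

Against the constructed sample the audit reports one finding on ONTAP 9.16.1 (the low maximum count) and four on 9.17.1, where the two retention options are deprecated and the disabled alert makes the 80% threshold inert. Feed it the real command output only after confirming the layout matches the parser's assumption.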