Modify options for automatic snapshots
Beginning with ONTAP 9.11.1, you can use the CLI to control the retention settings for Autonomous Ransomware Protection (ARP) snapshots that are automatically generated in response to suspected ransomware attacks.
You can only modify ARP snapshot options on a node SVM.
- To show all current ARP snapshot settings, enter:
  vserver options -vserver <svm_name> -option-name arw*
  The vserver options command is a hidden command. To view the man page, enter man vserver options at the ONTAP CLI.
- To show selected current ARP snapshot settings, enter:
  vserver options -vserver <svm_name> -option-name <arw_setting_name>
- To modify ARP snapshot settings, enter:
  vserver options -vserver <svm_name> -option-name <arw_setting_name> -option-value <arw_setting_value>
The following settings are modifiable:
ARW setting: arw.snap.max.count
Description: Specifies the maximum number of ARP snapshots that can exist in a volume at any given time. Older copies are deleted to ensure that the total number of ARP snapshots is within this specified limit.
The -option-value parameter accepts integers between 3 and 8, inclusive. The default value is 6.

ARW setting: arw.snap.create.interval.hours
Description: Specifies the interval in hours between ARP snapshots. A new ARP snapshot is created when a data entropy-based attack is suspected and the most recently created ARP snapshot is older than the specified interval.
The -option-value parameter accepts integers between 1 and 48, inclusive. The default value is 4.

ARW setting: arw.snap.normal.retain.interval.hours
Description: Specifies the duration in hours for which an ARP snapshot is retained. When an ARP snapshot reaches the retention threshold, any other ARP snapshot created before it is deleted. No more than one ARP snapshot older than the retention threshold can exist.
The -option-value parameter accepts integers between 4 and 96, inclusive. The default value is 48.

ARW setting: arw.snap.max.retain.interval.days
Description: Specifies the maximum duration in days for which an ARP snapshot can be retained. Any ARP snapshot older than this duration is deleted when there is no attack reported on the volume.
The maximum retention interval for ARP snapshots is ignored if a moderate threat is detected. The ARP snapshot created in response to the threat is retained until you have responded to the threat. When you mark a threat as a false positive, ONTAP will delete the ARP snapshots for the volume.
The -option-value parameter accepts integers between 1 and 365, inclusive. The default value is 5.

ARW setting: arw.snap.create.interval.hours.post.max.count
Description: Specifies the interval in hours between ARP snapshots when the volume already contains the maximum number of ARP snapshots. When the maximum number is reached, an ARP snapshot is deleted to make room for a new copy. The new ARP snapshot creation speed can be reduced to retain the older copy using this option. If the volume already contains the maximum number of ARP snapshots, the interval specified in this option is used for the next ARP snapshot creation, instead of arw.snap.create.interval.hours.
The -option-value parameter accepts integers between 4 and 48, inclusive. The default value is 8.

ARW setting: arw.surge.snap.interval.days
Description: Specifies the interval in days between ARP snapshots created in response to IO surges. ONTAP creates an ARP snapshot surge copy when there's a surge in IO traffic and the last created ARP snapshot is older than this specified interval. This option also specifies the retention period in days for an ARP surge snapshot.
The -option-value parameter accepts integers between 1 and 365, inclusive. The default value is 5.

ARW setting: arw.snap.new.extns.interval.hours
Description: Specifies the interval in hours between the ARP snapshots created when a new file extension is detected. A new ARP snapshot is created when a new file extension is observed and the previous snapshot created upon observing a new file extension is older than this specified interval. On a workload that frequently creates new file extensions, this interval helps in controlling the frequency of the ARP snapshots. This option exists independent of arw.snap.create.interval.hours, which specifies the interval for data entropy-based ARP snapshots.
The -option-value parameter accepts integers between 24 and 8760. The default value is 48.
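
The following Python sketch is an added example, not NetApp code: it checks a requested set of ARP snapshot option values against the ranges listed above before any change is made, and builds the matching vserver options commands. The function name plan_changes and the SVM name svm1 are hypothetical, options not named in the request are assumed to be at their documented defaults, and the warning about a short at-maximum interval is a check added here.

```python
# Documented ranges and defaults from the settings above: name -> (min, max, default).
# Bounds are treated as inclusive (an assumption for arw.snap.new.extns.interval.hours).
ARW_OPTIONS = {
    "arw.snap.max.count": (3, 8, 6),
    "arw.snap.create.interval.hours": (1, 48, 4),
    "arw.snap.normal.retain.interval.hours": (4, 96, 48),
    "arw.snap.max.retain.interval.days": (1, 365, 5),
    "arw.snap.create.interval.hours.post.max.count": (4, 48, 8),
    "arw.surge.snap.interval.days": (1, 365, 5),
    "arw.snap.new.extns.interval.hours": (24, 8760, 48),
}


def plan_changes(svm, desired):
    """Validate requested values; return (commands, errors, warnings)."""
    commands, errors, warnings = [], [], []
    # Assumption: options not named in `desired` are still at their defaults.
    effective = {name: spec[2] for name, spec in ARW_OPTIONS.items()}
    for name, value in desired.items():
        if name not in ARW_OPTIONS:
            errors.append(f"{name}: not a modifiable ARP snapshot option")
            continue
        low, high, _default = ARW_OPTIONS[name]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            errors.append(f"{name}: expected an integer, got {value!r}")
            continue
        if not low <= value <= high:
            errors.append(f"{name}: {value} is outside {low}..{high}")
            continue
        effective[name] = value
        commands.append(f"vserver options -vserver {svm} -option-name {name} "
                        f"-option-value {value}")
    # Added check: the at-maximum interval replaces the normal one once the
    # volume holds the maximum number of ARP snapshots.
    normal = effective["arw.snap.create.interval.hours"]
    at_max = effective["arw.snap.create.interval.hours.post.max.count"]
    if at_max < normal:
        warnings.append(f"post.max.count interval ({at_max}h) is shorter than the "
                        f"normal interval ({normal}h); snapshots rotate faster at max count")
    return commands, errors, warnings


if __name__ == "__main__":
    # Constructed request for a hypothetical SVM named svm1.
    request = {"arw.snap.max.count": 8, "arw.snap.max.retain.interval.days": 400}
    cmds, errs, warns = plan_changes("svm1", request)
    print("\n".join(cmds + errs + warns))
```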