
Pause Autonomous Ransomware Protection to exclude workload events from analysis

Contributors netapp-dbagwell netapp-ahibbard netapp-forry netapp-aherbin netapp-barbe

If you are expecting unusual workload events, you can temporarily suspend and resume Autonomous Ransomware Protection (ARP) analysis at any time.

Beginning in ONTAP 9.13.1, you can enable multi-admin verification (MAV) so that two or more authenticated user admins are required to pause ARP.

About this task

During an ARP pause, no events are logged and no actions are taken for new writes. However, the analytics operation continues for earlier logs in the background.

Note: Do not use the ARP disable function to pause analytics. Doing so disables ARP on the volume and all the existing information around learned workload behavior is lost. This would require a restart of the learning period.

Before you begin
  • ARP is running in learning or active mode.

Example 1. Steps
System Manager
  1. Select Storage > Volumes and then select the volume where you want to pause ARP.

  2. In the Security tab of the Volumes overview, click Pause anti-ransomware in the Anti-ransomware box.

    Note: Beginning with ONTAP 9.13.1, if you are using MAV to protect your ARP settings, the pause operation prompts you to obtain the approval of one or more additional administrators. Approval must be received from all administrators associated with the MAV approval group or the operation will fail.

CLI
  1. Pause ARP on a volume:

    security anti-ransomware volume pause -vserver svm_name -volume vol_name

  2. To resume processing, use the resume parameter.

    security anti-ransomware volume resume -vserver svm_name -volume vol_name

Beginning with ONTAP 9.13.1, if you are using MAV to protect your ARP settings, the pause operation prompts you to obtain the approval of one or more additional administrators. Approval must be received from all administrators associated with the MAV approval group or the operation will fail.

If you are using MAV and an expected pause operation needs additional approvals, each MAV group approver does the following:

  1. Show the request:

    security multi-admin-verify request show

  2. Approve the request:

    security multi-admin-verify request approve -index [number returned from show request]

    The response for the last group approver indicates that the volume has been modified and the state of ARP is paused.

If you are using MAV and you are a MAV group approver, you can reject a pause operation request:

    security multi-admin-verify request veto -index [number returned from show request]
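
Because no events are logged for new writes while ARP is paused, a pause that is never resumed leaves those writes unanalyzed. The following wrapper is an added example (not NetApp code) that brackets a maintenance job with the pause and resume commands from the CLI steps above and resumes ARP even if the job fails or is interrupted. It assumes key-based SSH to the cluster (the host name is a placeholder) and that the SSH session returns a non-zero status when ONTAP does not apply the command, for example while a MAV request is awaiting approval.

```shell
#!/bin/sh
# Added example: keep an ARP pause window as short as the job that needs it.
# Assumptions: ONTAP_SSH reaches the cluster CLI; the helper names are
# hypothetical. Only the pause/resume commands come from the procedure above.

ONTAP_SSH=${ONTAP_SSH:-"ssh admin@cluster-mgmt.example.com"}  # placeholder host

# Run one ONTAP CLI command over SSH (word splitting of ONTAP_SSH is intended).
ontap() { $ONTAP_SSH "$@"; }

# arp pause|resume <svm> <volume>
arp() { ontap security anti-ransomware volume "$1" -vserver "$2" -volume "$3"; }

# with_arp_paused <svm> <volume> <command...>
# Returns the job's exit status, 2 if the pause was not applied (job is not
# started), or 3 if the resume failed and the volume is still paused.
with_arp_paused() {
  _svm=$1; _vol=$2; shift 2

  if ! arp pause "$_svm" "$_vol"; then
    echo "ARP pause not applied on $_svm:$_vol; job not started" >&2
    return 2
  fi

  # Resume even if the operator interrupts the job.
  trap 'arp resume "$_svm" "$_vol"; exit 130' INT TERM
  _rc=0
  "$@" || _rc=$?
  trap - INT TERM

  if ! arp resume "$_svm" "$_vol"; then
    echo "ALERT: ARP is still paused on $_svm:$_vol; resume it manually" >&2
    return 3
  fi
  return "$_rc"
}

# Usage (constructed names): with_arp_paused svm_name vol_name ./bulk_rename.sh
```

Exit status 3 is the one to alert on, since it means the volume remained paused after the job finished.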