Pause Autonomous Ransomware Protection to exclude workload events from analysis
If you are expecting unusual workload events, you can temporarily suspend and resume Autonomous Ransomware Protection (ARP) analysis at any time.
Beginning in ONTAP 9.13.1, you can enable multi-admin verification (MAV) so that two or more authenticated user admins are required to pause the ARP.
During an ARP pause, no events are logged, nor are any actions taken, for new writes. However, the analytics operation continues for earlier logs in the background.
Do not use the ARP disable function to pause analytics. Doing so disables ARP on the volume and all the existing information around learned workload behavior is lost. This would require a restart of the learning period.
You can use System Manager or the ONTAP CLI to pause ARP.
- Select Storage > Volumes and then select the volume where you want to pause ARP.
- In the Security tab of the Volumes overview, select Pause anti-ransomware in the Anti-ransomware box.
Beginning with ONTAP 9.13.1, if you are using MAV to protect your ARP settings, the pause operation prompts you to obtain the approval of one or more additional administrators. Approval must be received from all administrators associated with the MAV approval group or the operation will fail.
- Pause ARP on a volume:
  security anti-ransomware volume pause -vserver svm_name -volume vol_name
- To resume processing, use the resume command:
  security anti-ransomware volume resume -vserver svm_name -volume vol_name
- If you are using MAV (available with ARP beginning with ONTAP 9.13.1) to protect your ARP settings, the pause operation prompts you to obtain the approval of one or more additional administrators. Approval must be received from all administrators associated with the MAV approval group or the operation will fail.
If you are using MAV and an expected pause operation needs additional approvals, each MAV group approver does the following:
- Show the request:
  security multi-admin-verify request show
- Approve the request:
  security multi-admin-verify request approve -index [number returned from show request]
The response for the last group approver indicates that the volume has been modified and the state of ARP is paused.
If you are using MAV and you are a MAV group approver, you can reject a pause operation request:
  security multi-admin-verify request veto -index [number returned from show request]
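The CLI pause and resume steps above can be wrapped so that ARP is resumed whether the expected workload succeeds or fails, and so that the disable function can never be sent by mistake. This is an added example, not NetApp code; the helper names, the SSH access through ONTAP_HOST and ONTAP_USER, the DRY_RUN switch and the name allow-list are assumptions, and it assumes no MAV approval is pending for the caller.

```shell
#!/bin/sh
# Added example: run an expected unusual workload with ARP paused, then resume.
# Assumptions (not from the page): key-based SSH to the cluster management
# address in ONTAP_HOST, no MAV approval pending for the caller, and
# DRY_RUN=1 to print the CLI lines instead of sending them.

arp_cmd() {  # arp_cmd <pause|resume> <svm_name> <vol_name> -> prints one CLI line
    case "$1" in
        pause|resume) ;;
        *) echo "refusing '$1': only pause/resume keep the learned behavior" >&2
           return 2 ;;
    esac
    for name in "$2" "$3"; do   # conservative allow-list: the line goes to a remote CLI
        case "$name" in
            ''|*[!A-Za-z0-9_.-]*) echo "invalid name: $name" >&2; return 2 ;;
        esac
    done
    printf 'security anti-ransomware volume %s -vserver %s -volume %s\n' "$1" "$2" "$3"
}

ontap() {  # send one CLI line to the cluster, or print it in dry-run mode
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$1"
    else
        ssh "${ONTAP_USER:-admin}@${ONTAP_HOST:?set ONTAP_HOST}" "$1"
    fi
}

with_arp_paused() {  # with_arp_paused <svm_name> <vol_name> <job> [args...]
    [ "$#" -ge 3 ] || { echo "usage: with_arp_paused svm vol job [args]" >&2; return 2; }
    svm=$1 vol=$2; shift 2
    pause=$(arp_cmd pause "$svm" "$vol") || return
    resume=$(arp_cmd resume "$svm" "$vol") || return
    ontap "$pause" || return        # do not start the job if the pause failed
    rc=0
    "$@" || rc=$?                   # the job runs while ARP analysis is paused
    ontap "$resume" || { echo "ARP is still paused on $svm:$vol" >&2; return 1; }
    return "$rc"
}

# Usage (constructed names): with_arp_paused svm1 vol1 ./bulk_import.sh
```

Run it once with DRY_RUN=1 to review the exact CLI lines before pointing it at a cluster.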