Skip to main content

Switch to active mode in ONTAP ARP after a learning period

Contributors netapp-dbagwell netapp-aaron-holt
PDFs

For NAS environments, manually or automatically switch an ARP-enabled volume from learning mode to active mode. You'll need to switch modes if you are using ARP with ONTAP 9.15.1 and earlier or if your ARP is running on FlexGroup volumes.

After ARP has completed a learning mode run of a recommended minimum of 30 days you can manually switch to active mode. Beginning with ONTAP 9.13.1, ARP automatically determines the optimal learning period interval and automates the switch, which might occur before 30 days.

If you are using ARP on FlexVol volumes with ONTAP 9.16.1 or later, ARP/AI protection is enabled and becomes active automatically. No learning period is required.

Note In existing volumes, learning and active modes only apply to newly written data, not to already existing data in the volume. The existing data is not scanned and analyzed, because the characteristics of earlier normal data traffic are assumed based on the new data after the volume is enabled for ARP.

Manually switch to active mode after learning period

For ONTAP 9.10.1 to 9.15.1 and ARP with FlexGroup volumes, you can manually transition from ARP learning mode to active mode using System Manager or the ONTAP CLI after the learning period is complete.

About this task

The manual transition to active mode after a learning period described in this procedure is specific to NAS environments.

Steps

You can use System Manager or the ONTAP CLI to switch from learning mode to active mode.

System Manager

  1. Select Storage > Volumes and then select the volume that is ready for active mode.

  2. In the Security tab of the Volumes overview, select Switch to active mode in the Anti-ransomware box.

  3. You can verify the ARP state of the volume in the Anti-ransomware box.

CLI

  1. Modify the protected volume to switch to active mode if not already done automatically:

    security anti-ransomware volume enable -volume <vol_name> -vserver <svm_name>

    You can also switch to active mode with the modify volume command:

    volume modify -volume <vol_name> -vserver <svm_name> -anti-ransomware-state enabled

  2. Verify the ARP state of the volume.

    security anti-ransomware volume show

Automatic switching from learning mode to active mode

Beginning with ONTAP 9.13.1, adaptive learning has been added to ARP analytics and the switch from learning mode to active mode is done automatically. The autonomous decision by ARP to automatically switch from learning mode to active mode is based on the configuration settings of the following options:

 -anti-ransomware-auto-switch-minimum-incoming-data-percent
 -anti-ransomware-auto-switch-duration-without-new-file-extension
 -anti-ransomware-auto-switch-minimum-learning-period
 -anti-ransomware-auto-switch-minimum-file-count
 -anti-ransomware-auto-switch-minimum-file-extension

If auto-switch is enabled, the volume will switch to active mode automatically after a maximum of 30 days, even if all conditions are not met. This 30-day limit is fixed and cannot be changed.

For more information on ARP configuration options, including default values, see the ONTAP command reference.

Related information