Configure encryption for ONTAP HA traffic

Contributors netapp-bhouser

Beginning with ONTAP 9.18.1, you can configure encryption for network traffic between high-availability (HA) pair nodes. This encryption protects customer data and metadata sent between nodes in an HA pair.

About this task
  • Encryption for HA traffic is disabled by default.

  • Enabling or disabling HA traffic encryption affects all HA pairs in the cluster. You cannot enable or disable encryption for individual nodes.

  • When you enable HA traffic encryption, all customer data and metadata transmitted between HA pair nodes is encrypted. Some HA traffic, such as filesystem metadata and heartbeat messages, is not encrypted.

  • When HA traffic encryption is enabled and new HA pairs are added to the cluster, you need to manually enable HA traffic encryption for the new nodes by rerunning the security ha-network modify -enabled true command.

Before you begin
  • You must be an ONTAP administrator at the admin privilege level to perform the following procedure.

  • Before enabling HA traffic encryption, you must configure external key management.

  • All nodes in the cluster must be running ONTAP 9.18.1 or later to enable HA traffic encryption.

Steps
  1. View the current encryption status for HA traffic:

    security ha-network show

    This command shows the current status of HA traffic encryption for each node:

    security ha-network show
    Node                  Enabled
    --------------------- --------------------
    node1                 true
    node2                 true
    node3                 true
    node4                 true
    4 entries were displayed.
  2. Enable or disable encryption for HA traffic:

    security ha-network modify -enabled <true|false>

    This command enables or disables encrypted HA traffic for all nodes in the cluster. When new HA pairs are added to the cluster, you will need to rerun this command to enable HA traffic encryption for the new nodes.
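
Because newly added HA pairs stay unencrypted until the modify command is rerun, the output of step 1 is worth checking automatically. The following is an added example, not NetApp code: the node5/node6 rows, the false value shown for a node without encryption, and the function name ha_unencrypted_nodes are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not NetApp code): audit saved `security ha-network show`
# output for nodes whose HA traffic encryption is not enabled.

# Constructed sample: a cluster where node5/node6 joined after encryption
# was enabled and the modify command has not been rerun yet.
SAMPLE_OUTPUT='security ha-network show
Node                  Enabled
--------------------- --------------------
node1                 true
node2                 true
node3                 true
node4                 true
node5                 false
node6                 false
6 entries were displayed.'

# Reads the command output on stdin and prints every node whose Enabled
# column is anything other than "true".
# Exit status: 0 = all nodes encrypted, 1 = at least one node is not,
#              2 = no rows parsed or row count disagrees with the footer.
ha_unencrypted_nodes() {
    awk '
        # The dashed separator marks the start of the data rows.
        /^[ \t]*-+[ \t]+-+[ \t]*$/ { in_table = 1; next }
        # Footer: remember the advertised row count to detect truncation.
        /[0-9]+ entries were displayed/ { footer = $1 + 0; seen = 1; in_table = 0; next }
        in_table && NF == 2 {
            rows++
            if ($2 != "true") { print $1; bad++ }
        }
        END {
            if (rows == 0 || (seen && footer != rows)) exit 2
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# Demo on the constructed sample: prints node5 and node6, then status 1.
printf '%s\n' "$SAMPLE_OUTPUT" | ha_unencrypted_nodes || echo "audit status: $?"
```

A non-zero status from a scheduled run is the signal to rerun security ha-network modify -enabled true and check again.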