How to configure native Fpolicy in ONTAP to block extensions

https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/How_to_configure_native_Fpolicy_in_ONTAP_…
Updated: Mon, 16 Dec 2024 11:14:51 GMT

Applies to
• ONTAP 9
• Data ONTAP 7-Mode

Description

This article describes the procedure to configure native FPolicy in ONTAP so that files with certain extensions cannot be saved: mp3, mp4, flv, wmv and some known ransomware extensions (Technical Report: The NetApp Solution for Ransomware). The configuration still allows deletion of existing files.

'NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.'
Procedure

ONTAP 9

• Perform the following steps to configure a Native Fpolicy in order to block particular file extensions.

1. Configure the Policy Event:

::> vserver fpolicy policy event create -vserver SVMNAME -event-name event1 -protocol cifs -file-operations create,open,rename
::> vserver fpolicy policy event show -vserver SVMNAME -event-name event1 -instance

                          Vserver: SVMNAME
                            Event: event1
                         Protocol: cifs
                  File Operations: create, open, rename
                          Filters: -
     Is Volume Operation Required: false

Note: If the protocol in the above command is specified as CIFS, the SVM must have a CIFS server created before FPolicy can be enabled in step 4.

2. Configure Policy:

::> vserver fpolicy policy create -vserver SVMNAME -policy-name blockext -events event1 -engine native -is-mandatory true -allow-privileged-access no -is-passthrough-read-enabled false
::> vserver fpolicy policy show -vserver SVMNAME -instance

                          Vserver: SVMNAME
                           Policy: blockext
                Events to Monitor: event1
                   FPolicy Engine: native
    Is Mandatory Screening Required: true
          Allow Privileged Access: no
    User Name for Privileged Access: -
       Is Passthrough Read Enabled: false

© 2023 NetApp.No part of this document covered by copyright may be reproduced in any form or by any means—graphic, electronic, or mechanical,
including photocopying, recording, taping, or storage in an electronic retrieval system—without prior written permission of the copyright owner. For more
information, see Legal Notices. 2
3. Configure Policy Scope:

::> vserver fpolicy policy scope create -vserver SVMNAME -policy-name blockext -file-extensions-to-include mp3,mp4,flv,wmv,locky -shares-to-include "*"
::> vserver fpolicy policy scope show -vserver SVMNAME -instance

                          Vserver: SVMNAME
                           Policy: blockext
                Shares to Include: *
                Shares to Exclude: -
               Volumes to Include: -
               Volumes to Exclude: -
       Export Policies to Include: -
       Export Policies to Exclude: -
       File Extensions to Include: mp3, mp4, flv, wmv, locky
       File Extensions to Exclude: -

Note: Only file extensions are matched, not file names (e.g. for filename.ext, all files with the .ext extension get blocked, not just that one file).

4. Enable Policy:

::> vserver fpolicy enable -vserver SVMNAME -policy-name blockext -sequence-number 1
::> vserver fpolicy show -vserver SVMNAME

                                  Sequence
Vserver       Policy Name         Number   Status   Engine
------------- ------------------- -------- -------- ---------
SVMNAME       blockext            1        on       native

::*> event log show -time > 2m

Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
3/27/2017 10:35:34  NODE-01          INFORMATIONAL mgmt.fpolicy.policy.enabled: FPolicy policy blockext is enabled on Vserver SVMNAME.

• From ONTAP 9.1+, FPolicy is not applied to files or directories with an extension longer than 16 characters; see 1019880.
  ◦ After the fix, the maximum length of a file extension is 256 characters, and there is no limit on the number of extensions.
  ◦ The dot character (.) is not supported in a file extension.
  ◦ To ensure that directory access succeeds while using the native engine, set the '-is-file-extension-check-on-directories-enabled' parameter to 'true' in the scope of the policy, as per the provided instruction.
• From ONTAP 9.3+ (CONTAP-26863), this value defaults to TRUE.
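The screening decision that the ONTAP 9 configuration above (and the equivalent 7-Mode commands below) encodes, as an added Python model that is not NetApp code and not part of the original article: it checks a requested file operation against the event (cifs create/open/rename), the scope's share pattern and extension lists, matching on the extension only as the step 3 note describes, and it validates a candidate extension list against the dot and length constraints listed above. The policy values are the article's; path splitting, case-insensitive comparison and the sample requests are assumptions constructed for the example.

```python
import fnmatch
from dataclasses import dataclass

# Constructed model of the article's native FPolicy setup (not NetApp code):
# event1 = cifs create/open/rename, scope = shares "*", extensions mp3,mp4,flv,wmv,locky.
# The directory-check option is not modelled here.

MAX_EXT_LEN = 256  # limit after the fix for 1019880; 16 on unfixed ONTAP 9.1


def validate_extensions(exts, max_len=MAX_EXT_LEN):
    """Return the problems found in a -file-extensions-to-include list, per the article's notes."""
    problems = []
    for ext in exts:
        if not ext:
            problems.append("empty extension")
        elif "." in ext:
            problems.append(f"{ext!r}: dot character is not supported in an extension")
        elif len(ext) > max_len:
            problems.append(f"{ext!r}: longer than {max_len} characters")
    return problems


def extension_of(path):
    """Extension of the last path component, or '' if it has none (assumption: last dot wins)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""


@dataclass(frozen=True)
class NativePolicy:
    file_operations: frozenset = frozenset({"create", "open", "rename"})
    protocol: str = "cifs"
    shares_to_include: tuple = ("*",)
    exts_to_include: frozenset = frozenset({"mp3", "mp4", "flv", "wmv", "locky"})
    exts_to_exclude: frozenset = frozenset()

    def blocks(self, operation, protocol, share, path):
        """True when the native engine would deny this request under the article's configuration."""
        if protocol != self.protocol or operation not in self.file_operations:
            return False  # delete is not monitored, so existing files can still be removed
        if not any(fnmatch.fnmatchcase(share, pat) for pat in self.shares_to_include):
            return False  # share outside the scope
        ext = extension_of(path).lower()  # assumption: CIFS names compared case-insensitively
        if ext in {e.lower() for e in self.exts_to_exclude}:
            return False
        return ext in {e.lower() for e in self.exts_to_include}  # extension only, never the name


if __name__ == "__main__":
    policy = NativePolicy()
    for op, path in [("create", "music\\song.mp3"), ("rename", "invoice.pdf.locky"),
                     ("open", "report.docx"), ("delete", "old.mp4")]:
        print(op, path, "-> BLOCKED" if policy.blocks(op, "cifs", "data", path) else "-> allowed")
```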

7-Mode:

• Run the commands against the desired vFiler: vfiler context <vfilername>

fpolicy create blockext screen
fpolicy extension include set blockext mp3,mp4,flv,wmv,locky
fpolicy monitor set blockext -p cifs create,open,rename
fpolicy options blockext required on
fpolicy enable blockext

• There is a GUI provided by NetApp partner SnapGuard

Additional Information

ONTAP 9 / Clustered Data ONTAP 8:

• Technical Report: The NetApp Solution for Ransomware
• Clustered Data ONTAP 8.3 CIFS and NFS Auditing Guide
• FPolicy is not working, files are not getting blocked

7-Mode:

• Using fpolicy

• Configuring native file blocking