FPolicy Is Not Working, Files Are Not Getting Blocked

Uploaded by

Hmed Ectcs

https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/FPolicy_is_not_working_files_are_not_gettin…
Updated: Mon, 16 Dec 2024 16:14:15 GMT

Applies to
• Product Model: FAS8020-R6
• OS: Clustered Data ONTAP 8.3

Issue

FPolicy is not working. Files are not getting blocked.

Cause

Filters for the FPolicy event were not configured correctly.

Solution

The following five steps are involved while configuring FPolicy:

1. Creating the FPolicy external engine or native FPolicy

2. Creating the FPolicy event

3. Creating the FPolicy policy

4. Creating the FPolicy scope

5. Enabling the FPolicy policy

Before configuring and enabling FPolicy on a Vserver with FlexVol volumes, consider the following
requirements:

• All nodes in the cluster must be running a version of Data ONTAP that supports FPolicy.

• If you are not using the Data ONTAP native FPolicy engine, you must have external FPolicy servers
installed.

• The external FPolicy servers must be installed on a server accessible from the data LIFs of the Vserver
where FPolicy policies are enabled.

• The IP address of the external FPolicy server must be configured as primary or secondary server in the
FPolicy policy external engine configuration.

• If the external FPolicy servers access data over a privileged data channel, the following requirements must
be met:

◦ CIFS must be licensed on the cluster.

◦ Privileged data access is accomplished using SMB connections.

◦ A user credential must be configured for accessing files over the privileged data channel.

◦ The FPolicy server must run under the credentials configured in the FPolicy configuration.

◦ The IP address of the external FPolicy server must be configured as primary or secondary server in the
FPolicy policy external engine configuration.

Best Practices and Recommendations when setting up FPolicy are as follows:

When setting up FPolicy on Storage Virtual Machines (SVMs), you need to be familiar with configuration best
practices and recommendations to ensure that your FPolicy configuration provides robust monitoring
performance and results that meet your requirements.

• External FPolicy servers (FPolicy servers) should be placed in close proximity to the cluster, with
high-bandwidth connectivity, to provide minimal latency.

• The FPolicy external engine should be configured with more than one FPolicy server to provide resiliency
and high availability of FPolicy server notification processing, especially if policies are configured for
synchronous screening.

• It is recommended that you disable the FPolicy policy before making any configuration changes. For
example, if you want to add or modify an IP address in the FPolicy external engine configured for the
enabled policy, you should first disable the policy.

• The cluster node-to-FPolicy server ratio should be optimized to ensure that FPolicy servers are not
overloaded, which can introduce latencies when the SVM responds to client requests. The optimal ratio
depends on the application for which the FPolicy server is being used.

List of supported file operation and filter combinations that FPolicy can monitor for CIFS:

When you configure your FPolicy event, you need to be aware that only certain combinations of file operations
and filters are supported for monitoring CIFS file access operations.

The list of supported file operation and filter combinations for FPolicy monitoring of CIFS file access events is
provided in the following table:

First, verify whether the customer is using an external engine or the native engine for FPolicy:

Example and steps to verify when configuring native FPolicy in clustered ONTAP.

Things to be verified if native FPolicy is being used

1. Run the following command to check whether the external FPolicy engine or the native engine is
used:

2. Verify the FPolicy event details for the file-operations and filters fields. Check that the appropriate
events include the required file operations with the correct filters:
For more information on planning the event configuration, see here.

3. Check the FPolicy scope configuration to see which extensions are included and excluded for that policy
on the particular Vserver:
Verify that the same extension does not appear in both the include list and the exclude list. Verify that you
have not put the '*' symbol in the exclude list; it means that none of the extensions in the include list will be
checked. This will not give the expected results, because all files will be in the exclude list.

FPolicy will now work as expected. Try accessing the .exe files to see whether you get access denied
messages.
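
The scope check from step 3, written as a small script. This is an added example, not NetApp code: it flags a '*' in the exclude list and any extension present in both lists. The sample text, the Vserver and policy names, and the two field labels are constructed assumptions modelled on a per-policy scope listing; adjust the labels to match your own output.

```python
"""Audit an FPolicy scope for the two mistakes described in step 3."""

# Constructed sample; the labels below are assumptions, not captured output.
SAMPLE_SCOPE = """\
                   Vserver: vs1
                    Policy: block_exe
File Extensions to Include: exe, bat, mp3
File Extensions to Exclude: mp3, *
"""

INCLUDE_LABEL = "File Extensions to Include"
EXCLUDE_LABEL = "File Extensions to Exclude"


def parse_scope(text):
    """Return {label: value} for every 'label: value' line."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields


def extensions(value):
    """Split a comma-separated list; '-' or empty means 'not set'."""
    if value in ("", "-"):
        return set()
    return {e.strip().lstrip(".").lower() for e in value.split(",") if e.strip()}


def audit_scope(text):
    """Return a list of findings; an empty list means neither mistake is present."""
    fields = parse_scope(text)
    include = extensions(fields.get(INCLUDE_LABEL, "-"))
    exclude = extensions(fields.get(EXCLUDE_LABEL, "-"))
    findings = []
    if "*" in exclude:
        findings.append("exclude list contains '*': no included extension is screened")
    overlap = sorted((include & exclude) - {"*"})
    if overlap:
        findings.append("in both include and exclude lists: " + ", ".join(overlap))
    return findings


if __name__ == "__main__":
    for finding in audit_scope(SAMPLE_SCOPE):
        print("FINDING:", finding)
```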

Things to be verified if an external FPolicy engine is being used

1. Check whether the policy, Vserver, privileged user access and engine are configured correctly.

2. Check whether the correct primary IP address, Vserver and engine have been configured.

3. Check the status of the external engine and see whether the correct server is connected; if not, perform
an engine connect with the correct IP address.

4. View the extended information for the FPolicy engine in order to verify the timeout values.

5. Verify whether the correct privileged user has been configured for access. The same user should be
configured on the FPolicy server.

6. Check the FPolicy scope configuration for the external engine. It can differ according to requirements.
In this FPolicy configuration, the extension list to scan has been configured on the external server.

7. Verify the FPolicy event details for the file-operations and filters fields. Check that the appropriate
events include the required file operations with the correct filters:
For more information on planning the event configuration, see here.

Additional Information

Related Links:

• Creating the FPolicy configuration


• Planning the FPolicy Event Configuration
• How FPolicy Works
• Managing FPolicy
• External Connections

© 2023 NetApp. No part of this document covered by copyright may be reproduced in any form or by any means (graphic, electronic, or mechanical,
including photocopying, recording, taping, or storage in an electronic retrieval system) without prior written permission of the copyright owner. For more
information, see Legal Notices.
