ONTAP 9 Manuals ( CA08871-402 )

Enable Autonomous Ransomware Protection by default in new volumes

Beginning with ONTAP 9.10.1, you can configure storage VMs (SVMs) such that new volumes are enabled by default for Autonomous Ransomware Protection (ARP) in learning mode.

About this task

By default, new volumes are created with ARP in disabled mode. You can modify this setting in ONTAP System Manager and with the CLI. Volumes enabled by default are set to ARP in learning (or dry-run) mode.

ARP will only be enabled on volumes created in the SVM after you have changed the setting. ARP will not be enabled on existing volumes. Learn how to enable ARP in an existing volume.

Beginning in ONTAP 9.13.1, adaptive learning has been added to ARP analytics, and the switch from learning mode to active mode is done automatically. For more information, see Learning and active modes.

Before you begin
  • The correct license must be installed for your ONTAP version.

  • The volume must be less than 100% full.

  • Junction paths must be active.

  • Beginning in ONTAP 9.13.1, it’s recommended you enable multi-admin verification (MAV) so that two or more authenticated user admins are required for anti-ransomware operations. Learn more.

Switch ARP from learning to active mode

Beginning in ONTAP 9.13.1, adaptive learning has been added to ARP analytics. The switch from learning mode to active mode is done automatically. The autonomous decision by ARP to automatically switch from learning mode to active mode is based on the configuration settings of the following options:

 -anti-ransomware-auto-switch-minimum-incoming-data-percent
 -anti-ransomware-auto-switch-duration-without-new-file-extension
 -anti-ransomware-auto-switch-minimum-learning-period
 -anti-ransomware-auto-switch-minimum-file-count
 -anti-ransomware-auto-switch-minimum-file-extension

After 30 days of learning, a volume is automatically switched to active mode even if one or more of these conditions are not satisfied. That is, if auto-switch is enabled, the volume switches to active mode after a maximum of 30 days. The maximum value of 30 days is fixed and not modifiable.

For more information on ARP configuration options, including default values, see the ONTAP command reference.

Steps

You can use ONTAP System Manager or the ONTAP CLI to enable ARP by default.

ONTAP System Manager
  1. Select Storage > Storage VMs then select the storage VM that contains volumes you want to protect with ARP.

  2. Navigate to the Settings tab. Under Security, locate the Anti-ransomware tile then select pen icon

  3. Check the box to enable ARP for NAS volumes. Check the additional box to enable ARP on all eligible NAS volumes in the storage VM.

    If you have upgraded to ONTAP 9.13.1, the Switch automatically from learning to active mode after sufficient learning setting is enabled automatically. This allows ARP to determine the optimal learning period interval and automate the switch to active mode. Turn off the setting if you want to manually transition to active mode.
CLI
  1. Modify an existing SVM to enable ARP by default in new volumes:
    vserver modify -vserver svm_name -anti-ransomware-default-volume-state dry-run

    At the CLI, you can also create a new SVM with ARP enabled by default for new volumes.
    vserver create -vserver svm_name -anti-ransomware-default-volume-state dry-run [other parameters as needed]

    If you upgraded to ONTAP 9.13.1 or later, adaptive learning is enabled so that the change to active state is done automatically. If you do not want this behavior to be automatically enabled, use the following command:

    vserver modify svm_name -anti-ransomware-auto-switch-from-learning-to-enabled false

Top of Page