ONTAP 9 Manuals ( CA08871-402 )

Enable Autonomous Ransomware Protection

Beginning with ONTAP 9.10.1, Autonomous Ransomware Protection (ARP) can be enabled on new or existing volumes. You first enable ARP in learning mode, in which the system analyzes the workload to characterize normal behavior. You can enable ARP on an existing volume, or you can create a new volume and enable ARP from the beginning.

About this task

You should always enable ARP initially in learning (or dry-run) mode. Beginning in active mode can lead to excessive false positive reports.

It’s recommended you let ARP run in learning mode for a minimum of 30 days. Beginning with ONTAP 9.13.1, ARP automatically determines the optimal learning period interval and automates the switch, which may occur before 30 days. For more information, see Learning and active modes.

In existing volumes, learning and active modes only apply to newly written data, not to already existing data in the volume. The existing data is not scanned and analyzed, because the characteristics of earlier normal data traffic are assumed based on the new data after the volume is enabled for ARP.
Before you begin
  • You must have a storage VM (SVM) enabled for NFS or SMB (or both).

  • The correct license must be installed for your ONTAP version.

  • You must have NAS workload with clients configured.

  • The volume you want to set ARP on needs to be protected and must have an active junction path.

  • The volume must be less than 100% full.

  • It’s recommended you configure the EMS system to send email notifications, which will include notices of ARP activity. For more information, see Configure EMS events to send email notifications.

  • Beginning in ONTAP 9.13.1, it’s recommended that you enable multi-admin verification (MAV) so that two or more authenticated user admins are required for Autonomous Ransomware Protection (ARP) configuration. For more information, see Enable multi-admin verification.

Enable ARP

You can enable ARP using ONTAP System Manager or the ONTAP CLI.

ONTAP System Manager
Steps
  1. Select Storage > Volumes, then select the volume you want to protect.

  2. In the Security tab of the Volumes overview, select Status to switch from Disabled to Enabled in learning-mode in the Anti-ransomware box.

  3. When the learning period is over, switch ARP to active mode.

    Beginning with ONTAP 9.13.1, ARP automatically determines the optimal learning period interval and automates the switch. You can disable this setting on the associated storage VM if you want to control the learning mode to active mode switch manually.
    1. Select Storage > Volumes and then select the volume that is ready for active mode.

    2. In the Security tab of the Volumes overview, select Switch to active mode in the Anti-ransomware box.

  4. You can verify the ARP state of the volume in the Anti-ransomware box.

    To display ARP status for all volumes: In the Volumes pane, select Show/Hide, then ensure that Anti-ransomware status is checked.

CLI

The process to enable ARP with the CLI differs if you are enabling it on an existing volume versus a new volume.

Enable ARP on an existing volume
  1. Modify an existing volume to enable ransomware protection in learning mode:

    security anti-ransomware volume dry-run -volume vol_name -vserver svm_name

    If you’re running ONTAP 9.13.1 or later, adaptive learning is enabled so that the change to active state is done automatically. If you do not want this behavior to be automatically enabled, change the setting at the SVM level on all associated volumes:

    vserver modify svm_name -anti-ransomware-auto-switch-from-learning-to-enabled false

  2. When the learning period is over, modify the protected volume to switch to active mode if not already done automatically:

    security anti-ransomware volume enable -volume vol_name -vserver svm_name

    You can also switch to active mode with the modify volume command:

    volume modify -volume vol_name -vserver svm_name -anti-ransomware-state active

  3. Verify the ARP state of the volume.

    security anti-ransomware volume show

Enable ARP on a new volume
  1. Create a new volume with anti-ransomware protection enabled before provisioning data.

    volume create -volume vol_name -vserver svm_name -aggregate aggr_name -size nn -anti-ransomware-state dry-run -junction-path /path_name

    If you’re running ONTAP 9.13.1 or later, adaptive learning is enabled so that the change to active state is done automatically. If you do not want this behavior to be automatically enabled, change the setting at the SVM level on all associated volumes:

    vserver modify svm_name -anti-ransomware-auto-switch-from-learning-to-enabled false

  2. When the learning period is over, modify the protected volume to switch to active mode if not already done automatically:

    security anti-ransomware volume enable -volume vol_name -vserver svm_name

    You can also switch to active mode with the modify volume command:

    volume modify -volume vol_name -vserver svm_name -anti-ransomware-state active

  3. Verify the ARP state of the volume.

    security anti-ransomware volume show

Top of Page