ONTAP 9 Manuals ( CA08871-402 )

ONTAP System Manager insights

Beginning with ONTAP 9.11.1, ONTAP System Manager displays insights that help you optimize the performance and security of your system.

To view, customize, and respond to insights, refer to Gain insights to help optimize your system

Capacity insights

ONTAP System Manager can display the following insights in response to capacity conditions in your system:

Insight

Severity

Condition

Fixes

Local tiers are lacking space

Remediate risks

One or more local tiers are more than 95% full and quickly growing. Existing workloads might be unable to grow, or in extreme cases, existing workloads might run out of space and fail.

Recommended fix: Perform one of following options.

  • Clear the volume recovery queue.

  • Enable thin provisioning on thick provisioned volumes to free up trapped storage.

  • Move volumes to another local tier.

  • Delete unneeded Snapshot copies.

  • Delete unneeded directories or files in the volumes.

  • Enable Fabric Pool to tier the data to the cloud.

Applications are lacking space

Needs attention

One or more volumes are more than 95% full, but they do not have autogrow enabled.

Recommended: Enable autogrow up to 150% of current capacity.

Other options:

  • Reclaim space by deleting Snapshot copies.

  • Resize the volumes.

  • Delete directories or files.

FlexGroup volume’s capacity is imbalanced

Optimize storage

The size of the constituent volumes of one or more FlexGroup volumes has grown unevenly over time, leading to an imbalance in capacity usage. If the constituent volumes become full, write failures could occur.

Recommended: Rebalance the FlexGroup volumes.

Storage VMs are running out of capacity

Optimize storage

One or more storage VMs are near their maximum capacity. You will not babe able to provision more space for new or existing volumes if the storage VMs reach maximum capacity.

Recommended: If possible, increase the maximum capacity limit of the storage VM.

Security insights

ONTAP System Manager can display the following insights in response to conditions that might jeopardize the security of your data or your system.

Insight

Severity

Condition

Fixes

Volumes are still in anti-ransomware learning mode

Needs attention

One or more volumes have been in the anti-ransomware learning mode for 90 days.

Recommended: Enable the anti-ransomware active mode for those volumes.

Automatic deletion of Snapshot copies is enabled on volumes

Needs attention

Snapshot auto-deletion is enabled on one or more volumes.

Recommended: Disable the automatic deletion of Snapshot copies. Otherwise, in case of a ransomware attack, data recovery for these volumes might not be possible.

Volumes don’t have Snapshot policies

Needs attention

One or more volumes don’t have an adequate Snapshot policy attached to them.

Recommended: Attach a Snapshot policy to volumes that don’t have one. Otherwise, in case of a ransomware attack, data recovery for these volumes might not be possible.

Native FPolicy is not configured

Best practice

Native FPolicy is not configured on one or more NAS storage VMs.

Recommended: IMPORTANT: Blocking extensions might lead to unexpected results. Beginning in 9.11.1, you can enable native FPolicy for storage VMs, which blocks over 3000 file extensions known to be used for ransomware attacks. Configure native FPolicy in NAS storage VMs to control the file extensions that are allowed or not allowed to be written on volumes in your environment.

Telnet is enabled

Best practice

Secure Shell (SSH) should be used for secure remote access.

Recommended: Disable Telnet and use SSH for secure remote access.

Too few NTP servers are configured

Best practice

The number of servers configured for NTP is less than 3.

Recommended: Associate at least three NTP servers with the cluster. Otherwise, problems can occur with the synchronization of the cluster time.

Remote Shell (RSH) is enabled

Best practice

Secure Shell (SSH) should be used for secure remote access.

Recommended: Disable RSH and use SSH for secure remote access.

Login banner isn’t configured

Best practice

Login messages are not configured either for the cluster, for the storage VM, or for both.

Recommended: Setup the login banners for the cluster and the storage VM and enable their use.

Default admin user is not locked

Best practice

Nobody has logged in using a default administrative account (admin or diag), and these accounts are not locked.

Recommended: Lock default administrative accounts when they are not being used.

Secure Shell (SSH) is using nonsecure ciphers

Best practice

The current configuration uses nonsecure CBC ciphers.

Recommended: You should allow only secure ciphers on your web server to protect secure communication with your visitors. Remove ciphers that have names containing "cbc", such as "ais128-cbc", "aes192-cbc", "aes256-cbc", and "3des-cbc".

Global FIPS 140-2 compliance is disabled

Best practice

Global FIPS 140-2 compliance is disabled on the cluster.

Recommended: For security reasons, you should enable Global FIPS 140-2 compliant cryptography to ensure ONTAP can safely communicate with external clients or server clients.

Volumes aren’t being monitored for ransomware attacks

Needs attention

Anti-ransomware is disabled on one or more volumes.

Recommended: Enable anti-ransomware on the volumes. Otherwise, you might not notice when volumes are being threatened or under attack.

Storage VMs aren’t configured for anti-ransomware

Best practice

One or more storage VMs aren’t configured for anti-ransomware protection.

Recommended: Enable anti-ransomware on the storage VMs. Otherwise, you might not notice when storage VMs are being threatened or under attack.

Configuration insights

ONTAP System Manager can display the following insights in response to concerns about the configuration of your system.

Insight

Severity

Condition

Fixes

Cluster isn’t configured for notifications

Best practice

Email, webhooks, or an SNMP traphost is not configured to let you receive notifications about problems with the cluster.

Recommended: Configure notifications for the cluster.

Cluster isn’t configured for automatic updates.

Best practice

The cluster hasn’t been configured to receive automatic updates for the latest disk qualification package, disk firmware, shelf firmware, and SP/BMC firmware files when they are available.

Recommended: Enable this feature.

Cluster firmware isn’t up-to-date

Best practice

Your system doesn’t have the latest update to the firmware which could have improvements, security patches, or new features that help secure the cluster for better performance.

Recommended: Update the ONTAP firmware.

Top of Page