ONTAP 9 Manuals ( CA08871-402 )

What the steps for setting up an FPolicy configuration are

Before FPolicy can monitor file access, an FPolicy configuration must be created and enabled on the storage virtual machine (SVM) for which FPolicy services are required.

The steps for setting up and enabling an FPolicy configuration on the SVM are as follows:

  1. Create an FPolicy external engine.

    The FPolicy external engine identifies the external FPolicy servers (FPolicy servers) that are associated with a specific FPolicy configuration. If the internal “native” FPolicy engine is used to create a native file-blocking configuration, you do not need to create an FPolicy external engine.

    Beginning with ONTAP 9.15.1, you can use the protobuf engine format. When set to protobuf, the notification messages are encoded in binary form using Google Protobuf. Before setting the engine format to protobuf, ensure that the FPolicy server also supports protobuf deserialization. For more information, see Plan the FPolicy external engine configuration

  2. Create an FPolicy event.

    An FPolicy event describes what the FPolicy policy should monitor. Events consist of the protocols and file operations to monitor, and can contain a list of filters. Events use filters to narrow the list of monitored events for which the FPolicy external engine must send notifications. Events also specify whether the policy monitors volume operations.

  3. Create an FPolicy persistent store (optional).

    Beginning with ONTAP 9.14.1, FPolicy allows you to set up persistent stores to capture file access events for asynchronous non-mandatory policies in the SVM. Synchronous (either mandatory or non-mandatory) and asynchronous mandatory configurations are not supported.

    Persistent stores can help decouple client I/O processing from FPolicy notification processing to reduce client latency.

    Beginning with ONTAP 9.15.1, FPolicy persistent store configuration is simplified. The persistent-store-create command automates volume creation for the SVM and configures the volume for the persistent store.

  4. Create an FPolicy policy.

    The FPolicy policy is responsible for associating, with the appropriate scope, the set of events that need to be monitored and for which of the monitored events notifications must be sent to the designated FPolicy server (or to the native engine if no FPolicy servers are configured). The policy also defines whether the FPolicy server is allowed privileged access to the data for which it receives notifications. An FPolicy server needs privileged access if the server needs to access the data. Typical use cases where privileged access is needed include file blocking, quota management, and hierarchical storage management. The policy is where you specify whether the configuration for this policy uses an FPolicy server or the internal “native” FPolicy server.

    A policy specifies whether screening is mandatory. If screening is mandatory and all FPolicy servers are down or no response is received from the FPolicy servers within a defined timeout period, then file access is denied.

    A policy’s boundaries are the SVM. A policy cannot apply to more than one SVM. However, a specific SVM can have multiple FPolicy policies, each with the same or different combination of scope, event, and external server configurations.

  5. Configure the policy scope.

    The FPolicy scope determines which volumes, shares, or export-policies the policy acts on or excludes from monitoring. A scope also determines which file extensions should be included or excluded from FPolicy monitoring.

    Exclude lists take precedence over include lists.

  6. Enable the FPolicy policy.

    When the policy is enabled, the control channels and, optionally, the privileged data channels are connected. The FPolicy process on the nodes on which the SVM participates begin monitoring file and folder access and, for events that match configured criteria, sends notifications to the FPolicy servers (or to the native engine if no FPolicy servers are configured).

If the policy uses native file blocking, an external engine is not configured or associated with the policy.

Top of Page