(C) Schilder IT Consultancy
1.1 cDOT Antivirus implementation overview
The off-box antivirus feature provides virus-scanning support to the NetApp clustered Data ONTAP operating system. In this architecture, virus scanning is performed by external servers that host antivirus software from third-party vendors. This feature offers antivirus functionality that is similar to the functionality currently available in Data ONTAP operating in 7-Mode.
The off-box antivirus feature provides two modes of scanning:
· On-access scanning. Triggers in-band notifications to the external virus-scanning servers during file operations such as open, close, rename, and write. Because these notifications are in-band, the client's file operation is suspended until the scan status is reported back by the virus-scanning server, a Windows Server instance referred to as the Vscan server.
· On-demand scanning. Introduced in ONTAP 9, this feature enables AV scanning whenever required on files/folders in a specific path through a scheduled job. It leverages the existing AV servers configured for on-access AV scanning to run the scanning job. The on-demand job updates the “scan status” of the files and reduces an additional scan on the same files when accessed next unless the files are modified. It can be used to scan volumes that cannot be configured for on-access scanning, such as NFS exports.
1.2 Components of Vscan Server
Antivirus Software
The antivirus software is installed and configured on the Vscan server to scan files for viruses or other malicious data. The antivirus software must be compliant with clustered Data ONTAP. You must specify the remedial actions to be taken on infected files in the configuration of the antivirus software.
Antivirus Connector
Antivirus Connector is installed on the Vscan server to process scan requests and provide communication between the antivirus software and the storage virtual machines (SVMs; formerly called Vservers) in the storage system running clustered Data ONTAP.
Figure 1) Antivirus solution architecture.
1.3 Components of System Running Clustered Data ONTAP
Scanner Pool
A scanner pool is used to validate and manage the connection between the Vscan servers and the SVMs. You can create a scanner pool for an SVM to define the list of Vscan servers and privileged users that can access and connect to that SVM and to specify a timeout period for scan requests. If the response to a scan request is not received within the timeout period, file access is denied in mandatory scan cases.
Scanner Policy
A scanner policy defines when the scanner pool is active. A Vscan server is allowed to connect to an SVM only if its IP address and privileged user are part of the active scanner pool list for that SVM.
Note: All scanner policies are system defined; you cannot create a customized scanner policy.
A scanner policy can have one of the following values:
· Primary. Makes the scanner pool always active.
· Secondary. Makes the scanner pool active only when none of the primary Vscan servers is connected.
· Idle. Makes the scanner pool always inactive.
On-Access Policy
An on-access policy defines the scope for scanning files when they are accessed by a client. You can specify the maximum file size for files to be considered for virus scanning and file extensions and file paths to be excluded from scanning. You can also choose from the available set of filters to define the scope of scanning.
On-Demand Task
The on-demand scan, introduced in ONTAP 9, runs the AV scanning job on files/folders in a specific path through a scheduled job whenever required. It leverages the existing AV servers configured for on-access AV scanning to run the scanning job.
Vscan File-Operations Profile
The Vscan file-operations profile parameter (-vscan-fileop-profile) defines which file operations on the CIFS share can trigger virus scanning. You must configure this parameter when you create or modify a CIFS share.
1.1 Implementation workflow
Figure 2) workflow
1.2 One-time preparations
Create an AntiVirus AD service account
This service account will be used as
· the McAfee Scan Engine service Account (optional)
· the Privileged Account on the Scanner-Pool
· the service account for the AV-Connector on the AV server
Create the account on the cluster for the AV connector
The AV Connector connects to the cluster management interface to read the LIFs that are active within the Storage Virtual Machine (SVM). This account can be an AD account or a local account.
For an AD account, an AD tunnel must be active.
Step 1: Create the security role with read-only rights on network interface:
::> security login role create -vserver cluster -role network-readonly -cmddirname "network interface" -access readonly
Step 2: Create the security account with this role:
cluster1::> security login create -vserver cluster1 -username avconnect -application ontapi -authmethod password -role network-readonly
1.3 Configure the McAfee Vscan servers
On all Vscan servers, install McAfee VirusScan Enterprise for Storage and the Clustered Data ONTAP Antivirus Connector 1.0.3. Both can be downloaded from the NetApp MySupport website.
Note: If in doubt about which versions are supported, check the NetApp Support Matrix at http://mysupport.netapp.com/matrix
Antivirus Connector has the following system requirements:
It must be installed on one of the following Windows platforms:
· Windows Server 2012 R2
· Windows Server 2012
· Windows Server 2008 R2
· Windows Server 2008
Note: You can install different versions of the Windows platform on different Vscan servers scanning the same SVM.
Note: You must enable SMB 2.0 on the Windows Server instance (Vscan server) on which you install and run Antivirus Connector.
.NET 3.0 or later must be enabled on Windows Server.
After installing the Clustered Data ONTAP Antivirus Connector, open the shortcut and add the cluster management IP of the cluster and the local account that was created on the cluster with network read-only rights.
Note: Don't forget to update and save the changes in the console.
1.4 Configuring Vscan Options in Clustered Data ONTAP
After you set up the Vscan servers, you must configure scanner pools and on-access policies on the storage system running clustered Data ONTAP. You must also configure the Vscan file-operations profile parameter (-vscan-fileop-profile) before you enable virus scanning on an SVM.
Note: You must have completed the CIFS configuration before you begin to configure virus scanning.
The vscan-fileop-profile can be changed per CIFS share and defaults to standard:
::> vserver cifs share modify -vserver <svm> -share-name <share> -vscan-fileop-profile {no-scan|standard|strict|writes-only}
Table 1) Types of file-operations profiles.
Profile Type   File Operations That Trigger Scanning
no_scan        None
standard       Open, close, and rename
strict         Open, read, close, and rename
writes_only    Close (only for newly created
Create Scanner Pool
You must create a scanner pool for an SVM or a cluster to define the list of Vscan servers and privileged users that are allowed to access and connect to that SVM or cluster:
· You can create a scanner pool for an individual SVM or for a cluster.
· A scanner pool that you create for a cluster is available to all SVMs within that cluster. However, you must apply the scanner policy individually to each SVM within the cluster.
· You can create a maximum of 20 scanner pools per SVM.
· You can include a maximum of 100 Vscan servers and privileged users in a scanner pool.
vscan scanner-pool create -vserver vservername -scanner-pool SP1 -servers 10.*.*.*,10.*.*.* -privileged-users domain\serviceaccount
Note: For the privileged user, use the syntax "domain\serviceaccount" rather than "fqdn.nl\serviceaccount".
Create Vscan Policy
A Vscan policy must be created to define the scope within which Vscan acts. Vscan can be used in two ways, and each has its own kind of policy:
· On-access policy
· On-demand policy
On-Access Policy
You must create an on-access policy for an SVM or for a cluster to define the scope of virus scanning. In the policy, you can specify the maximum file size for files to be considered for scanning and the file extensions and file paths to exclude from scanning.
You can create an on-access policy for an individual SVM or for a cluster. The on-access policy created for the cluster is available to all SVMs within that cluster. However, you must enable the on-access policy individually on each SVM within the cluster.
To create an on-access policy, complete the following step:
Run the vserver vscan on-access-policy create command.
Note: Check the best practices for the recommended exclusions. Setting the scan-mandatory filter to off means that if the AV servers cannot be contacted, access to the files is still granted.
This example shows how to create an on-access policy named av-policy on the SVM:
::> vserver vscan on-access-policy create -vserver fi1003470 -policy-name av-policy -filters scan-mandatory off -max-file-size 2GB -file-ext-to-exclude "dwl","dwl2","ldb","ndf","pst","tmp","trn","vhd","vmdk"
Once the policy is created, apply it to the scanner pool of the SVM:
::>vserver vscan scanner-pool apply-policy -vserver fi* -scanner-pool sp-01 -scan-policy av-policy
Disable the default policy and enable the newly created one:
::>vscan on-access-policy disable -vserver fi* -policy-name default_CIFS
::>vscan on-access-policy enable -vserver fi* -policy-name av-policy
Apply Scanner Policy to Scanner Pool
You must apply a scanner policy to every scanner pool defined on an SVM. The scanner policy defines when the scanner pool is active. A Vscan server is allowed to connect to the SVM only if the IP address and privileged user of the Vscan server are part of the active scanner pool list for that SVM.
You can apply only one scanner policy per scanner pool at a time. By default, the scanner policy has the value idle. Scanner policies can have two other values, primary and secondary. The primary policy always takes effect, whereas the secondary policy takes effect only if the primary policy fails.
vserver vscan scanner-pool apply-policy -vserver svm-test -scanner-pool SP1 -scanner-policy primary
Enable Vscan on the SVM
Once everything is set up correctly, enable Vscan for the SVM:
::> vscan enable -vserver svm1
Check if the AV-servers are connected correctly to the SVM :
::vserver vscan connection-status> show-all
                                              Connection
Vserver     Node              Server          Status         Disconnect Reason
----------- ----------------- --------------- -------------- -----------------
svm-fsct    fi1003470-01      10.40.3.138     disconnected   -
svm-fsct    fi1003470-02      10.40.3.138     disconnected   -
If none are connected, restart both services on the scan server (McAfee VirusScan Enterprise for Storage and the ONTAP AV Connector). If restarting the services is not possible, reboot the server.
Check again after the restart of the services:
::vserver vscan connection-status> show-all
                                              Connection
Vserver     Node              Server          Status         Disconnect Reason
----------- ----------------- --------------- -------------- -----------------
svm-fsct    node-01           10.40.3.138     connected      -
svm-fsct    node-02           10.40.3.138     connected      -
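As an added example (not part of this guide or of NetApp's tooling), the following Python parses show-all output like the above and lists every node that has no connected Vscan server at all, which is the condition that leaves files on that node either denied or served unscanned. The sample output is constructed in the guide's layout.

```python
from collections import defaultdict

# Constructed sample of "vserver vscan connection-status show-all" output,
# laid out like the guide's screen capture (not taken from a real cluster).
SHOW_ALL_OUTPUT = """\
                                              Connection
Vserver     Node              Server          Status         Disconnect Reason
----------- ----------------- --------------- -------------- -----------------
svm-fsct    node-01           10.40.3.138     connected      -
svm-fsct    node-02           10.40.3.138     disconnected   -
svm-fin     node-01           10.40.3.139     disconnected   -
svm-fin     node-02           10.40.3.139     connected      -
svm-fin     node-02           10.40.3.140     disconnected   -
"""


def parse_connection_status(text):
    """Parse show-all rows into {(vserver, node): {server: status}}.

    The header, the separator and the wrapped "Connection" header fragment
    are skipped; the free-text disconnect reason is kept as a single field
    so spaces inside it cannot shift the other columns.
    """
    rows = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4 or parts[0] in ("Vserver", "Connection") or parts[0].startswith("-"):
            continue
        vserver, node, server, status = parts[:4]
        rows[(vserver, node)][server] = status
    return rows


def nodes_without_scanner(rows):
    """Return (vserver, node) pairs where no Vscan server is connected.

    On such a node on-access scans cannot be serviced: with scan-mandatory
    set, clients are denied; without it, files are handed out unscanned.
    """
    return sorted(key for key, servers in rows.items()
                  if "connected" not in servers.values())
```

A node with one connected and one disconnected server (svm-fin/node-02 in the sample) is not reported, because scanning on that node still works.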
2 Monitoring
Vscan statistics can be viewed in several ways. The easiest is vscan connection-status.
In diag mode you can look at the extended stats to see the number of scans each server has done for each SVM:
::> set diag
Warning: These diagnostic commands are for use by NetApp personnel only.
Do you want to continue? {y|n}: y
::*> vserver vscan connection-status show-extended-stats
Connection
Vserver Node Server Status Extended Stats
----------- ----------------- --------------- -------------- -----------------
svm-fsct ntapcl-prod-dcr- 10.254.146.111 connected ts=18:31:59 sep 04,2014
01 scans=sent:2,compok:2,comperr:0,compnotfnd:0,ms/comp:155
avshim-version=1.0.1.0
mempage/s=0, procs=44, threads=683, %cpu=0.05, procqlen=0, diskio/s=1, smbbytes/s=0,
ifmac=00:50:56:AF:2E:9B [VMware], tcpstat=retrans:411,connfail:217,connreset:115,inerr:0
cfg=Host Name:NETAPPPOCDCR11
OS Name:Microsoft Windows Server 2012 R2 Standard
OS Version:6.3.9600 N/A Build 9600
System Boot Time:4-9-2014, 17:00:17
System Manufacturer:VMware, Inc.
System Model:VMware Virtual Platform
System Type:x64-based PC
If you need more statistics regarding scan latency you can create a statistics sample.
::>statistics start -sample-id vscan -object offbox_vscan
::>statistics show -sample-id vscan -vserver vs0
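To turn the extended stats above into something that can be trended, here is an added example (not from the guide, NetApp or McAfee) that parses the scans= and tcpstat= counter groups and flags values that tend to precede client-visible CIFS delays. The 40 s scan-engine timeout is the value this guide sets on the McAfee scanner; the 2 % error ceiling and the 50 % latency headroom are assumed thresholds, and the stats blob is constructed.

```python
import re

# Constructed "Extended Stats" blob following the field layout of the
# show-extended-stats output above (not captured from a real Vscan server).
EXTENDED_STATS = """\
ts=18:31:59 sep 04,2014
scans=sent:2500,compok:2380,comperr:95,compnotfnd:25,ms/comp:21500
avshim-version=1.0.1.0
mempage/s=0, procs=44, threads=683, %cpu=0.05, procqlen=0, diskio/s=1, smbbytes/s=0,
ifmac=00:50:56:AF:2E:9B [VMware], tcpstat=retrans:411,connfail:217,connreset:115,inerr:0
"""


def parse_counters(blob, group):
    """Return the 'group=key:val,key:val,...' counters of the blob as a dict of ints."""
    match = re.search(rf"\b{re.escape(group)}=([\w/]+:\d+(?:,[\w/]+:\d+)*)", blob)
    if not match:
        return {}
    return {key: int(val) for key, val in
            (item.split(":") for item in match.group(1).split(","))}


def assess_scan_health(blob, scan_engine_timeout_s=40, max_error_ratio=0.02):
    """Flag counter values that tend to precede client-visible CIFS delays.

    scan_engine_timeout_s is the 40 s this guide configures on the McAfee
    scanner; max_error_ratio and the half-timeout latency check are assumed
    thresholds, not NetApp or McAfee recommendations.
    """
    scans = parse_counters(blob, "scans")
    tcp = parse_counters(blob, "tcpstat")
    findings = []
    completed = sum(scans.get(k, 0) for k in ("compok", "comperr", "compnotfnd"))
    if completed:
        ratio = scans.get("comperr", 0) / completed
        if ratio > max_error_ratio:
            findings.append(f"scan error ratio {ratio:.1%} exceeds {max_error_ratio:.0%}")
    # ms/comp is the average time per completed scan; the CIFS client waits that long.
    if scans.get("ms/comp", 0) > scan_engine_timeout_s * 1000 // 2:
        findings.append(f"{scans['ms/comp']} ms per scan is over half the engine timeout")
    # tcpstat counters are cumulative for the Windows host; failures or resets
    # on a dedicated AV VLAN point at the network rather than the scanner.
    if tcp.get("connfail", 0) or tcp.get("connreset", 0):
        findings.append(f"tcp: {tcp.get('connfail', 0)} connect failures, "
                        f"{tcp.get('connreset', 0)} resets")
    return findings
```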
Note: Don’t forget to stop the sample once finished.
3 General Best Practices
Consider the following recommendations for configuring the off-box antivirus functionality in clustered Data ONTAP:
· Restrict privileged users to virus-scanning operations. Normal users should be discouraged from using privileged user credentials. This restriction can be achieved by turning off login rights for privileged users on Active Directory.
· Privileged users are not required to be part of any user group that has a large number of rights in the domain, such as the administrators group or the backup operators group. Privileged users must be validated only by the storage system so that they are allowed to create Vscan server connections and access files for virus scanning.
· Use the computers running Vscan servers only for virus-scanning purposes. To discourage general use, disable the Windows terminal services and other remote access provisions on these machines and grant the right to install new software on these machines only to administrators.
· Dedicate Vscan servers to virus scanning and do not use them for other operations, such as backups. You may decide to run the Vscan server as a virtual machine (VM). If this is the case, make sure that the resources allocated to the VM are not shared and are enough to perform virus scanning. Consult McAfee for guidance on antivirus engine requirements.
· Provide adequate CPU, memory, and disk capacity to the Vscan server to avoid resource bottlenecks. Most Vscan servers are designed to use multiple CPU core servers and to distribute the load across the CPUs. Consult McAfee for guidance on antivirus engine requirements.
· NetApp recommends using a dedicated network with a private VLAN for the connection from the SVM to the Vscan server so that the scan traffic is not affected by other client network traffic. Create a separate NIC that is dedicated to the antivirus VLAN on the Vscan server and to the data LIF on the SVM. This step simplifies administration and troubleshooting if network issues arise.
· The AV traffic should be segregated using a private network. The AV server should be configured to communicate with the domain controller (DC) and clustered Data ONTAP in one of the following ways:
o The DC should communicate to the AV servers through the private network that is used to segregate the traffic.
o The DC and AV server should communicate through a different network (not the private network mentioned previously), which is not the same as the CIFS client network.
· Connect the NetApp storage system and the Vscan server by using at least a 1GbE network.
· For an environment with multiple Vscan servers, connect all servers that have similar high-performing network connections. Connecting the Vscan servers improves performance by allowing load sharing.
· Use multiple Vscan servers to scan the data on the SVM for load-balancing and redundancy purposes. The amount of CIFS workload and resulting antivirus traffic vary per SVM. Monitor CIFS and virus-scanning latencies on the storage controller. Trend the results over time. If CIFS latencies and virus-scanning latencies increase due to CPU or application bottlenecks on the Vscan servers beyond trend thresholds, CIFS clients might experience long wait times. Add additional Vscan servers to distribute the load.
· The AV software policy for infected files should be set to delete or quarantine, which is the default value set by most AV vendors. If the vscan-fileop-profile is set to writes_only and an infected file is found, the file remains in the share and can be opened, because opening a file does not trigger a scan; the scan is triggered only after the file is closed.
· The scan-engine timeout value should always be less than the scanner-pool request-timeout value. If it is set to a higher value, access to files might be delayed and may eventually time out.
· To avoid this, configure the scan-engine timeout to 5 seconds less than the scanner-pool request-timeout value. See the scan engine vendor's documentation for instructions on changing the scan-engine timeout. The scanner-pool timeout can be changed in advanced mode by providing the appropriate value for the request-timeout parameter of the following command: vserver vscan scanner-pool modify
On the AV server, open the McAfee VirusScan console and open the properties of the Network Appliance Filer AV Scanner. Adapt the maximum scan time; for EWZ this is set to 40 seconds:
Best Practices for VirusScan Enterprise for Storage
Consider the following recommendations for configuring VirusScan Enterprise for Storage:
· Scan timeout value. The default timeout value for scanning files is 60 seconds. Adjust this value to 40 seconds so that scan requests can be completed before the CIFS timeout.
· DAT definitions. McAfee recommends scheduling a daily automatic update task to receive the daily DAT (signature) file release.
· Scan exclusions. McAfee recommends excluding the following common file types from virus scanning:
o Database files: .ldb .pst .tmp .mdb .nsf
o Archives and large files: .7z .tar .cab .tgz .iso .vhd .jar .vmdk .rar .zip
References
The following references were used in this TR:
· Antivirus Solution Guide for Clustered Data ONTAP: McAfee
www.netapp.com/us/media/tr-4286.pdf