FPolicy is required for Data Governance Edition to capture real-time security updates and to collect resource activity. In order to use FPolicy on NetApp 7-Mode managed hosts, CIFS file system protocol must be enabled.
When adding a NetApp 7-Mode managed host, you can choose to use one of the following for FPolicy deployment:
However, for NetApp Cluster Mode managed hosts, FPolicy deployment is always automatic.
When you add a NetApp managed host, an FPolicy is created if either of the following managed host settings are enabled:
When you deploy an agent, an empty FPolicy (with no monitored operations) is created by the Data Governance server (performed as the service account for the domain). When the agent starts, it registers with the FPolicy as an FPolicy Server. At the point of registration, the agent will register the operations it will monitor.
|
Note: If another agent is added to the managed host to index a separate root on the NetApp device, a new FPolicy will be created (named after the new agent ID). |
The FPolicy:
is asynchronous.
|
Note: To view all the existing FPolicies on a NetApp device, establish a Telnet or SSH connection to the filer device, log in and type the following at the OnTap command line: “fpolicy”. |
|
Note: When you remove an agent, the FPolicy is deleted. |
Data Governance Edition can be configured to connect to a pre-created FPolicy. The following steps are required to configure Data Governance Edition to use a manually created FPolicy instead of automatic deployment:
To enable CIFS FPolicy on a NetApp filer
To create FPolicy on the filer
To configure the Data Governance server and agent
Configure the Data Governance server to prevent the creation of FPolicy on the required NetApp filer:
In the Manager, deploy a NetApp managed host.
|
Note: Ensure that the registry key has been created on the server before deploying the agent. |
Locate the following configuration setting in the %Program Files%\One Identity\One Identity Manager Data Governance Edition\Agent Services\DataGovernance.Agent.exe.config file.
<"Agent">
<"Services">
<"ChangeMonitoring">
<Setting name="OverrideFPolicyName">
FPolicy deployment for NetApp Cluster Mode is always automatic and is done by the agent at run time because of the use of dynamic ports. The FPolicy will be deleted when the agent stops. You cannot specify a pre-created FPolicy.
During the configuration of the managed host:
When you add an agent, the managed host properties impact whether FPolicy is deployed, and what properties are set within the FPolicy itself:
The following events are tracked on files and folders, as well as the identities associated with those events, when real-time security updates and/or resource activity collection is enabled:
Enabling FPolicy on NetApp filers may impact system performance. Data Governance Edition uses 'async' mode and does not inspect any file data to try and minimize the performance impact. However, every event does require a round trip network request between the NetApp filer and the Data Governance agent.
To have Data Governance Edition watch for security changes, real-time security updates must be enabled. That is, select the Collect activity for real-time security updates option at the bottom of the Security Scanning page on the Managed Hosts Settings dialog for the target managed host. This will cause the FPolicy to be deployed and the security index to be updated when changes to the structure and security of the file system on the target managed host occur.
If you are using Quest Change Auditor for NetApp to monitor a filer that is also being scanned by Data Governance Edition, you have two options available.
When Change Auditor is installed, you can configure Data Governance Edition to collect resource activity directly from Change Auditor. When enabled, Change Auditor collects the selected activity events every 15 minutes on all managed hosts. The events received from Change Auditor are harvested by the Data Governance server, aggregated and placed directly into the Data Governance Resource Activity database.
When using Change Auditor to collect resource activity, NetApp managed hosts will not place an FPolicy for Data Governance Edition on the NetApp filer.
In addition, when using Change Auditor to collect resource activity, it is recommended to clear the Collect activity for real-time security updates option for NetApp managed hosts. The agents managing these host types should be configured to scan on a schedule and not run once. The performance gain in using Change Auditor's event collection will be lost if the Data Governance agent is also collecting activity from these storage devices for security updates.
For more information on configuring Data Governance Edition to collect resource activity directly from Change Auditor, see the One Identity Manager Data Governance Edition Deployment Guide.
You can use Data Governance Edition to collect resource activity; however, for NetApp 7-Mode managed hosts, you must disable real-time security monitoring. You can disable security monitoring from the Resource Activity tab of the Managed Host Settings dialog.
To disable security monitoring
|
Note: This approach has the effect of setting the NetApp FPolicy option cifs_setattr to off. You can verify this by running the following command on the NetApp filer: >fpolicy options <Agent instance> Where <Agent instance> is in the following format: DGE_<DeploymentName>_<FQDN of managed host> You will still see setattr as a monitored operation in FPolicy. |
|
Note: This will need to be done for every NetApp agent. If it is necessary to disable “Security change” due to compatibility settings with Change Auditor for NetApp, ensure the Resource Activity setting is modified prior to the start of the agent scan. |
© 2023 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy