Enabling Autonomous Ransomware Protection in ONTAP: A Comprehensive Guide

With the release of ONTAP 9.10.1, NetApp introduced Autonomous Ransomware Protection (ARP), a feature designed to protect your data volumes against ransomware attacks. ARP can be applied to both new and existing volumes, adding an essential layer of security for your data.

Understanding the ARP Implementation Process

  • Initiate ARP in Learning Mode: The first step in deploying ARP is to activate it in learning mode. During this phase, ARP meticulously analyzes your system’s workload, thereby establishing a baseline for normal operational behavior. This approach is crucial in minimizing false positives once ARP transitions to active mode.
security anti-ransomware volume dry-run -volume vol_name -vserver svm_name

  • Configuring ARP on Volumes: ARP can be enabled on a newly created volume or on an existing one. For existing volumes, note that ARP's learning and active modes apply only to new data written after activation; existing data is not analyzed.

security anti-ransomware volume enable -volume vol_name -vserver svm_name

Key Considerations Before Activation

  • Prerequisites: Ensure your storage VM is set up for NFS or SMB protocols. Additionally, verify that your ONTAP version is correctly licensed and that you have a NAS workload with configured clients. The target volume should have an active junction path and must not be at full capacity.
  • Learning Mode Duration: It is advisable to allow ARP to operate in learning mode for at least 30 days. However, starting with ONTAP 9.13.1, ARP can autonomously determine the optimal learning period and may transition to active mode sooner if it deems appropriate.

If you upgraded to ONTAP 9.13.1 or later, adaptive learning is enabled, so the switch to the active state happens automatically. If you do not want this behavior, change the setting at the SVM level for all associated volumes:

vserver modify svm_name -anti-ransomware-auto-switch-from-learning-to-enabled false

  • Notification Setup: Configuring the Event Management System (EMS) for email notifications is recommended. This setup ensures you are promptly informed of any ARP activities.
  • Multi-Admin Verification (MAV): From ONTAP 9.13.1 onwards, enabling MAV is advised. This feature requires the authentication of multiple admin users for configuring ARP settings, adding an extra layer of security.

For a detailed understanding of ARP’s learning and active modes, and for information on configuring EMS notifications and MAV, refer to the respective sections in the ONTAP documentation.
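The checklist above can be turned into a small rollout planner. The following is an added example, not NetApp tooling or code from the original article: it applies the prerequisites and the 30-day learning guidance to an inventory and returns the matching command from this guide. The inventory, its field names, the state strings and the `plan` function are all assumptions made for illustration.

```python
from datetime import date

MIN_LEARNING_DAYS = 30   # learning period the article advises
TODAY = date(2024, 2, 15)  # constructed "current" date for the sample data

# Constructed inventory: field names and state strings are assumptions for
# this example, not ONTAP output.
VOLUMES = [
    {"svm": "svm1", "volume": "vol_home", "protocols": {"nfs"}, "junction": "/home",
     "used_pct": 62, "arp": "disabled", "learning_since": None},
    {"svm": "svm1", "volume": "vol_proj", "protocols": {"smb"}, "junction": "/proj",
     "used_pct": 71, "arp": "dry-run", "learning_since": date(2024, 1, 1)},
    {"svm": "svm1", "volume": "vol_new", "protocols": {"nfs"}, "junction": "/new",
     "used_pct": 40, "arp": "dry-run", "learning_since": date(2024, 2, 5)},
    {"svm": "svm2", "volume": "vol_arch", "protocols": {"nfs"}, "junction": "",
     "used_pct": 100, "arp": "disabled", "learning_since": None},
]


def plan(vol, today, auto_switch=False):
    """Return (action, detail) for one volume, following the article's checklist.

    auto_switch=True models ONTAP 9.13.1+ with adaptive learning left on.
    Licensing and client configuration still need a manual check.
    """
    blockers = []
    if not vol["protocols"] & {"nfs", "smb"}:
        blockers.append("storage VM not set up for NFS or SMB")
    if not vol["junction"]:
        blockers.append("no active junction path")
    if vol["used_pct"] >= 100:
        blockers.append("volume is full")
    if blockers:
        return ("blocked", "; ".join(blockers))

    target = f"-volume {vol['volume']} -vserver {vol['svm']}"
    if vol["arp"] == "disabled":
        return ("start-learning", f"security anti-ransomware volume dry-run {target}")
    if vol["arp"] == "dry-run":
        if auto_switch:
            return ("wait", "ONTAP switches to active mode on its own")
        days = (today - vol["learning_since"]).days
        if days < MIN_LEARNING_DAYS:
            return ("wait", f"{MIN_LEARNING_DAYS - days} more days of learning advised")
        return ("enable", f"security anti-ransomware volume enable {target}")
    return ("none", "ARP already active")


if __name__ == "__main__":
    for v in VOLUMES:
        print(v["volume"], *plan(v, today=TODAY))
```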

Author: Daniel Micanek

Senior Service Architect, SAP Platform Services Team at Tietoevry | SUSE SCA | vExpert ⭐⭐⭐⭐⭐ | vExpert NSX | VCIX-DCV/NV | VCAP-DCV/NV Design+Deploy | VCP-DCV/NV/CMA/TKO/DTM | NCIE-DP | OCP | Azure Solutions Architect | Certified Kubernetes Administrator (CKA)