2012-06-22 01:12 PM
I know it's best practice to use a separate VLAN for AV scanning but what if you are not able to create a new VLAN without bringing down the interface? Would it still be acceptable to have AV scanners on the same VLAN as the CIFS vfiler? I had not thought about AV scanning during the design of the Filer and now I think it would take a Takeover and reconfigure interfaces which I don't really want to do.
2012-06-22 04:48 PM
vFiler0 can work on behalf of all vFilers for antivirus. So I would use the single vfiler0 for all scanning and the vfiler will use vfiler0. you can also use each vfiler but like you said more connections (and make sure your AV vendor is ok with multiple connections from vFilers which may look like a physical controller to them).
2012-06-23 08:51 AM
scott, im curious how to configure vfiler0 to act on behalf of all other vfilers for vscan?! do i just have to "vscan on" and connect the vscan to vfiler0 and it will automaticaly do the job for all other vfilers, even if these vfilers are "vscan off"?
2012-06-23 09:06 AM
Default is the vFiler uses the scanner on vfiler0 if one is configured.
"vscan use_host_scanners" from each vFiler determines to use vfiler0 or to register itself. The default is on.
Sent from my iPhone 4S
2012-06-23 09:13 AM
The nice thing is that vfiler0 still does not have file protocol access to individual vfiler files but only can send info the av scanner... and doesn't need a network to the vfiler. So even a vFiler in a DMZ doesn't need a separate network to AV. So the best practice to create a separate VLAN can be met easier by scanning with the default vfiler0 scanner settings to all vfilers. I could see arguments either way though...it depends on each situation if the scanning should be done within the vfiler itself (turn off use_host_scanners then vscan on in the vfiler) but licensing with your vendor would need to be handled (I remember one AV vendor told me that if 50 vFilers were on the same physical controller it still would be one license... but definitely confirm that with your AV vendor if you do scan within the vfiler since that could require new licenses since each vFiler would register as a separate system...and even if the vendor doesn't charge, you still may need to apply additional host licenses they give you for the vfilers on the physical controller).