ONTAP Discussions

Native Policy blocking access to entire cifs share instead of specific file extensions

ericknoleto

Hi all.

I think it's the first time I post here, I don't know.

I moved my CIFS shares to another system I manage, one that runs ONTAP 9.1P7 in C-Mode. Applying the native FPolicy I used on the 7-Mode system has been a pain...

My objective is to create an FPolicy that blocks reading and writing (creation) of media files in some of my shares. Here's what I did:

 

1. Created the events on the SVM. Command to check them:

fpolicy policy event show -vserver CIFS_01 -event-name *

                 Event                                        File         Is Volume
Vserver          Name         Protocols   Operations          Filters      Operation
---------------- ------------ ----------- ------------------- ------------ ------------
CIFS_01          create       cifs        create, write,      -            false
                                          rename
CIFS_01          read         cifs        read, open          -            false
2 entries were displayed.



2. Created the scope. Command to check it:

scope show -vserver CIFS_01 -policy-name restricted_file_type
(vserver fpolicy policy scope show)

Vserver: CIFS_01
Policy: restricted_file_type
Shares to Include: compartilhados, grupos, programas
Shares to Exclude: -
Volumes to Include: -
Volumes to Exclude: -
Export Policies to Include: -
Export Policies to Exclude: -
File Extensions to Include: 3G2, 3GP, AIF, ASX, AVI, DIVX, FLV, IFF, M3U, M4A, MOV, MP3, MP4, MPA, MPG, PIF, RA, RM, RMB, SWF, VOB, WMA, WMV
File Extensions to Exclude: -
Is File Extension Check on Directories Enabled: false
Is Monitoring of Objects with No Extension Enabled: false


3. Just to be sure, here's my share list. Command to check it:

share show -vserver CIFS_01 -fields share-name
(vserver cifs share show)
vserver share-name
------- ----------
CIFS_01 admin$
CIFS_01 arquivo_ascom
CIFS_01 c$
CIFS_01 cifs_audio_turmas$
CIFS_01 compartilhados
CIFS_01 grupos
CIFS_01 ipc$
CIFS_01 midia_ascom
CIFS_01 programas
CIFS_01 publico
CIFS_01 root$
CIFS_01 share_logs$
CIFS_01 usuarios
13 entries were displayed.


4. And here's the policy. Command to check it:

policy show -vserver CIFS_01 -policy-name restricted_file_type -instance

Vserver: CIFS_01
Policy: restricted_file_type
Events to Monitor: create, read
FPolicy Engine: native
Is Mandatory Screening Required: true
Allow Privileged Access: yes
User Name for Privileged Access: TRT18\Administrator
Is Passthrough Read Enabled: false


So far... If I understood how FPolicy works in C-Mode, it should block only those file extensions on the included shares (compartilhados, grupos, programas), right?
Well, when I activate the policy with that command (enable -vserver CIFS_01 -policy-name restricted_file_type -sequence-number 1), I lose access to these shares completely. I can't even browse these three shares (compartilhados, grupos, programas), while the other shares I can access without problems.

Am I doing anything wrong? Can anyone lend a hand?
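To make the intent behind the configuration above explicit, here is a small model of how the poster expects the native FPolicy scope to be evaluated for a single CIFS request. This is an added example written for this thread, not ONTAP's own code or NetApp's documented algorithm: the share names, event definitions and extension list are copied from the post, while the sample requests, the case-insensitive extension match and the evaluation order (monitored operation, then share, then directory flag, then extension) are assumptions of the model.

```python
"""Model of how the poster expects the native FPolicy scope to be applied.

Added illustration for this thread: not ONTAP code and not NetApp's
documented algorithm. Share names, event definitions and the extension
list are copied from the post; the sample requests and the evaluation
order are constructed assumptions.
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    shares_to_include: frozenset
    file_extensions_to_include: frozenset
    extension_check_on_directories: bool = False    # "Is File Extension Check on Directories Enabled"
    monitor_objects_with_no_extension: bool = False  # "Is Monitoring of Objects with No Extension Enabled"


@dataclass
class Policy:
    name: str
    events: dict   # event name -> frozenset of monitored file operations
    scope: Scope


# Values taken from the post (policy restricted_file_type on vserver CIFS_01).
POLICY = Policy(
    name="restricted_file_type",
    events={
        "create": frozenset({"create", "write", "rename"}),
        "read": frozenset({"read", "open"}),
    },
    scope=Scope(
        shares_to_include=frozenset({"compartilhados", "grupos", "programas"}),
        file_extensions_to_include=frozenset(
            "3G2 3GP AIF ASX AVI DIVX FLV IFF M3U M4A MOV MP3 MP4 MPA MPG "
            "PIF RA RM RMB SWF VOB WMA WMV".split()
        ),
    ),
)


def extension_of(path):
    """Upper-case extension without the dot, or '' when there is none.
    Upper-casing is the model's assumption so 'song.mp3' matches the list's 'MP3'."""
    return os.path.splitext(path)[1].lstrip(".").upper()


def screen(policy, share, path, operation, is_directory=False):
    """Decide whether one CIFS request should be denied under the intended rules.

    Returns (blocked, reason). The evaluation order is the model's assumption:
    monitored operation -> share in scope -> directory flag -> extension.
    """
    if not any(operation in ops for ops in policy.events.values()):
        return False, "operation is not part of any monitored event"
    if share not in policy.scope.shares_to_include:
        return False, "share is not in the scope's include list"
    if is_directory and not policy.scope.extension_check_on_directories:
        return False, "directory, and extension check on directories is disabled"
    ext = extension_of(path)
    if not ext:
        if policy.scope.monitor_objects_with_no_extension:
            return True, "no extension, and no-extension monitoring is enabled"
        return False, "no extension, and no-extension monitoring is disabled"
    if ext in policy.scope.file_extensions_to_include:
        return True, f"extension {ext} is in the scope's include list"
    return False, f"extension {ext} is not in the scope's include list"


def run_samples():
    """Constructed requests exercising each decision point; returns label -> blocked."""
    cases = {
        # Browsing the root of an in-scope share is a directory open.
        "open share root (dir) on compartilhados": ("compartilhados", "", "open", True),
        "list subfolder (dir) on grupos": ("grupos", "Relatorios", "open", True),
        "create song.mp3 on grupos": ("grupos", "Musicas/song.mp3", "create", False),
        "read clip.AVI on programas": ("programas", "clip.AVI", "read", False),
        "read report.docx on programas": ("programas", "report.docx", "read", False),
        "create movie.mp4 on publico (out of scope)": ("publico", "movie.mp4", "create", False),
        "delete song.mp3 on grupos (unmonitored op)": ("grupos", "song.mp3", "delete", False),
        "open README (no extension) on compartilhados": ("compartilhados", "README", "open", False),
    }
    return {label: screen(POLICY, *args)[0] for label, args in cases.items()}


if __name__ == "__main__":
    for label, blocked in run_samples().items():
        print(f"{'BLOCK' if blocked else 'allow':5}  {label}")
```

Running the file prints one allow/BLOCK line per constructed request. Under these rules the two directory cases come out as allowed, which is the browsing behaviour the post expected; the model only states that intent, it does not say why the live system behaves differently.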
