ONTAP Discussions

Netapp clustered mode antivirus

Singhz

In the process of installing and configuring Sophos for NetApp clustered mode. As I understand it, the process is to create a scanner pool comprising vscan servers and apply an access policy on the SVMs that I want to be able to scan using the scanner pool.

I have a few issues.

1. If I have more than one vscan server as part of a scanner pool, both vscan servers scan a file when it is accessed. I was under the assumption that scanning is load balanced between vscan servers in a scanner pool.

2. How do I define a secondary scanner pool so that if the primary fails the secondary automatically takes over scanning?

3. I have also lost access to files from an SVM that was configured for scanning. I believe this may be due to the on-access-policy being configured to SCAN-MANDATORY. What's the best practice to avoid this from occurring again?

Any guidance would be much appreciated.

Thanks

1 ACCEPTED SOLUTION

Singhz

Hi Sahana

I followed instructions from the second link that you posted. This was exactly the same as I followed before. For the benefit of others experiencing the same issue, I recreated all my scanner pools and policies from the beginning. The only thing that I did different to the first time round was to create a local read-only account on the NetApp with READ-ONLY ontapi access. I then used this account when you define the connection to the Cluster Management LIFs from the NetApp Connector. I have two scanner pools, one primary with 2 AV scanners and one secondary with one AV scanner. Only one AV scanner in the primary scans the files at any one time (load balanced), which is how it should be working. As a test, if I disconnect the network to the 2 AV scanners in the primary pool, the AV scanner in the secondary pool kicks in automatically.

So now everything is working as it should.

Thanks for your help Sahana.

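The primary/secondary pool layout described in the post above, as an added example that is not part of the original thread and not the poster's actual commands. ONTAP 9 parameter names are assumed (check the man pages on your release), and the cluster name, SVM name, pool names, scanner hostnames and service account are hypothetical placeholders.

```text
# Added example. ONTAP 9 syntax assumed; cluster1, svm1, sp_primary, sp_secondary,
# av1/av2/av3.example.com and EXAMPLE\svc_vscan are hypothetical placeholders.

# Primary pool with two AV scanners
cluster1::> vserver vscan scanner-pool create -vserver svm1 -scanner-pool sp_primary -hostnames av1.example.com,av2.example.com -privileged-users EXAMPLE\svc_vscan

# Secondary pool with one AV scanner
cluster1::> vserver vscan scanner-pool create -vserver svm1 -scanner-pool sp_secondary -hostnames av3.example.com -privileged-users EXAMPLE\svc_vscan

# Mark one pool as primary and the other as secondary
cluster1::> vserver vscan scanner-pool apply-policy -vserver svm1 -scanner-pool sp_primary -scanner-policy primary
cluster1::> vserver vscan scanner-pool apply-policy -vserver svm1 -scanner-pool sp_secondary -scanner-policy secondary

# Verify the pool/policy assignment, then list scanner connection status
cluster1::> vserver vscan scanner-pool show -vserver svm1
cluster1::> vserver vscan connection-status show-all -vserver svm1
```

Re-running the last command during a failover test shows which scanners are still connected to the SVM.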

5 REPLIES 5

Sahana

Hi,

You can select the scanner policy as primary or secondary. https://library.netapp.com/ecmdocs/ECMLP2348025/html/vserver/vscan/scanner-pool/apply-policy.html

Refer to http://www.netapp.com/us/media/tr-4309.pdf

On-Access policy filter is set to Scan Mandatory by default. vscan options mandatory_scan can be set to off.

Singhz

Hi Sahana

Many thanks for your reply. I am unable to access the link https://library.netapp.com/ecmdocs/ECMLP2348025/html/vserver/vscan/scanner-pool/apply-policy.html as I get an access denied message. Any chance of posting this somewhere where I am able to download the content?

Sahana

Try vserver vscan scanner-pool apply-policy

Singhz

Hi

I've been testing this setup on our network for a while now and am noticing latency from when an end user clicks to open a file and when it actually appears on their screen. My theory is that the latency is caused by a combination of network latency plus the time taken by the AV to scan.

So, I would like to test by bypassing our network while the AV is scanning files. To do this I have connected a rack mount server directly to 1 port each on our two controller FAS8020, so e0e port from node 1 and e0f port from node 2.

I need a little help in setting up the network.

Initially I was trying to set a 192 IP address on e0e and e0f ports but am not able to, using 'ifconfig e0e 192.168.x.x netmask 255.255.255.0' from each node shell. Each time it reports back 'usage: ifconfig -a | interfaces'.

I'm not sure if this is the correct way of assigning an IP address directly to a port or whether it is possible.

Secondly, I have taken a different approach by creating a single mode ifgrp on both e0e and e0f port and created a broadcast domain from both ifgrps. I've then created a LIF on an SVM that is serving data, on the ifgrp that was created using e0e port. So I have an SVM with a LIF on a network VLAN and a LIF on the private 192.168.x.x range.

When I create an AV scanner which will also have a domain IP and a 192.168.x.x private IP, that is added to a scanner pool, how will the AV scanner know which of the two networks to use when scanning files? Will it automatically choose the shortest path / shortest hop first, in which case the 192.168 network will always win?

If the second method is the correct way of setting this up it would also mean that if we decide to follow this approach because latency is reduced dramatically, each SVM will require 2 LIFs, one on a domain VLAN and one from the 192.168.x.x range.

Are any of these methods feasible? Your help is greatly appreciated.