File extension blocking is not working on filer

Hi,

I am trying to create native file blocking based on the file extension, like .mp3 etc.

Here are the steps I am performing:

1) fpolicy create mp3blocker screen

2) fpolicy extensions include set mp3blocker mp3

3) UKXXXXXXX>fpolicy monitor set mp3blocker -p cifs,nfs create,rename

The following commands are available; for more information

type "fpolicy help <command>"

create              enable              options             show

destroy             ext[ension]         servers             vol[ume]

disable             help

Also tried the below:

fpolicy mon add mp3blocker -p cifs create,rename

Can not execute 3) but have gone ahead and enabled the policy with the below steps

4) fpolicy options mp3blocker required on

5) fpolicy enable mp3blocker

I am still able to copy *.mp3 files

Sorry about the formatting. Any suggestions?


Re: File extension blocking is not working on filer

FYI... my Ontap version is 7.0.4

Re: File extension blocking is not working on filer

When I set this up last I remember it enabled on all volumes by default but worth checking... to see if the volume you are writing to is included or excluded...

What is the output of both fpolicy vol inc show mp3blocker and fpolicy vol exc show mp3blocker

I also remember having to use -f on enable at one account.. fpolicy enable mp3blocker -f

Re: File extension blocking is not working on filer

Thanks for the response...

UKXXXXXXXX> fpolicy vol inc show mp3blocker

List of volume specifications to screen:

None.

UKXXXXXXXX> fpolicy vol exc show mp3blocker

List of volume specifications to screen:

None.

Does this mean the volume is not included and I have to include it?

(I used -f to enable the policy)

Update: File blocking with all the above commands works fine on another NetApp filer which is running 7.2.7P2

Re: File extension blocking is not working on filer

Correct… the default used to be all volumes but looks like that changed before or after your release…so add to the include list and it will work.

Re: File extension blocking is not working on filer

Great that explains the behavior... Thanks Scott for quick response.

Re: File extension blocking is not working on filer

Let us know if it works ☺ One caveat is smart users can rename their mp3 files to .doc to get around the block, then you need a tool like ntp which will also use fpolicy but will also look at file headers regardless of extension.
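The caveat in the post above (an .mp3 renamed to .doc passes an extension-only screen) can be checked with a header-based audit. This is an added example, not code from the thread or from NetApp: a stand-alone script run against a mounted share, not an fpolicy server, and the function names and sample files are constructed for illustration.

```python
import os
import tempfile

BLOCKED_EXT = {".mp3"}  # the extension the thread's policy screens

def looks_like_mp3(head: bytes) -> bool:
    """Heuristic: do the first bytes look like an ID3v2 tag or an MPEG Layer III frame?"""
    if len(head) >= 10 and head[:3] == b"ID3":
        # ID3v2 header: major version 2-4, then four 7-bit (synchsafe) size bytes
        return head[3] in (2, 3, 4) and head[4] != 0xFF and all(b < 0x80 for b in head[6:10])
    if len(head) < 4 or head[0] != 0xFF or (head[1] & 0xE0) != 0xE0:
        return False  # no 11-bit frame sync
    version = (head[1] >> 3) & 0x03      # 01 is reserved
    layer = (head[1] >> 1) & 0x03        # 01 means Layer III
    bitrate = (head[2] >> 4) & 0x0F      # 1111 invalid; 0000 (free format) skipped to cut noise
    sample_rate = (head[2] >> 2) & 0x03  # 11 is reserved
    return version != 1 and layer == 1 and bitrate not in (0, 0x0F) and sample_rate != 3

def find_disguised_mp3(root: str) -> list:
    """Paths under root whose content looks like MP3 but whose extension is not blocked."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in BLOCKED_EXT:
                continue  # already covered by the extension policy
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(10)
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if looks_like_mp3(head):
                hits.append(path)
    return sorted(hits)

def demo() -> list:
    """Constructed samples: two renamed MP3s, one genuine OLE .doc, one honest .mp3."""
    samples = {
        "report.doc": b"ID3\x03\x00\x00\x00\x00\x0f\x76" + b"\x00" * 16,
        "notes.txt": b"\xff\xfb\x90\x64" + b"\x00" * 16,
        "real.doc": bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 16,
        "song.mp3": b"\xff\xfb\x90\x64" + b"\x00" * 16,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in find_disguised_mp3(root)]

if __name__ == "__main__":
    print(demo())
```

The frame-sync test is a heuristic on the first bytes only, so treat hits as candidates for review rather than proof.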

Re: File extension blocking is not working on filer

I know... Hopefully I will be able to scare them away with some policy compliance message box (EMC has that feature). Not sure if NetApp has that feature.

Re: File extension blocking is not working on filer

Scott, I applied the changes (i.e. added the volume to the policy) and enabled it with -f.

Still it lets me copy .mp3 files.

Any thoughts on this?

Re: File extension blocking is not working on filer

What is the volume include list?