topic Re: fpolicy - screening server required? in ONTAP Discussions

fpolicy - screening server required?

rogilvieisc — Thu, 05 Jun 2025 07:28:28 GMT

Hi,

I've been messing about with fpolicy on the simulator, trying to work out what functionality is provided without a file screening server. i've managed to get the following to work:

- block copying blocked extension into share

- block renaming/creation of the blocked file in a share

I cannot get it to block a file that has been renamed outside of the share, and then copied in (renamed a .mp3 to .txt and it let me copy the file into the share)

I've confused myself as to when a server is required and when you can just natively use fpolicy to handle all your file blocking requirements. Can I get all the following functionality with using a third party file screening server:

- block copy of .mp3 into share

- block creation/renaming existing .mp3 inside the share

- block renaming .mp3 to .txt outside of share and then copied into the share

I have found the config/example guides a little confusing on NOW as it seems to hint that fpolicy can handle all aspects of file-blocking without the addition of a server.

hopefully it all makes sense, if a server is required does anyone have a recommendation - prefer to not use one, just rely the awesome-ness of Ontap!

cheers,

Ross

Re: fpolicy - screening server required?

anthonyfeigl — Mon, 04 May 2009 12:34:46 GMT

Hey Ross,

In my experience you would need a third party software product such as NTP QFS, and you would need a server running the App to connect to the Fpolicy client (on the vfiler/filer) to block the software.

I have used the software in two financial firms, one managing 40,000 users and 300TB of useable data and one with 5,000 users, so I can tell you that Fpolicy works well in the correct implementation, just watch the version of Ontap you are using. But I think it is critical to have third party hardware and software.

Hope this helps.

Anthony

Re: fpolicy - screening server required?

rogilvieisc — Tue, 12 May 2009 07:08:35 GMT

Hi Anthony,

Thanks for the quick reply - if only I was as quick responding!

I agree with you, I've used file screening servers in the past, especially when granularity is required - actually the only product i've used is StorageExec, from Veritas which I think has now been rolled into EV?

I was trying to exclude one directory within a volume using fpolicy - but it does specifically state fpolicy is implemented at volume level. I thought I'd have a go anyway!! ...I was wasting my time

Have you had much experience with file screening servers, any you'd recommend over others?

cheers,

Ross

Re: fpolicy - screening server required?

anthonyfeigl — Tue, 12 May 2009 13:00:25 GMT

Hey Ross,

I'm a bit confused on your statement of file screening servers.

We use Wintel boxes to run the NTP QFS application which connects to our fpolicy configuration on our vfilers.

I have used NTP QFS extensively in financial Production environments to block non business related file content such as mp3, mpg and avi.

NTP QFS was recommended for use (2004-2005) by our NetApp sales team and it has been very effective at managing home directory folder level quotas (acl based) vs qtrees.

NTP QFS is very granular and will allow to lock down specific folders. I suggest you contact them for an evaluation license.

Do you have any other specific questions?

Anthony

Re: fpolicy - screening server required?

rogilvieisc — Tue, 12 May 2009 13:26:56 GMT

Hey Anthony,

Sorry about the confusion.

I was just babbling on really, thinking out loud . I was trying to enforce a more granular file-blocking policy without using a 3rd party product, so just using the fpolicy CLi commands via Ontap, it was a clutching at straws effort really - trying to save some money...

Not to worry, you answered my question with NTP QFS - think I'll download the trial and have a poke around. Thanks for the reply.

cheers,

Ross

Re: fpolicy - screening server required?

chriskranz — Tue, 12 May 2009 16:23:56 GMT

Also checkout Northern Storage Suite. It's not quite as mature as NTP QFS, but it is still a very comprehensive product and does the job very well. Deep scanning (opening a file and checking it's properties to work out whether it's been renamed or not) is always an intensive process I have found, so use with caution and make sure you over-spec the scanning server.

fpolicy directly on the filer is a good tool though, and if you don't want to do anything too fancy, then it gives you a pretty good starting block. While you're there, checkout quota's. Even if it's just soft quota's, it's a really good way to get a picture of what your users / departments are using. The reason I mention it is that most of the fpolicy servers have some sort of quota functionality also built into them.

Re: fpolicy - screening server required?

rogilvieisc — Mon, 18 May 2009 12:29:09 GMT

Thanks for the other recommendation Chris, I'll also have a better look into the quota's at some stage.

I've already got fpolicy blocking and its working very well! I just need to exclude some directories within a volume - only one actually which is a little painful but still required, and my understanding is fpolicy is set at a volume level only.

Hopefully NTP QFS and/or Northern Storage suite will give me that functionality.

Cheers,

Ross