Native Policy blocking access to entire cifs share instead of specific file extensions

ericknoleto — Wed, 04 Jun 2025 14:15:03 GMT

Hi all.

I think it's the first time I post here, don't know.

I moved my cifs shares to another system I manage, one that uses Ontap 9.1P7, C-Mode. Applying the native fpolicy I used on the 7-mode system have being a pain...

My objective is to create a fpolicy that blocks read and write (creation) of midia files in some of my shares, here's what I did:

1. Create the events on the svm, command to check them:

fpolicy policy event show -vserver CIFS_01 -event-name *

Event File Is Volume
Vserver Name Protocols Operations Filters Operation
--------- ------------------ --------- ------------ ------------ ------------
CIFS_01 create cifs create, write, rename - false

CIFS_01 read cifs read, open - false

2 entries were displayed.

2. Created the scope. Command to check them:

scope show -vserver CIFS_01 -policy-name restricted_file_type
(vserver fpolicy policy scope show)

Vserver: CIFS_01
Policy: restricted_file_type
Shares to Include: compartilhados, grupos, programas
Shares to Exclude: -
Volumes to Include: -
Volumes to Exclude: -
Export Policies to Include: -
Export Policies to Exclude: -
File Extensions to Include: 3G2, 3GP, AIF, ASX, AVI,DIVX, FLV, IFF, M3U, M4A,MOV, MP3, MP4, MPA, MPG,PIF, RA, RM, RMB, SWF, VOB,WMA, WMV
File Extensions to Exclude: -
Is File Extension Check on Directories Enabled: false
Is Monitoring of Objects with No Extension Enabled: false

3. Just to be sure, here's my shares list. Checking shares list:

share show -vserver CIFS_01 -fields share-name
(vserver cifs share show)
vserver share-name
------- ----------
CIFS_01 admin$
CIFS_01 arquivo_ascom
CIFS_01 c$
CIFS_01 cifs_audio_turmas$
CIFS_01 compartilhados
CIFS_01 grupos
CIFS_01 ipc$
CIFS_01 midia_ascom
CIFS_01 programas
CIFS_01 publico
CIFS_01 root$
CIFS_01 share_logs$
CIFS_01 usuarios
13 entries were displayed.

4. And here's the policy. Command to check policy:

policy show -vserver CIFS_01 -policy-name restricted_file_type -instance

Vserver: CIFS_01
Policy: restricted_file_type
Events to Monitor: create, read
FPolicy Engine: native
Is Mandatory Screening Required: true
Allow Privileged Access: yes
User Name for Privileged Access: TRT18\Administrator
Is Passthrough Read Enabled: false

So far... If I understood how fpolicy works in C-Mode, it should block only those file extensions on the included shares (compartilhados, grupos, programas) right?
Well, when I activate the policy with that command (enable -vserver CIFS_01 -policy-name restricted_file_type -sequence-number 1), I lost access to these shares completely, I cant even browse these three shares (compartilhados, grupos, programas), while the other shares I can access without problems.

Am I doing anything wrong? Can anyone lend a hand?

topic Native Policy blocking access to entire cifs share instead of specific file extensions in ONTAP Discussions

Native Policy blocking access to entire cifs share instead of specific file extensions