Native Policy blocking access to entire cifs share instead of specific file extensions
2017-12-13 03:14 AM
I think it's the first time I post here, don't know.
I moved my cifs shares to another system I manage, one that uses Ontap 9.1P7, C-Mode. Applying the native fpolicy I used on the 7-mode system have being a pain...
My objective is to create a fpolicy that blocks read and write (creation) of midia files in some of my shares, here's what I did:
1. Create the events on the svm, command to check them:
fpolicy policy event show -vserver CIFS_01 -event-name *
Event File Is Volume
Vserver Name Protocols Operations Filters Operation
--------- ------------------ --------- ------------ ------------ ------------
CIFS_01 create cifs create, write, rename - false
CIFS_01 read cifs read, open - false
2 entries were displayed.
2. Created the scope. Command to check them:
scope show -vserver CIFS_01 -policy-name restricted_file_type
(vserver fpolicy policy scope show)
Shares to Include: compartilhados, grupos, programas
Shares to Exclude: -
Volumes to Include: -
Volumes to Exclude: -
Export Policies to Include: -
Export Policies to Exclude: -
File Extensions to Include: 3G2, 3GP, AIF, ASX, AVI,DIVX, FLV, IFF, M3U, M4A,MOV, MP3, MP4, MPA, MPG,PIF, RA, RM, RMB, SWF, VOB,WMA, WMV
File Extensions to Exclude: -
Is File Extension Check on Directories Enabled: false
Is Monitoring of Objects with No Extension Enabled: false
3. Just to be sure, here's my shares list. Checking shares list:
share show -vserver CIFS_01 -fields share-name
(vserver cifs share show)
13 entries were displayed.
4. And here's the policy. Command to check policy:
policy show -vserver CIFS_01 -policy-name restricted_file_type -instance
Events to Monitor: create, read
FPolicy Engine: native
Is Mandatory Screening Required: true
Allow Privileged Access: yes
User Name for Privileged Access: TRT18\Administrator
Is Passthrough Read Enabled: false
So far... If I understood how fpolicy works in C-Mode, it should block only those file extensions on the included shares (compartilhados, grupos, programas) right?
Well, when I activate the policy with that command (enable -vserver CIFS_01 -policy-name restricted_file_type -sequence-number 1), I lost access to these shares completely, I cant even browse these three shares (compartilhados, grupos, programas), while the other shares I can access without problems.
Am I doing anything wrong? Can anyone lend a hand?