Network and Storage Protocols

Deleting a File on Windows 10 does not send FPolicy SMB_DEL request




I have configured NetApp FPolicy on a SMB share. The FPolicy server I have developed get requests from NetApp. I am enabled all SMB filters (open, close, setattr, delete, delete_dir, rename, rename_dir).


I am using Data ONTAP 8.3.2. I deleted a file from my Windows 10 client. But NetApp does not send a FPolicy request with SMB_DEL. I only get SMB_OPEN and SMB_CLOSE requests on the file. 


Is there someway I can get a delete request when a file is deleted? I am also attaching a Wireshark packet trace for FPolicy captured on the FPolicy server. It has requests that NetApp sends to my FPolicy server.


Thanks for your help!



just a thought,

if you're testing, try the netapp native fpolicy to see if works?


Thanks. I will check.


Late reply, but I'm hoping one of you are still around.  I'm running into the same issue.  I've created a new fpolicy on my 8.3.2 c-mode netapp.  All SMB events are being sent to our fpolicy server (stealthaudit) with the exception of delete_file from windows 10 clients (delete folder is being sent from win 10).  I can't seem to locate any information on the native fpolicy being discussed in one of the replies.  Does anyone have any additional information I could review to try to resolve my issue?




 - Matt Friedenfeld