
File extension blocking is not working on filer

RITESHKENNY1

Hi,

I am trying to create native file blocking based on file extension, such as .mp3.

Here are the steps I am performing:

1) fpolicy create mp3blocker screen

2) fpolicy extensions include set mp3blocker mp3



3) UKXXXXXXX>fpolicy monitor set mp3blocker -p cifs,nfs create,rename
The following commands are available; for more information
type "fpolicy help <command>"
create              enable              options             show
destroy             ext[ension]         servers             vol[ume]
disable             help

Also tried the below:

fpolicy mon add mp3blocker -p cifs create,rename

I cannot execute 3), but I have gone ahead and enabled the policy with the steps below:

4) fpolicy options mp3blocker required on

5) fpolicy enable mp3blocker

I am still able to copy *.mp3 files

Sorry about the formatting. Any suggestions?


1 ACCEPTED SOLUTION

scottgelb

Correct… the default used to be all volumes but looks like that changed before or after your release…so add to the include list and it will work.


RITESHKENNY1
FYI... my ONTAP version is 7.0.4

scottgelb

When I set this up last I remember it enabled on all volumes by default but worth checking... to see if the volume you are writing to is included or excluded...

What is the output of both fpolicy vol inc show mp3blocker and fpolicy vol exc show mp3blocker

I also remember having to use -f on enable at one account.. fpolicy enable mp3blocker -f

RITESHKENNY1

Thanks for the response...

UKXXXXXXXX> fpolicy vol inc show mp3blocker

List of volume specifications to screen:

None.

UKXXXXXXXX> fpolicy vol exc show mp3blocker

List of volume specifications to screen:

None.

Does this mean the volume is not included and I have to include it?

(I used -f to enable the policy)

Update: File blocking with all the above commands works fine on another NetApp filer which is running 7.2.7P2.

scottgelb

Correct… the default used to be all volumes but looks like that changed before or after your release…so add to the include list and it will work.

RITESHKENNY1
Great, that explains the behavior... Thanks, Scott, for the quick response.

scottgelb
Let us know if it works ☺ One caveat is smart users can rename their mp3 files to .doc to get around the block; then you need a tool like ntp which will also use fpolicy but will also look at file headers regardless of extension.
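The header check mentioned in the caveat above, as an added example that is not part of the original thread and is not NetApp or any fpolicy product code. It flags files whose first bytes look like MP3 (an ID3v2 tag or an MPEG Layer III frame header) although the extension says otherwise; the function names and sample files are constructed for illustration.

```python
import os

def looks_like_mp3(head: bytes) -> bool:
    """True if the leading bytes look like an ID3v2 tag or an MPEG Layer III frame."""
    # ID3v2 tag: "ID3", major version 2-4, revision != 0xFF, flags byte,
    # then a 4-byte synchsafe size (every byte below 0x80).
    if len(head) >= 10 and head[:3] == b"ID3":
        return (head[3] in (2, 3, 4) and head[4] != 0xFF
                and all(b < 0x80 for b in head[6:10]))
    # Untagged file: 11-bit frame sync followed by plausible header fields.
    if len(head) >= 4 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        version = (head[1] >> 3) & 0x03      # 1 is reserved
        layer = (head[1] >> 1) & 0x03        # 1 means Layer III
        bitrate = (head[2] >> 4) & 0x0F      # 15 is invalid, 0 is "free"
        samplerate = (head[2] >> 2) & 0x03   # 3 is reserved
        return (version != 1 and layer == 1
                and bitrate not in (0, 15) and samplerate != 3)
    return False

def find_disguised_mp3(files: dict) -> list:
    """Names whose content looks like MP3 but whose extension is not .mp3."""
    hits = []
    for name, head in files.items():
        ext = os.path.splitext(name)[1].lower()
        if ext != ".mp3" and looks_like_mp3(head):
            hits.append(name)
    return sorted(hits)

# Constructed samples: file name -> first bytes of the file.
SAMPLES = {
    "song.mp3":    b"ID3\x03\x00\x00\x00\x00\x0f\x76" + b"\x00" * 8,
    "report.doc":  b"ID3\x04\x00\x00\x00\x00\x02\x01" + b"\x00" * 8,  # renamed, tagged
    "notes.txt":   b"\xff\xfb\x90\x00" + b"\x00" * 12,                # renamed, raw frame
    "minutes.doc": bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 8,   # real OLE2 document
    "utf16.txt":   b"\xff\xfe" + "hello".encode("utf-16-le"),         # BOM, not a frame
    "about.txt":   b"ID3 is a tagging format",                        # text, not a tag
}

if __name__ == "__main__":
    for name in find_disguised_mp3(SAMPLES):
        print("extension/content mismatch:", name)
```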

RITESHKENNY1
I know... Hopefully I will be able to scare them away with some policy compliance message box (EMC has that feature). Not sure if NetApp has that feature.

RITESHKENNY1
Scott, I applied the changes (i.e., added the volume to the policy) and enabled it with -f.

It still lets me copy .mp3 files.

Any thoughts on this?

scottgelb

What is the volume include list?

RITESHKENNY1

UKXXXXXXXX> fpolicy vol inc show mp3blocker

List of volume specifications to screen:

testvol

scottgelb
Use fpolicy vol inc add fpolicyname volname

RITESHKENNY1
Yes, I used the same... fpolicy vol inc add mp3blocker testvol

RITESHKENNY1
Upon digging more, I found out that native file blocking is not supported in 7.0.4.

This feature was introduced in 7.1, so I assume it was done using an external server prior to 7.1.

scottgelb

Good catch…haven’t touched a 7G system in so long and didn’t see you were on that old of a system. Can you upgrade your controller?

RITESHKENNY1

Will certainly look into upgrading the code. Thanks for helping me with this.
