Hi, we have an AV server (hosting Trend Micro) set up on our Prod clusters that has the mandatory scan option set to ON in the default_CIFS Policy. The clients have vscan-fileop-profile set to writes only. My question is:
If I disable the mandatory scan to OFF since AV servers would be disconnected due to maintenance,
1> Would it deny file access to this client (separate SVM)?
2> Would it deny file access to other clients, since the same default_CIFS Policy is used for all the clients, but the AV server is different?
By default, the scan-mandatory option for on-access scanning denies file access when a Vscan server connection is not available for scanning. Although this option offers important safety features, it can lead to problems in a few situations.
Before enabling client access, you must ensure that at least one Vscan server is connected to an SVM on each node that has a LIF. If you need to connect servers to SVMs after enabling client access, you must turn off the scan-mandatory option on the SVM to ensure that file access is not denied because a Vscan server connection is not available. You can turn the option back on after the server has been connected.
If a target LIF hosts all the Vscan server connections for an SVM, the connection between the server and the SVM will be lost if the LIF is migrated. To ensure that file access is not denied because a Vscan server connection is not available, you must turn off the scan-mandatory option before migrating the LIF. You can turn the option back on after the LIF has been migrated.
Each SVM should have at least two Vscan servers assigned to it. It is a best practice to connect Vscan servers to the storage system over a different network from the one used for client access.
I will add, there is still a possibility slow vscan could compromise your performance. Mandatory scan set to off works assuming the vscan server is responsive and you don't queue up on the filer with requests waiting to go to vscan. Make sure you size it for your workload accordingly.
The TRs kind of talk about it, but generally we lean on the vscan vendor for help with sizing the AV solution. It may not hurt to have spare vscan servers available should you hit vscan latency so you can just easily upgrade the AV infrastructure if you're not sure if it's beefy enough or not (or maybe have a dynamic pool that grows and shrinks if you think you'll have a job say once a month that you know is more i/o intensive).
Hi @paul_stejskal Thanks for sharing the wonderful and detailed insights. Unfortunately, there are no backup servers in the Infra. Would it be a problem if I disable the on-access policy completely on this SVM during the time of the activity? Would it cause any risk?
Also, the machine account accessing this SVM for AV, is it authenticated through AD?
1) Should be fine. You may have to disable on the AV side depending on the vendor. Some vendors of vscan and fpolicy (Varonis I know for sure does for fpolicy) love to send API calls back to ONTAP to turn on fpolicy/vscan if you disable from the CLI. I can't confirm vscan will do this, but that's simple enough to test.
2) I'm not sure. I believe so, but unfortunately vscan is a secondary area for me so I cannot confirm 100%. AFAIK it is common for vscan to use an AD account, but possibly a local account can be used too.
Hopefully someone else can answer that second question. @Mjizzini ?