Let's say I have an NFS volume, with FabricPool and a snapshot policy enabled. The minimum cooling days are 2 days, which means any cold BLOCKS that have not been modified will be tiered to the S3 bucket. The snapshot policy is set to one per day.
Let's also assume that the volume got corrupted or infected (encrypted) by ransomware on Friday. Can I then use a snapshot taken on Thursday, Wednesday, or any day before Friday to restore data?
My answer is probably not, because the metadata or the active data may have gotten corrupted. It is not necessarily the case that all blocks I need for that day would have been tiered to S3, so I cannot restore all blocks back. FabricPool with a snapshot policy is not a backup. Am I right?
Can the experts here please confirm or shed some light on this for me?
Thanks for clarifying a lot of issues here for me. One more follow-up.
If I implement SnapVault, it could back up snapshots to a remote site, and I could restore uninfected data from earlier data on the remote site. Would that do any better compared to relying on local snapshots?
I know this method could save space on the primary site and keep all data should DR happen. But just from the perspective of protecting data from a ransomware attack, I would say there is no difference, because the infected data will be replicated to the remote site as well by SnapVault.
That (replication of Snapshots + SnapMirror + SnapVault-ing them on the remote site) is a valid design pattern for several purposes. For example, with it not only do you have a backup (replica copy of volumes from Origin), but you also can SnapVault those snapshots at SnapMirror Destination.
Now you may ask what's the difference between using CVO/FP (with Snapshot tiering policy) and SnapMirror + SnapVault in terms of ransomware protection? It isn't much in the sense that you can always restore from a snapshot, but the extra features are (a) with SnapVault you are also protected from various other destruction, (b) with SnapVault at a remote location, you also get a backup and the ability to move service elsewhere if you have to (example: Ransomware takes down all Active Directory / DNS servers at the Origin - your Snapshots can be restored, but no SMB client can connect as ADS is dead).
There are also other reasons; it really depends.
One example might be where you want SnapVault, not just Snapshots. Another is where you may have a big/fast/expensive Origin ONTAP and a lower cost Destination ONTAP, so you want to keep more snapshots, and longer, at the Destination, whereas at the Origin you may keep just 10-20 for the current week.
Some customers also use the pattern you mention (SM + SV) to back up data to tape. You can't do that in the cloud, but if you SnapMirror + SnapVault to on-prem, you could back up that on-prem data to tape. (This isn't to say "tape is better" or anything like that, it's simply a requirement that some customers have.)
FabricPool doesn't play a role in client-side encryption of data (FabricPool data is already encrypted by ONTAP before it arrives at S3), so as far as recovery from encryption or ransomware is concerned FabricPool can be ignored (it's the same situation with or without it).
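The "restore from a snapshot, or clone it and scan it first" path described above, written out as ONTAP clustershell steps. This is an added example, not a command list from the thread or from NetApp documentation; the cluster, SVM, volume, snapshot and SnapVault relationship names are constructed placeholders.

```console
# Added example (not from the thread). cluster1, svm1, vol1, vol1_thu_check,
# daily.2023-01-05_0010 and svm1_dr:vol1_vault are constructed placeholder names.

# 1. Confirm the FabricPool tiering settings on the volume. Tiering only moves
#    cold blocks to the capacity tier; the snapshot's block pointers stay intact,
#    so this is informational and does not gate the restore.
cluster1::> volume show -vserver svm1 -volume vol1 -fields tiering-policy,tiering-minimum-cooling-days

# 2. List the snapshots and pick the last one created before the NFS clients
#    were infected (Friday in the question, so Thursday's daily copy).
cluster1::> volume snapshot show -vserver svm1 -volume vol1 -fields create-time,size

# 3. Safer path first: clone the candidate snapshot into a writable FlexClone,
#    mount it under its own junction, and export it only to an isolated scanning
#    client. The live volume is not touched yet.
cluster1::> volume clone create -vserver svm1 -flexclone vol1_thu_check -type RW -parent-volume vol1 -parent-snapshot daily.2023-01-05_0010
cluster1::> volume mount -vserver svm1 -volume vol1_thu_check -junction-path /vol1_thu_check

# ... scan /vol1_thu_check from the isolated NFS client with the anti-ransomware / AV tool ...

# 4a. If the clone is clean, revert the live volume to that snapshot.
#     Caveat: a snapshot restore discards every change made after the snapshot
#     AND deletes all newer snapshots, so copy any encrypted files or ransom
#     notes needed for forensics off the volume before running it.
cluster1::> volume snapshot restore -vserver svm1 -volume vol1 -snapshot daily.2023-01-05_0010

# 4b. Alternatively, keep the clean clone as the new production copy: split it
#     from its parent so it no longer depends on the snapshot, then re-point
#     the NFS export to /vol1_thu_check.
cluster1::> volume clone split start -vserver svm1 -flexclone vol1_thu_check

# 5. If the volume is SnapVaulted, the remote copy keeps its own, typically
#    longer, snapshot retention and is unaffected by the local revert. Check
#    the relationship is healthy before relying on it as the fallback.
cluster1::> snapmirror show -destination-path svm1_dr:vol1_vault -fields state,healthy,lag-time

# 6. On ONTAP 9.10.1 or later, confirm the built-in anti-ransomware detection
#    is active on the volume so the next encryption wave is flagged early.
cluster1::> security anti-ransomware volume show -vserver svm1 -volume vol1
```

Step 3 is the one worth doing even under time pressure: a FlexClone costs no extra capacity until it diverges from its parent snapshot, and it lets the scan run without discarding any newer snapshots.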
> Let's also assume that the volume got corrupted or infected (encrypted) by ransomware on Friday
The volume itself can't get "corrupted" because of ransomware. ONTAP itself would have to get infected for that to happen.
There will be one or more NFS shares, and files on NFS share(s) on that volume could get deleted or encrypted (if it doesn't get stopped by the anti-ransomware feature built into ONTAP >= 9.10.1).
If you have a FlexVol snapshot, only files on NFS share(s) that live(s) on that volume can get encrypted by ransomware. The filesystem (WAFL) itself cannot. If data on NFS shares gets encrypted or deleted, you can revert the volume to the last snapshot before the NFS clients got infected, or clone it and rescan the clone data with anti-ransomware software to make sure it's clean.
See TR-4572 for the details related to pre-9.10.1 (when this built-in detection becomes available in ONTAP OS):