Hi Ashun,

Thanks for the reply.

Is there any reason that we set a hard limit to 8?

My point is that we don't have to hard limit it, let users to decide the number of snapshots to keep.

If the attack is frequent, and ARP found it immeditely, take snapshots, and the first few snapshots are clean.

But they are deleted after more attacks, then the snapshots taken later are not usable or partial unsuable.

If the attacker knows how these options works, they can just attack more frequently and let ONTAP delete the good snapshots for them. 

I highly recommend that change this behavior, and keep the snapshots when user set the retention period.

br

Lei

lei bro

I'm sorry for the late reply

I think what you said is very reasonable. As for the 8 snapshots set by netapp, it may be considered to prevent the surge of snapshots and cause more system resources to be occupied.

The way I understand it, if all the rule Settings are defaults

case
arp snapshot is created at the beginning of the attack, and the arp snapshot is S1. If the attack continues, no arp snapshot is created. After more than 4 hours, the arp snapshot is created, and the snapshot is S2.
Six snapshots S1-S6 are created. 24 hours have passed. I believe that 24-hour response to attackers and data recovery is more than enough

If it is not fixed, the attack continues. The rule gradually changes to create arp snapshots at an eight-hour interval. Each ARP snapshot is retained for 48 hours, and snapshots are taken every five days for five days. If we get to that point, it's been a long time since the attack started, and if we can't fix it in the meantime, I think we can replace it with a better security team