ONTAP Discussions

Native Policy blocking access to entire cifs share instead of specific file extensions


Hi all.


I think it's the first time I post here, don't know.


I moved my CIFS shares to another system I manage, one that uses ONTAP 9.1P7, C-Mode. Applying the native fpolicy I used on the 7-mode system has been a pain...

My objective is to create an fpolicy that blocks read and write (creation) of media files in some of my shares. Here's what I did:


1. Created the events on the SVM. Command to check them:

fpolicy policy event show -vserver CIFS_01 -event-name *


           Event                File                             Is Volume
Vserver    Name    Protocols    Operations             Filters   Operation
-------    ------  ---------    ---------------------  -------   ---------
CIFS_01    create  cifs         create, write, rename  -         false
CIFS_01    read    cifs         read, open             -         false

2 entries were displayed.

2. Created the scope. Command to check it:


scope show -vserver CIFS_01 -policy-name restricted_file_type
(vserver fpolicy policy scope show)


Vserver: CIFS_01
Policy: restricted_file_type
Shares to Include: compartilhados, grupos, programas
Shares to Exclude: -
Volumes to Include: -
Volumes to Exclude: -
Export Policies to Include: -
Export Policies to Exclude: -
File Extensions to Include: 3G2, 3GP, AIF, ASX, AVI, DIVX, FLV, IFF, M3U, M4A, MOV, MP3, MP4, MPA, MPG, PIF, RA, RM, RMB, SWF, VOB, WMA, WMV
File Extensions to Exclude: -
Is File Extension Check on Directories Enabled: false
Is Monitoring of Objects with No Extension Enabled: false

3. Just to be sure, here's my shares list. Checking shares list:


share show -vserver CIFS_01 -fields share-name
(vserver cifs share show)
vserver share-name
------- ----------
CIFS_01 admin$
CIFS_01 arquivo_ascom
CIFS_01 c$
CIFS_01 cifs_audio_turmas$
CIFS_01 compartilhados
CIFS_01 grupos
CIFS_01 ipc$
CIFS_01 midia_ascom
CIFS_01 programas
CIFS_01 publico
CIFS_01 root$
CIFS_01 share_logs$
CIFS_01 usuarios
13 entries were displayed.

4. And here's the policy. Command to check policy:


policy show -vserver CIFS_01 -policy-name restricted_file_type -instance

Vserver: CIFS_01
Policy: restricted_file_type
Events to Monitor: create, read
FPolicy Engine: native
Is Mandatory Screening Required: true
Allow Privileged Access: yes
User Name for Privileged Access: TRT18\Administrator
Is Passthrough Read Enabled: false

So far... If I understood how fpolicy works in C-Mode, it should block only those file extensions on the included shares (compartilhados, grupos, programas), right?
Well, when I activate the policy with that command (enable -vserver CIFS_01 -policy-name restricted_file_type -sequence-number 1), I lose access to these shares completely. I can't even browse these three shares (compartilhados, grupos, programas), while the other shares I can access without problems.

Am I doing anything wrong? Can anyone lend a hand?
