Skip to content

Latest commit

 

History

History
71 lines (64 loc) · 5.1 KB

modify-automatic-snapshot-options-task.adoc

File metadata and controls

71 lines (64 loc) · 5.1 KB
Raw
sidebar permalink keywords summary
sidebar
anti-ransomware/modify-automatic-snapshot-options-task.html
anti-ransomware, automatic, snapshot, suspected attack, vserver options, autonomous ransomware protection, arp
Modify settings for Autonomous Ransomware Protection snapshots that are automatically generated in response to suspected ransomware attacks.

Modify options for automatic snapshots

Beginning with ONTAP 9.11.1, you can use the CLI to control the retention settings for Autonomous Ransomware Protection (ARP) snapshots that are automatically generated in response to suspected ransomware attacks.

Before you begin

You can only modify ARP snapshots options on a node SVM.

Steps

  1. To show all current ARP snapshot settings, enter:
    vserver options -vserver <svm_name> -option-name arw*

    Note
    		 The vserver options command is a hidden command. To view the man page, enter man vserver options at the ONTAP CLI.

  2. To show selected current ARP snapshot settings, enter:
    vserver options -vserver <svm_name> -option-name <arw_setting_name>

  3. To modify ARP snapshot settings, enter:
    vserver options -vserver <svm_name> -option-name <arw_setting_name> -option-value <arw_setting_value>

    The following settings are modifiable:

    ARW setting Description

    arw.snap.max.count

    Specifies the maximum number of ARP snapshots that can exist in a volume at any given time. Older copies are deleted to ensure that the total number of ARP snapshots are within this specified limit.
    The -option-value parameter accepts integers between 3 and 8, inclusive. The default value is 6.

    arw.snap.create.interval.hours

    Specifies the interval in hours between ARP snapshots. A new ARP snapshot is created when an data entropy-based attack is suspected and the most recently created ARP snapshot is older than the specified interval.
    The -option-value parameter accepts integers between 1 and 48, inclusive. The default value is 4.

    arw.snap.normal.retain.interval.hours

    Specifies the duration in hours for which an ARP snapshot is retained. When an ARP snapshot reaches the retention threshold, any other ARP snapshots copy created before it is deleted. No more than one ARP snapshot older than the retention threshold can exist.
    The -option-value parameter accepts integers between 4 and 96, inclusive. The default value is 48.

    arw.snap.max.retain.interval.days

    Specifies the maximum duration in days for which an ARP snapshot can be retained. Any ARP snapshot older than this duration is deleted when there is no attack reported on the volume.

    Note
    		 The maximum retention interval for ARP snapshots is ignored if a moderate threat is detected. The ARP snapshot created in response to the threat is retained until you have responded to the threat. When you mark a threat as a false positive, ONTAP will delete the ARP snapshots for the volume. The -option-value parameter accepts integers between 1 and 365, inclusive. The default value is 5.

    arw.snap.create.interval.hours.post.max.count

    Specifies the interval in hours between ARP snapshots when the volume already contains the maximum number of ARP snapshots. When the maximum number is reached, an ARP snapshot is deleted to make room for a new copy. The new ARP snapshot creation speed can be reduced to retain the older copy using this option. If the volume already contains the maximum number of ARP snapshots, the interval specified in this option is used for next ARP snapshot creation, instead of arw.snap.create.interval.hours.
    The -option-value parameter accepts integers between 4 and 48, inclusive. The default value is 8.

    arw.surge.snap.interval.days

    Specifies the interval in days between ARP snapshots created in response to IO surges. ONTAP creates an ARP snapshot surge copy when there’s a surge in IO traffic and the last created ARP snapshot is older than this specified interval. This option also specifies retention period in day for an ARP surge snapshot.
    The -option-value parameter accepts integers between 1 and 365, inclusive. The default value is 5.

    arw.snap.new.extns.interval.hours

    This option specifies the interval in hours between the ARP snapshots created when a new file extension is detected. A new ARP snapshot is created when a new file extension is observed; the previous snapshot created upon observing a new file extension is older than this specified interval. On a workload that frequently creates new file extensions, this interval helps in controlling the frequency of the ARP snapshots. This option exists independent of arw.snap.create.interval.hours, which specifies the interval for data entropy-based ARP snapshots.
    The -option-value parameter accepts integers between 24 and 8760. The default value is 48.