Merge pull request #933 from NetAppDocs/ontap-hotfix
Ontap hotfix
netapp-aherbin committed May 22, 2023
2 parents cd5328c + dbdde10 commit 05ce50b
Showing 38 changed files with 208 additions and 152 deletions.
31 changes: 11 additions & 20 deletions anti-ransomware/enable-default-task.adoc
Expand Up @@ -16,28 +16,18 @@ summary: Beginning with ONTAP 9.10.1, you can configure storage VMs (SVMs) such
[.lead]
Beginning with ONTAP 9.10.1, you can configure storage VMs (SVMs) such that new volumes are enabled by default for Autonomous Ransomware Protection (ARP) in learning mode.

.What you'll need
.About this task

* The correct license is installed for your ONTAP version.
+
[cols="2*",options="header"]
|===
| ONTAP releases| License
a| ONTAP 9.11.1 and later
a| Anti_ransomware
a| ONTAP 9.10.1
a| MT_EK_MGMT (Multi-Tenant Key Management)
|===
By default, new volumes are created with ARP in disabled mode. You can modify this setting in System Manager and with the CLI. Volumes enabled by default are set to ARP in learning mode.

* Optional but recommended: Beginning in ONTAP 9.13.1, you can enable multi-admin verification (MAV) so that two or more authenticated user admins are required for anti-ransomware operations. link:../multi-admin-verify/enable-disable-task.html[Learn more^].
ARP will only be enabled on volumes created in the SVM after you have changed the setting. ARP will not be enabled on existing volumes. Learn how to link:enable-task.html[enable ARP in an existing volume].

.About this task
New volumes are created by default with ARP in disabled mode, but you can change this setting in System Manager and at the CLI. Volumes enabled by default are set to ARP in learning mode. Beginning in ONTAP 9.13.1, adaptive learning has been added to ARP analytics and the switch from learning mode to active mode is done automatically.
Beginning in ONTAP 9.13.1, adaptive learning has been added to ARP analytics, and the switch from learning mode to active mode is done automatically. For more information, see link:index.html#learning-and-active-mode[Learning and active mode].

[NOTE]
====
Enabling ARP by default for new volumes in an SVM does not automatically enable ARP for existing volumes in that SVM. Learn how to link:enable-task.html[enable ARP in an existing volume].
====
.Before you begin

* The xref:index.html[correct license] must be installed for your ONTAP version.
* Beginning in ONTAP 9.13.1, it's recommended you enable multi-admin verification (MAV) so that two or more authenticated user admins are required for anti-ransomware operations. link:../multi-admin-verify/enable-disable-task.html[Learn more^].

.Autonomous ARP switching from learning to active mode
[%collapsible]
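Review bot: The new license bullet under `.Before you begin` points at `xref:index.html[correct license]` with no anchor, while the per-release license table (Anti_ransomware for ONTAP 9.11.1 and later, MT_EK_MGMT for 9.10.1) no longer lives on this page, so a reader has to search the index page for it. Link to the specific license section, and use the `link:` macro that the other sibling-page links in this hunk use (`link:index.html#learning-and-active-mode[...]`, `link:enable-task.html[...]`). The caveat that ARP is not enabled on existing volumes also moved from a NOTE block into body text; because it describes volumes that stay unprotected, consider keeping it as an admonition.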
Expand All @@ -63,8 +53,8 @@ For more information on ARP configuration options, including default values, see
====
.System Manager
--
. Click *Storage > Storage VMs* and then select the storage VM that contains volumes you want to protect with ARP.
. In the *Settings* tab, [in the *Security* section], click image:icon_pencil.gif["pen icon"] in the *Anti-ransomware* box, then check the box to enable ARP for NAS volumes. Check the additional box to enable ARP on all eligible NAS volumes in the storage VM.
. Select *Storage > Storage VMs* then select the storage VM that contains volumes you want to protect with ARP.
. Navigate to the *Settings* tab. Under *Security*, select image:icon_pencil.gif["pen icon"] in the *Anti-ransomware* box, then check the box to enable ARP for NAS volumes. Check the additional box to enable ARP on all eligible NAS volumes in the storage VM.
+
NOTE: If you have upgraded to ONTAP 9.13.1, the *Switch automatically from learning to active mode after sufficient learning* setting is enabled automatically. This allows ARP to determine the optimal learning period interval and automate the switch to active mode. Turn off the setting if you want to manually transition to active mode.
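Review bot: Step 1 reads `Select *Storage > Storage VMs* then select ...` with no comma or "and" before "then"; the matching step in enable-task.adoc in this commit is written `Select *Storage > Volumes*, then select`. The NOTE that closes this hunk also still opens with "If you have upgraded to ONTAP 9.13.1", whereas the equivalent NOTE in enable-task.adoc was reworded to "Beginning with ONTAP 9.13.1"; align the two files.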
Expand All @@ -83,6 +73,7 @@ If you upgraded to ONTAP 9.13.1 or later, adaptive learning is enabled so that t
`vserver modify _svm_name_ -anti-ransomware-auto-switch-from-learning-to-enabled false`
====

// 18 may 2023, ontapdoc-1046
// 2023-04-06, ontapdoc-931
// 2022 Dec 16, ontap-issues-739
// 2022-08-25, BURT 1499112
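Review bot: The added tracking comment `// 18 may 2023, ontapdoc-1046` uses a different date format from the entry directly below it (`// 2023-04-06, ontapdoc-931`). Suggest `// 2023-05-18, ontapdoc-1046` so the history comments sort and search consistently.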
78 changes: 41 additions & 37 deletions anti-ransomware/enable-task.adoc
Expand Up @@ -15,62 +15,51 @@ summary: Autonomous Ransomware Protection (ARP) can be enabled on new or existin
:imagesdir: ./media/

[.lead]
Beginning with ONTAP 9.10.1, Autonomous Ransomware Protection (ARP) can be enabled on new or existing volumes. You first enable ARP in learning mode, in which the system analyzes the workload to characterize normal behavior. Then you switch to active mode, in which abnormal activity is flagged for your evaluation. You can enable ARP on an existing volume, or you can create a new volume and enable ARP from the beginning.

.What you'll need

* A storage VM enabled for NFS or SMB (or both).
* The correct license is installed for your ONTAP version.
+
[cols="2*",options="header"]
|===
| ONTAP releases| License
a|
ONTAP 9.10.1
a|
MT_EK_MGMT (Multi-Tenant Key Management)
a| ONTAP 9.11.1 and later
a| Anti_ransomware
|===
* An NAS workload with clients configured.
* The volume to be protected must have an active link:../concepts/namespaces-junction-points-concept.html[junction path^].
* Optional but recommended: The EMS system is configured to send email notifications, which will include notices of ARP activity. For more information, see link:../error-messages/configure-ems-events-send-email-task.html[Configure EMS events to send email notifications].
* Optional but recommended: Beginning in ONTAP 9.13.1, you can enable multi-admin verification (MAV) so that two or more authenticated user admins are required for Autonomous Ransomware Protection (ARP) configuration. link:../multi-admin-verify/enable-disable-task.html[Learn more^].
Beginning with ONTAP 9.10.1, Autonomous Ransomware Protection (ARP) can be enabled on new or existing volumes. You first enable ARP in learning mode, in which the system analyzes the workload to characterize normal behavior. You can enable ARP on an existing volume, or you can create a new volume and enable ARP from the beginning.

.About this task

NetApp ARP includes an initial learning period (also known as “dry run”), in which an ONTAP system learns which file extensions are valid and uses the analyzed data to develop alert profiles. After running ARP in learning mode for enough time to assess workload characteristics, you can switch to active mode and start protecting your data. Beginning with ONTAP 9.13.1, adaptive learning has been added to ARP analytics and the switch from learning mode to active mode is done automatically.
You should always enable ARP initially in the dry-run (learning mode) state. Beginning with the active state can lead to excessive false positive reports.

Although you can switch from learning to active mode anytime, a learning period of 30 days is recommended. Switching early might lead to too many false positives. The adaptive learning introduced in ONTAP 9.13.1 might determine that a shorter period is sufficient. In the ONTAP CLI, you can use the `security anti-ransomware volume workload-behavior show` command to show file extensions detected to date. It is recommended that you not use this tool to shorten the learning period.
It is recommended you let ARP run in learning mode for a minimum of 30 days. Beginning with ONTAP 9.13.1, ARP automatically determines the optimal learning period interval and automates the switch, which may occur before 30 days.

In active mode, if a file extension is flagged as abnormal, but then you evaluate it and mark it as a false positive, the alert profile is updated so that the extension is not flagged as abnormal in future alerts.
For more information, see link:index.html#learning-and-active-mode[Learning and active mode].

[NOTE]
In existing volumes, learning and active modes only apply to newly-written data, not to already existing data in the volume. The existing data is not scanned and analyzed, because the characteristics of earlier normal data traffic are assumed based on the new data after the volume is enabled for ARP.

To manage this feature in the ONTAP CLI, you can use the `security anti-ransomware volume` command. You can also use the `volume modify` command with the `-anti-ransomware` parameter.
.Before you begin

* You must have a storage VM enabled for NFS or SMB (or both).
* The xref:index.html[correct license] must be installed for your ONTAP version.
* You must have NAS workload with clients configured.
* The volume you want to set ARP on needs to be protected must have an active link:../concepts/namespaces-junction-points-concept.html[junction path^].
* It's recommended you configure the EMS system to send email notifications, which will include notices of ARP activity. For more information, see link:../error-messages/configure-ems-events-send-email-task.html[Configure EMS events to send email notifications].
* Beginning in ONTAP 9.13.1, it's recommended that you enable multi-admin verification (MAV) so that two or more authenticated user admins are required for Autonomous Ransomware Protection (ARP) configuration. For more information, see link:../multi-admin-verify/enable-disable-task.html[Enable multi-admin verification^].

.Steps

[role="tabbed-block"]
====
.System Manager
--
. Click *Storage > Volumes* and then select the volume you want to protect.
. In the *Security* tab of the *Volumes* overview, click *Status* to switch from Disabled to Enabled in learning-mode in the *Anti-ransomware* box.
. Select *Storage > Volumes*, then select the volume you want to protect.
. In the *Security* tab of the *Volumes* overview, select *Status* to switch from Disabled to Enabled in learning-mode in the *Anti-ransomware* box.
. When the learning period is over, switch ARP to active mode.
+
NOTE: If you have upgraded to ONTAP 9.13.1, ARP automatically determines the optimal learning period interval and automates the switch. You can link:../anti-ransomware/enable-default-task.html[disable this setting on the associated storage VM] if you want to control the learning mode to active mode switch manually.
NOTE: Beginning with ONTAP 9.13.1, ARP automatically determines the optimal learning period interval and automates the switch. You can link:../anti-ransomware/enable-default-task.html[disable this setting on the associated storage VM] if you want to control the learning mode to active mode switch manually.
.. Click *Storage > Volumes* and then select the volume that is ready for active mode.
.. In the *Security* tab of the *Volumes* overview, click *Switch* to active mode in the Anti-ransomware box.
. You can always verify the ARP state of the volume in the *Anti-ransomware* box.
To display ARP status for all volumes: In the *Volumes* pane, click *Show/Hide*, then ensure that *Anti-ransomware* status is checked.
.. Select *Storage > Volumes* and then select the volume that is ready for active mode.
.. In the *Security* tab of the *Volumes* overview, select *Switch* to active mode in the Anti-ransomware box.
. You can verify the ARP state of the volume in the *Anti-ransomware* box.
+
To display ARP status for all volumes: In the *Volumes* pane, select *Show/Hide*, then ensure that *Anti-ransomware* status is checked.
--
.CLI
--
.Enable ARP on an existing volume
. Modify an existing volume to enable ransomware protection in learning mode:
+
`security anti-ransomware volume dry-run -volume _vol_name_ -vserver _svm_name_`
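Review bot: The junction-path bullet under `.Before you begin` is garbled: `The volume you want to set ARP on needs to be protected must have an active ...` merges two phrasings into one sentence. Suggest "The volume you want to protect must have an active junction path." The bullet above it is missing an article ("You must have a NAS workload with clients configured").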
Expand All @@ -79,15 +68,28 @@ You can also enable ransomware protection with the `volume modify` command:
+
`volume modify -volume _vol_name_ -vserver _svm_name_ -anti-ransomware-state dry-run`
+
At the CLI, you can also create a new volume with anti-ransomware protection enabled before provisioning data.
If you upgraded to ONTAP 9.13.1 or later, adaptive learning is enabled so that the change to active state is done automatically. If you do not want this behavior to be automatically enabled, change the setting at the SVM level on all associated volumes:
+
`volume create -volume _vol_name_ -vserver _svm_name_ -aggregate _aggr_name_ -size _nn_ -anti-ransomware-state dry-run -junction-path /_path_name_`
`vserver modify _svm_name_ -anti-ransomware-auto-switch-from-learning-to-enabled false`
. When the learning period is over, modify the protected volume to switch to active mode if not already done automatically:
+
[NOTE]
You should always enable ARP initially in the dry-run (learning mode) state. Beginning with the active state can lead to excessive false positive reports.
`security anti-ransomware volume enable -volume _vol_name_ -vserver _svm_name_`
+
You can also switch to active mode with the modify volume command:
+
`volume modify -volume _vol_name_ -vserver _svm_name_ -anti-ransomware-state active`
. Verify the ARP state of the volume.
+
`security anti-ransomware volume show`
.Enable ARP on a new volume
. Create a new volume with anti-ransomware protection enabled before provisioning data.
+
If you upgraded to ONTAP 9.13.1 or later, adaptive learning is enabled so that the change to active state is done automatically. If you do not want this behavior to be automatically enabled, change the setting at the Vserver level on all associated volumes:
`volume create -volume _vol_name_ -vserver _svm_name_ -aggregate _aggr_name_ -size _nn_ -anti-ransomware-state dry-run -junction-path /_path_name_`
+
If you upgraded to ONTAP 9.13.1 or later, adaptive learning is enabled so that the change to active state is done automatically. If you do not want this behavior to be automatically enabled, change the setting at the SVM level on all associated volumes:
+
`vserver modify _svm_name_ -anti-ransomware-auto-switch-from-learning-to-enabled false`
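Review bot: The sentence "change the setting at the SVM level on all associated volumes" is ambiguous next to a command that only modifies the SVM (`vserver modify _svm_name_ -anti-ransomware-auto-switch-from-learning-to-enabled false`); state whether the SVM setting then covers every volume in it or whether each volume needs a further step. The same paragraph and command now appear under both "Enable ARP on an existing volume" and "Enable ARP on a new volume", so consider stating it once ahead of the two procedures. The switch-to-active step also says "the modify volume command" where the command shown is `volume modify`.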
Expand All @@ -104,6 +106,8 @@ You can also switch to active mode with the modify volume command:
`security anti-ransomware volume show`
--
====

// 18 may 2023, ontapdoc-1046
// 2023-04-06, ONTAPDOC-931
// 2023 Mar 06, Git Issue 826
// 2022-08-25, BURT 1499112
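Review bot: In the added line `// 18 may 2023, ontapdoc-1046` the ticket key is lowercase while the next line writes `ONTAPDOC-931`, and the date format differs from `2023-04-06`. Suggest `// 2023-05-18, ONTAPDOC-1046`.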