Skip to main content
NetApp Knowledge Base

FAQ: FPolicy: Auditing

  1. Last updated
  2. Save as PDF
Views:
7,512
Visibility:
Public
Votes:
4
Category:
data-ontap-8
Specialty:
nas
Last Updated:

 

Applies to

  • ONTAP 9
  • Fpolicy

Answer

Overview:
  • FPolicy Auditing is a software-based solution for data-usage management
  • With it, organizations can see, understand, and manage who is using data to control data access and enforce compliance with data-usage policies
  •  Auditing assists in addressing the growing need for regulating data usage within organizations, enabling full visibility and accountability of data usage for legal, financial, data-security, intellectual-property, and data-privacy purposes
  • Although this can be done natively on the controller, an external FPolicy engine provides enhanced performance by allowing ONTAP to offload the Auditing tasks
  • Auditing is guaranteed, meaning the FPolicy server must acknowledge it has received the auditing notification
Configuration:
  • The following table shows what events are supported for what protocol:
NFSv3 NFSv4 CIFS
create close close
create_dir create create
delete create_dir create_dir
delete_dir delete delete
link delete_dir delete_dir
lookup getattr getattr
read link open
write lookup read
rename open write
rename_dir read rename
setattr    write rename_dir
symlink rename setattr
  rename_dir  
  setattr  
  symlink  

 

  • Until ONTAP 9.2, first_read and first_write filters are only recommended for CIFS workload since Auditing NFS reads/writes prior to ONTAP 9.2 could result in performance issues
  • Since Ontap 9.2 Onward,  first_read and first_write filters can be used with both CIFS & NFS; see RFE:858682 for more details.

 

Troubleshooting:
  • Disable the policy to verify if something outside of FPolicy is causing the issue
  • If the policy is new or recently modified, verify the configuration of the policy using TR-4429.
Useful commands/logs:

  • fpolicy policy show

  • fpolicy policy scope show

  • fpolicy policy event show

  • fpolicy policy external-engine show

  • fpolicy show-engine

  • /etc/log/ems

  • /etc/log/mlog/fpolicy.log*

  • /etc/log/mlog/mgwd.log*

  • Packet trace collected during the issue on port used to communicate to the FPolicy server.

  • AutoSupport Sections

    • Full autosupports (weekly and Manual)

      • fpolicy policy show = FPOLICY-POLICY-STATUS.XML

      • fpolicy policy scope show = FPOLICY-SCOPE.XML

      • fpolicy policy event show = FPOLICY-EVENT.XML

      • fpolicy policy external-engine show = FPOLICY-EXT-ENGINE.XML

      • fpolicy show-engine = FPOLICY-SERVER-STATUS.XML

    • Daily Management and Manual autosupports

      • /etc/log/mlog/fpolicy.log* = FPOLICY-MLOG-TXT.GZ

Common KBs for auditing issues:

Additional Information

  • TR-4429: FPolicy Solution Guide for Clustered Data ONTAP: Varonis DatAdvantage
  • TR-4473: FPolicy Solution Guide for Clustered Data ONTAP: Veritas Data Insight
  • TR-4696: FPolicy Solution Guide for Clustered Data ONTAP: STEALTHbits File Activity Monitor
  • Netwrix *Note: External site. Not NetApp documentation
  • 1225695: Fpolicy has no support for NFSv4.1

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.