Skip to main content
NetApp Response to Russia-Ukraine Cyber Threat
In response to the recent rise in cyber threat due to the Russian-Ukraine crisis, NetApp is actively monitoring the global security intelligence and updating our cybersecurity measures. We follow U.S. Federal Government guidance and remain on high alert. Customers are encouraged to monitor the Cybersecurity and Infrastructure Security (CISA) website for new information as it develops and remain on high alert.
NetApp Knowledge Base

What is the performance impact on NAS when using FPolicy in ONTAP?

Last Updated:

Applies to

  • Clustered Data ONTAP 8     
  • ONTAP 9 


  • Performance overhead of FPolicy depends on many factors.

What factors does the performance of an FPolicy depend on?

  • Number of Operations (like read, open, close, and so on) being monitored
  • Number of registered FPolicy servers (load sharing)
  • Number of Policies screening the same operation
  • Network bandwidth between storage system and FPolicy server (round-trip time of the screen request)
  • Response time of the FPolicy server
  • Please ensure you follow best practices and sizing considerations that are laid out on our Whitepapers and Technical Reports for the specific Fpolicy solution
  • Consider how certain activities may impact Fpolicy performance, deactivate FPolicy during the following scenarios:
    • When performing large data migrations from one NetApp storage system to another (large write or modification of files)
    • Large scale maintenance that may result in large sustained spikes in normal IO patterns
    • Use Fpolicy with caution in situations where VM datastores or SQL Server datastores are being notified on, because such stores are not accessed by humans and do not host human-generated data. Activation of an FPolicy can increase the usage of resources on those stores and affect the performance of applications that use them.
  • Prior to 9.2, NFSv3 traffic will be impacted more than CIFS traffic, since there is no equivalent of first_read and first_write filter
     for NFS. This means that instead of just the first read operation being scanned, all packets for that read are scanned. (See Bug# 858682)
  • See KB Fpolicy EAGAIN errors seen in fpolicy.log for ways to detect and mitigate impact from overloaded FPolicy servers.
    Latencies and requests can be seen in Perfstat or via the CLI:
    • ONTAP:
      ::*> statistics start -object fpolicy -sample-id vserver
      ::*> statistics start -object fpolicy_policy -sample-id policy
      ::*> statistics start -object fpolicy_server -sample-id server

      ::*> statistics show -sample-id <sample-id_name> (will print output)


Active IQ System Risk Detection

For customers who have enabled AutoSupport™ on their storage systems, the Active IQ Portal provides detailed System Risk reports at the customer and site and system levels. The reports show systems that have specific risks as well as severity levels and mitigation action plans. You may be reading this article as a result of one of those alerts.

If fpolicy is enabled for your system and no fpolicy servers are connected, we may be flagging your system to prevent any future Performance impact as a result of an enabled but disconnected Fpolicy Solution. Corrective action should be done to resolve the condition or remove Fpolicy configuration if no longer utilized.




Scan to view the article on your device