- ONTAP 9
There are 2 recommendations for optimizing timeouts for vscan:
- Set ONTAP 'vserver: vscan scanner-pool' policy
- Vscan vendor dependent timeout value.
Ultimately, the timeout recommendations are published in various Technical Reports and Vscan vendor provided best practices.
The following are the various Technical Reports:
- TR-4286: Antivirus Solution Guide for Clustered Data ONTAP 8.2.1: McAfee
- TR-4304: Antivirus Solution Guide for Clustered Data ONTAP 8.2.1: Symantec
- TR-4309 Antivirus Solution Guide for Clustered Data ONTAP 8.2.1: Sophos
- TR-4312: Antivirus Solution Guide for Clustered Data ONTAP 8.2.1: Trend Micro
What should I set the Vscan scanner-pool timeouts to?
NetApp’s general guideline is to ensure the vendor vscan-engine timeout values are lower than the scanner-pool Request Service Timeout (default 30s) value.
The following are recommended settings for ‘vserver vscan scanner-pool’ timeout settings. (9.3 example)
::*> vscan scanner-pool show -instance
Scanner Pool: pool1
Applied Policy: primary
Current Status: on
Cluster on Which Policy Is Applied: node1
Scanner Pool Config Owner: vserver
List of IPs of Allowed Vscan Servers: 10.63.119.140
List of Host Names of Allowed Vscan Servers: 10.63.119.140
List of Privileged Users: domain\administrator
Request Service Timeout: 30s
Scan Queue Timeout: 20s
Session Setup Timeout: 10s
Session Teardown Timeout: 10s
Max Number of Consecutive Session Setup Attempts: 5
What does each value mean?
- request-timeout: Refers to the max wait-time for response of a scan-request.
- scan-queue-timeout: Refers to the max time spent by a scan-request in scan-engine's queue, before it is serviced.
- session-setup-timeout: Refers to the max wait-time for a response for session-setup-message.
- session-teardown-timeout: Refers to the max wait-time for a response for a session-teardown-message, or for any message to be received for a session-id, after the underlying connection has been disconnected.
- max-session-setup-retries: Refers to the max times session-setup for a session-id may be retried; case of consecutive retry failures only.
The general recommendation is to NOT change these timeout values.
They have been optimally set as default. However, there could be certain situations where these values may need to be changed.
What should I set the vendor scan-timeouts to?
The official NetApp recommendation is to set the scan timeout value lower than our defined Request Service Timeout, but ultimately those are based on the different vendor recommendations.
At time of publish, these are the currently published vendor timeout values.
|AV vendor||Scan-timeout Value|
|Sophos||60 seconds **|
|Kaspersky||60 seconds **|
|Trend Micro||24 seconds|
** NetApp has recommended this value to be below 30 seconds (ideally 5-10 seconds below the
Request Service Timeout)