NetApp Knowledgebase

What is the recommended value for ONTAP Vscan offbox timeout settings?

Applies to

  • ONTAP 9
  • Antivirus

Answer

There are 2 recommendations for optimizing timeouts for vscan:

  • Set the ONTAP 'vserver vscan scanner-pool' policy.
  • Set the Vscan vendor-dependent timeout value.

Ultimately, the timeout recommendations are published in various Technical Reports and in the best practices provided by the Vscan vendors.


The following are the various Technical Reports:

  • TR-4286: Antivirus Solution Guide for Clustered Data ONTAP 8.2.1: McAfee
  • TR-4304: Antivirus Solution Guide for Clustered Data ONTAP 8.2.1: Symantec
  • TR-4309: Antivirus Solution Guide for Clustered Data ONTAP 8.2.1: Sophos
  • TR-4312: Antivirus Solution Guide for Clustered Data ONTAP 8.2.1: Trend Micro

What should I set the Vscan scanner-pool timeouts to?

NetApp’s general guideline is to ensure the vendor vscan-engine timeout values are lower than the scanner-pool Request Service Timeout (default 30s) value.

The following are the recommended ‘vserver vscan scanner-pool’ timeout settings (ONTAP 9.3 example):

::*> vscan scanner-pool show -instance
                                         Vserver: svm1
                                    Scanner Pool: pool1
                                  Applied Policy: primary
                                  Current Status: on
              Cluster on Which Policy Is Applied: node1
                       Scanner Pool Config Owner: vserver
            List of IPs of Allowed Vscan Servers: 10.63.119.140
     List of Host Names of Allowed Vscan Servers: 10.63.119.140
                        List of Privileged Users: domain\administrator
                         Request Service Timeout: 30s
                              Scan Queue Timeout: 20s
                           Session Setup Timeout: 10s
                        Session Teardown Timeout: 10s
Max Number of Consecutive Session Setup Attempts: 5

What does each value mean?

  • request-timeout: The maximum time to wait for the response to a scan request.
  • scan-queue-timeout: The maximum time a scan request may spend in the scan engine's queue before it is serviced.
  • session-setup-timeout: The maximum time to wait for a response to a session-setup message.
  • session-teardown-timeout: The maximum time to wait for a response to a session-teardown message, or for any message to be received for a session ID, after the underlying connection has been disconnected.
  • max-session-setup-retries: The maximum number of times session setup for a session ID may be retried; this applies to consecutive retry failures only.

The general recommendation is to NOT change these timeout values.

They have been optimally set as default. However, there could be certain situations where these values may need to be changed.

What should I set the vendor scan-timeouts to?

The official NetApp recommendation is to set the scan timeout value lower than our defined Request Service Timeout, but ultimately those are based on the different vendor recommendations.


At the time of publishing, these are the currently published vendor timeout values.

AV vendor      Scan-timeout value
Symantec       2/3* req_timeout
McAfee         25 seconds
Sophos         60 seconds **
Kaspersky      60 seconds **
Trend Micro    24 seconds

* Based off Best Practices for implementing Symantec Protection Engine for Network Attached Storage with a NetApp File

** NetApp has recommended this value to be below 30 seconds (ideally 5-10 seconds below the Request Service Timeout)
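
An added example (not NetApp's code) that applies both checks from this article to saved 'vscan scanner-pool show -instance' output: it reports scanner-pool fields that differ from the recommended values shown above, and compares each fixed vendor scan-timeout from the table with the pool's Request Service Timeout. The function names, the OK/WARN/FAIL labels and the sample output are assumptions made for illustration; Symantec is left out because its value is relative to req_timeout rather than a fixed number.

```python
import re

# Recommended scanner-pool values as shown in the article's ONTAP 9.3 output.
RECOMMENDED = {
    "Request Service Timeout": "30s",
    "Scan Queue Timeout": "20s",
    "Session Setup Timeout": "10s",
    "Session Teardown Timeout": "10s",
    "Max Number of Consecutive Session Setup Attempts": "5",
}
# Fixed vendor scan-timeouts in seconds, from the article's table.
VENDOR_TIMEOUTS = {"McAfee": 25, "Sophos": 60, "Kaspersky": 60, "Trend Micro": 24}
MIN_MARGIN = 5  # article: ideally 5-10 seconds below Request Service Timeout

# Constructed sample input: a pool whose Scan Queue Timeout was changed.
SAMPLE_OUTPUT = """\
                                         Vserver: svm1
                                    Scanner Pool: pool1
                         Request Service Timeout: 30s
                              Scan Queue Timeout: 45s
                           Session Setup Timeout: 10s
                        Session Teardown Timeout: 10s
Max Number of Consecutive Session Setup Attempts: 5
"""

def parse_pools(text):
    """Return one {field: value} dict per scanner pool in 'show -instance' output."""
    pools = []
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not (key and sep and value):
            continue  # blank lines, the CLI prompt line, empty fields
        if key == "Vserver":
            pools.append({})  # each pool record starts with its Vserver line
        if pools:
            pools[-1][key] = value
    return pools

def drift(pool):
    """Fields whose value differs from the recommended setting."""
    return {k: pool.get(k) for k, v in RECOMMENDED.items() if pool.get(k) != v}

def check_vendors(pool, vendors=VENDOR_TIMEOUTS, min_margin=MIN_MARGIN):
    """Classify each vendor scan-timeout against the pool's request timeout."""
    request = int(re.fullmatch(r"(\d+)s", pool["Request Service Timeout"]).group(1))
    result = {}
    for vendor, scan in vendors.items():
        margin = request - scan  # must be positive: vendor value has to be lower
        result[vendor] = "FAIL" if margin <= 0 else "WARN" if margin < min_margin else "OK"
    return result
```

With the 30s Request Service Timeout, the 60-second Sophos and Kaspersky values are classified FAIL, which matches the ** footnote's recommendation to bring them below 30 seconds.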