Skip to main content
NetApp Knowledge Base

About ARW setting parameters' explanation

  1. Last updated
  2. Save as PDF
Views:
167
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
core
Last Updated:

Applies to

Answer

Q1.
What's the reasoning behind 'arw.snap.max.count' design?

A1.

  • The setting arw.snap.max.count specifies the maximum number of ARP Snapshot copies that can exist in a volume at any given time. 
  • The rationale behind allowing multiple ARP Snapshot copies is to ensure that you have several points in time to revert to, especially if an attack is suspected. 
  • This is particularly useful in scenarios where ransomware or other threats might be detected multiple times in a short period, providing a robust mechanism to restore data to a state before the attack occurred.

Q2:

What does 'arw.snap.create.interval.hours' indicate? 

A2:

  • The 'arw.snap.create.interval.hours' parameter, with a default value of 4 hours
  • It dictates that an ARP Snapshot is taken if an attack is detected more than 4 hours after the previous detection.

Q3:

How does 'arw.snap.normal.retain.interval.hours' work?

A3:

  • The 'arw.snap.normal.retain.interval.hours' parameter has a default value of 48 hours.
  •  This parameter indicates the retention period for ARP snapshots before they are automatically deleted—in other words, a snapshot is automatically deleted 48 hours after its creation. 
  • The behavior of this parameter changes based on the Attack Probability.
    • When the Attack Probability is either "low" or "moderate," snapshots are not deleted; they are retained until the attack is cleared and the probability returns to "None" 
    • For a detailed explanation of the logic, please refer directly to Understanding ARP snapshot protection and attack detection 

Q4:

Explain more about  'arw.snap.max.retain.interval.days'

A4:

  • The 'arw.snap.max.retain.interval.days' parameter is set to a default of 5 days.
  • ARP Snapshots are scheduled for deletion after this period unless the snapshots are associated with medium-level threats, which may be retained longer.

Q5:

What triggers the 'arw.surge.snap.interval.days' parameter? 
A5:

  • The 'arw.surge.snap.interval.days' parameter is activated by an IO surge.
  • It ensures that a new ARP Snapshot is created during an IO increase, even if no existing ARP Snapshots are present.

Q6:

How does 'arw.snap.new.extns.interval.hours' function? 
A6:

  • The 'arw.snap.new.extns.interval.hours' parameter triggers the creation of a new ARP Snapshot when a new file extension is detected, based on volume activity observed during learning mode.
  • If the most recent ARP Snapshot based on a new extension is older than the specified interval (default is 48 hours), a new snapshot is taken.
  • This process occurs regardless of the 'arw.snap.create.interval.hours' setting and even if there are no existing ARP Snapshots.

Q7:

Are these settings enabled by default? 
A7:

Yes, all the aforementioned settings are enabled by default, providing a standard level of data protection and recovery readiness in NetApp systems.

Additional Information

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.