How ARP creates Snapshots
Applies to
- ONTAP version 9.10.1 or later
- Anti-ransomware or Autonomous Ransomware Protection (ARP) or Anti_Ransomware or ARW
Answer
Options default value:
arw.snap.create.interval.hours
= 4 hoursarw.snap.new.extns.interval.hours
= 48 hours (Beginning with ONTAP 9.13)
A snapshot for new-extension is created if all conditions below are true:
- The last high-entropy snapshot is more than 30 minutes old.
- The last new-extension snapshot is more than 4 hours old.
- The last new-extension snapshot is more than 48 hours old. (Beginning with ONTAP 9.13)
Scenario-1: Only high-entropy data. No new file extension.
- T: Snapshot created due to high-entropy data.
- T + 4 hour: Snapshot created due to high-entropy data.
- T + 8 hour: Snapshot created due to high-entropy data.
- T + 12 hour: Snapshot created due to high-entropy data.
- …
Scenario-2: High-entropy data and new file extensions.
Note: The further description refers to reasons a and b above.
- ONTAP 9.10, 9.11, 9.12:
- T: Snapshot created due to high-entropy data.
- T + 20 mins: A new file extension .abcd with 20+ files observed. Snapshot not created for reason a.
- T + 30 mins: A new file extension .efgh with 20+ files observed. Snapshot created. (The next snapshot for new-extension will not be created until 4 hours from this point)
- T + 40 mins: A new file extension .ijkl with 20+ files observed. Snapshot not created for reason b.
- T + 2 hours: A new file extension .mnop with 20+ files observed. Snapshot not created for reason b.
- T + 4 hours: Snapshot created due to high-entropy data.
- T + 5 hours: A new file extension .qrst with 20+ files observed. Snapshot created (The next snapshot for new-extension will not be created until 4 hours from this point)
- T + 8 hours: Snapshot created due to high-entropy data.
- …
- ONTAP 9.13 or later:
- T: Snapshot created due to high-entropy data.
- T + 20 mins: A new file extension .abcd with 20+ files observed. Snapshot not created for reason a.
- T + 30 mins: A new file extension .efgh with 20+ files observed. Snapshot created. (The next snapshot for new-extension will not be created until 48 hours from this point)
- T + 40 mins: A new file extension .ijkl with 20+ files observed. Snapshot not created for reason c.
- T + 2 hours: A new file extension .mnop with 20+ files observed. Snapshot not created for reason c.
- T + 4 hours: Snapshot created due to high-entropy data.
- T + 5 hours: A new file extension .qrst with 20+ files observed. Snapshot not created for reason c.
- T + 8 hours: Snapshot created due to high-entropy data.
- …
- T + 48 hours: Snapshot created due to high-entropy data.
- T + 48 hours + 20 mins: A new file extension .uvwx with 20+ files observed. Snapshot not created for reasons a & c.
- T + 48 hours + 30 mins: A new file extension .wxyz with 20+ files observed. Snapshot created. (The next snapshot for new-extension will not be created until 48 hours from this point)