Netwrix/Stealthbits Fpolicy Best Practice and Recommendations

What are some Best Practices and Recommendations pertaining to Netwrix Fpolicy Deployments?

• This guide is critical in ensuring that you are reveiwing both the Netwrix and NetApp side Best Practices.
• Netapp Fpolicy Deployments Best Practices for Netwrix Activity Monitor

Netwrix Specific Recommendations:

These recommendations are to be done in conjunction per Netwrix guidelines and may require the customer reach out to Netwrix for further details\clarifications.

• Per Netwrix guidelines, ensure Netwrix version is up to date including the enhancements for this hotifx (SAM_6.0_029)

  • Customers must engage with Netwrix Support directly in order to obtain more information about this hotfix.

  • A copy of hotfix information is attached here SAM_6.0_029 (Please contact Netwrix for latest information)

  • The new version will handle burst of activity events better, optimized for improved processing of events and other enhancements.

    Please reach out to Netwrix to ensure you are on the best release available.

• Other Netwrix specific Best Practices

  • Consider using multiple primary servers for scale out and fault tolerance purposes.

  • Use low-latency links between ONTAP and Activity Monitor Agent. For example, Activity Monitor Agents should be located in the same datacenter as the monitored NetApp appliances.

  • Reduce the monitoring scope (What operations, shares, volumes are being monitored). It is not recommended to monitor Directory Read operations on loaded servers.

  • Ensure that each ONTAP cluster node has a LIF per SVM to connect to Agents.

NetApp Specific Recommendations:

• Upgrade to the appropriate versions of ONTAP that have fixes for known fpolicy related issues

  • 1438207 - FPolicy might stop sending screen requests to the external engine if it enters a throttling state

• For Netwrix External Engines, set send-buffer-size  to 7895160

  • Netwrix best practice is to set to maximum value: "The FPolicy Send-Buffer size is set to 7895160"

vserver fpolicy policy external-engine modify -vserver <vserver> -engine-name <engine-name> send-buffer-size 7895160

• For more information on how to set send-buffer size:
  • How to calculate send buffer for ONTAP 9 FPolicy
  • Write EAGAIN errors found in EMS and Fpolicy.log

• To lessen the potential impact of latency, with Netwrix guidance, set abort timeout lower, for example: 10s.

If there is a large amount of latency between the Agent and the SVM, it can cause a delay in the TCP acknowledgements, and potential impact to latency in very rare occasions.

To decrease end-user latency in cases where there are connection issues or CPU starvation on the Agent, it is recommended to lower the "Timeout for Aborting a Request" from 40 to 10 seconds. 

vserver fpolicy policy external-engine modify -vserver <vserver -engine-name <engine-name> -reqs-abort-timeout 10s

Please refer to the following documentation: Vserver fpolicy policy external-engine commands - vserver fpolicy policy external-engine show.
 

General Recommendations:

• Per TR-4696 Netwrix/Stealthbits Best Practices

  • Review the TR above for more Best Practices, including:

7.5 Managing FPolicy Workflow and Dependency on Other Technologies

NetApp recommends disabling an FPolicy policy before making any configuration changes. For example,
if you want to add or modify an IP address in the external engine configured for the enabled policy, then
first disable the policy.
If you configure FPolicy to monitor NetApp FlexCache® volumes, NetApp recommends that you do not
configure FPolicy to monitor read and getattr file operations. Monitoring these operations in ONTAP
requires the retrieval of inode-to-path (I2P) data. Because I2P data cannot be retrieved from FlexCache
volumes, it must be retrieved from the origin volume. Therefore, monitoring these operations eliminates
the performance benefits that FlexCache can provide.
When both FPolicy and an off-box antivirus (AV) solution are deployed, the AV solution receives
notifications first. FPolicy processing starts only after AV scanning is complete. A slow AV scanner could
affect overall performance, so AV solutions must be sized properly.
When defining the scope, add all the shares you want to monitor or audit into the share/include list. Turn
off monitoring on the file server if you do not want to monitor the shares. Disabling FPolicy on the SVM is
not helpful because the Netwrix Activity Monitor activity agent periodically checks on the file server
and automatically disables or enables FPolicy if it notices a disconnection (if the Enable and connect
FPolicy option was selected).

7.6 Sizing Considerations

FPolicy performs inline monitoring of CIFS operations, sends notifications to the external server, and
waits for a response, depending on the mode of external engine communication (synchronous or
asynchronous). This process affects the performance of CIFS access and CPU resources. To mitigate
any issues, NetApp recommends assessing and sizing the environment before enabling FPolicy.
Performance is affected by the number of users, workload characteristics such as operations per user,
data size, and network latency.

8 Netwrix File Activity Monitor Best Practices

The following best practices are recommended when using the Netwrix File Activity Monitor with a
NetApp file server:
• Restrain the FPolicy configuration to specific volumes, shares, and operations to decrease the impact
on the SVM.
• Consider deploying multiple Netwrix Activity Monitor activity agents for load balancing and fault
tolerance.
• Use the Enable and Connect FPolicy option to keep the SVM connected and consistently sending
events to the Netwrix Activity Monitor activity agents.