Skip to main content
NetApp Knowledge Base

Varonis Fpolicy Best Practice and Recommendations

Views:
6,934
Visibility:
Public
Votes:
5
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • CIFS
  • NFS
  • Varonis
  • FPolicy

Answer

What are some Best Practices and Recommendations pertaining to Varonis Fpolicy Deployments?
Varonis Specific Recommendations:

These recommendations are to be done in conjunction per Varonis guidelines and may require the customer reach out to Varonis for further details\clarifications.

NetApp Specific Recommendations:
  • For Varonis External Engines, set send-buffer-size  to 7895160

::*> vserver fpolicy policy external-engine modify -vserver <vserver> -engine-name <engine-name> -send-buffer-size 7895160

  • To lessen the potential impact of latency, with Varonis guidance, set abort timeout lower, for example: 5s.

If there is a large amount of latency between the Collector and the SVM, it can cause a delay in the TCP acknowledgements, and potential impact to latency in very rare occasions.

To decrease end-user latency in cases where there are connection issues or CPU starvation on the collector, it is recommended to lower the "Timeout for Aborting a Request" from 40 to 5 seconds. 

::*> vserver fpolicy policy external-engine modify -vserver <vserver> -engine-name <engine-name> -reqs-abort-timeout 5s

Please refer to the following documentation: Vserver fpolicy policy external-engine commands - vserver fpolicy policy external-engine show.

(For more information on this recommendation, please review Varonis KB: Fpolicy-Impacts-NetApp-Performance-Latency and NetApp CM Monitoring Results in NetApp Client Latency

 

  • To lessen the potential impact of latency, with Varonis guidance, set fpolicy event filters.

Fpolicy Event filters

During normal activity, fpolicy can be expected to cause latency. In order to minimize this, we can filter the fpolicy to not send events that we do not monitor. We recommend that "first-read" and "first-write" are both filtered.

::> vserver fpolicy policy event create -vserver <Vserver Name> -event-name fp_event_varonis_cifs
-file-operations create,create_dir,delete,delete_dir,open,read,write,rename,rename_dir,setattr -protocol cifs
-filters first-read,first-write,open-with-delete-intent

General Recommendations:
  • Per TR-4429 Varonis DatAdvantage Best Practices

    • Review the TR above for more Best Practices, including:

To avoid performance issues, deactivate FPolicy during the following scenarios:
Note: Activation of an FPolicy can increase the usage of resources on those stores and affect the performance of applications that use them.
• When performing large data migrations from one NetApp storage system to another (large write or modification of files)
• When upgrading your release of ONTAP to a newer version
• When performing a Varonis upgrade (both IDU and probes or collectors)

After performing any of these actions, you can safely activate FPolicy.
Note: Manage VM datastores or SQL Server datastores with FPolicy with caution, because such stores are not accessed by humans and do not host human-generated data

 

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.