NetApp with ONTAP OS supports antivirus integration known as Off-box Antivirus Scanning or VSCAN. With VSCAN, the storage system scans each new file with an antivirus system. VSCAN helps increase corporate data security.
ONTAP supports the following antivirus software:
- Trend Micro
- Computer Associates
ONTAP also supports FPolicy technology, which can prevent a file from being written or read based on its file extension or file content header.
This time I’d like to discuss an example of CIFS (SMB) integration with the McAfee antivirus system.
In this example I’m going to show how to set up integration with McAfee. Here are the minimum requirements for McAfee; they are approximately the same for other AVs:
- MS Windows Server 2008 or higher
- NetApp storage with ONTAP 8 or higher
- SMB v2 or higher (CIFS v1.0 not supported)
- NetApp ONTAP AV Connector (Download page)
- McAfee VirusScan Enterprise for Storage (VSEfS)
- For more details see NetApp Support Matrix Tool.
Diagram of antivirus integration with ONTAP system.
To set up such an integration, we will need to configure the following software components:
We need to set up McAfee VSEfS, which can work in two modes: as an independent product or as managed by McAfee ePolicy Orchestrator (McAfee ePO). In this article, I will discuss how to configure it as an independent product. To set up and configure VSEfS, we need the following already installed and configured:
- McAfee VirusScan Enterprise (VSE). Download VSE
- McAfee ePolicy Orchestrator (ePO), not needed if VirusScan is used as an independent product.
First, we need to configure a few SCAN servers to balance the workload between them. I will install each SCAN server on a separate Windows Server with McAfee VSE, McAfee VSEfS, and ONTAP AV Connector. In this article, we will create three SCAN servers: SCAN1, SCAN2, SCAN3.
Next, we need to create the user scanuser in our domain; in this example the domain is NetApp.
After ONTAP has started, we need to create a cluster management LIF and an SVM management LIF, set up AD integration, and configure file shares and data LIFs for the SMB protocol. Here, we will have the NCluster-mgmt LIF for cluster management and SVM01-mgmt for SVM management.
NCluster::> network interface create -vserver NCluster -home-node NCluster-01 -home-port e0M -role data -protocols none -lif NCluster-mgmt -address 10.0.0.100 -netmask 255.0.0.0
NCluster::> network interface create -vserver SVM01 -home-node NCluster-01 -home-port e0M -role data -protocols none -lif SVM01-mgmt -address 10.0.0.105 -netmask 255.0.0.0
NCluster::> domain-tunnel create -vserver SVM01
NCluster::> security login create -username NetApp\scanuser -application ontapi -authmethod domain -role readonly -vserver NCluster
NCluster::> security login create -username NetApp\scanuser -application ontapi -authmethod domain -role readonly -vserver SVM01
ONTAP AV Connector
On each SCAN server, we will install the ONTAP AV Connector. At the end of the installation, I will add the AD login and password for the user scanuser.
Then configure the management LIFs:
Start → All Programs → NetApp → ONTAP AV Connector → Configure ONTAP Management LIFs
In the “Management LIF” field, we add the DNS name or IP address of NCluster-mgmt or SVM01-mgmt. In the Account field, we enter NetApp\scanuser. Then press “Test”, and “Update” or “Save” once the test has finished.
McAfee Network Appliance Filer AV Scanner Administrator Account
Assuming you have already installed McAfee on the three SCAN servers, on each SCAN server we log in as an administrator, open the VirusScan Console from the Windows taskbar, open Network Appliance Filer AV Scanner, and choose the tab called “Network Appliance Filers.” In the field “This Server is processing scan request for these filers”, press the “Add” button, enter “127.0.0.1” in the address field, and then add the scanuser credentials.
Returning to ONTAP console
Now we configure off-box scanning, enable it, and create and apply scan policies. SCAN1, SCAN2, and SCAN3 are the Windows servers with McAfee VSE, VSEfS, and ONTAP AV Connector installed.
First, we create a pool of AV servers:
NCluster::> vserver vscan scanner-pool create -vserver SVM01 -scanner-pool POOL1 -servers SCAN1,SCAN2,SCAN3 -privileged-users NetApp\scanuser
NCluster::> vserver vscan scanner-pool show
         Scanner    Pool                 Privileged      Scanner
Vserver  Pool       Owner   Servers      Users           Policy
-------- ---------- ------- ------------ --------------- -------
SVM01    POOL1      vserver SCAN1,       NetApp\scanuser idle
                            SCAN2,
                            SCAN3
NCluster::> vserver vscan scanner-pool show -instance
                             Vserver: SVM01
                        Scanner Pool: POOL1
                      Applied Policy: idle
                      Current Status: off
           Scanner Pool Config Owner: vserver
List of IPs of Allowed Vscan Servers: SCAN1, SCAN2, SCAN3
            List of Privileged Users: NetApp\scanuser
Second, we apply a scanner policy:
NCluster::> vserver vscan scanner-pool apply-policy -vserver SVM01 -scanner-pool POOL1 -scanner-policy primary
NCluster::> vserver vscan enable -vserver SVM01
NCluster::> vserver vscan connection-status show
                     Connected    Connected
Vserver   Node       Server-Count Servers
--------- ---------- ------------ ------------------------
SVM01     NClusterN1 3            SCAN1, SCAN2, SCAN3
NCluster::> vserver vscan on-access-policy show
          Policy    Policy                            File-Ext   Policy
Vserver   Name      Owner   Protocol Paths Excluded   Excluded   Status
--------- --------- ------- -------- ---------------- ---------- ------
NCluster  default_  cluster CIFS     -                -          off
          CIFS
SVM01     default_  cluster CIFS     -                -          on
          CIFS
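The `show -instance` output above reports `Applied Policy: idle` and `Current Status: off` until the policy is applied and vscan is enabled, so a freshly created pool is not scanning anything yet. The following check is an added example, not part of the original article or of any NetApp tooling: it parses that output and flags pools that are not active or whose allowed scanner list or privileged users differ from this article's setup. The function names, the second record in the sample, and the `on` status value are assumptions.

```python
EXPECTED_SERVERS = {"SCAN1", "SCAN2", "SCAN3"}   # scanner hosts from the article
EXPECTED_USER = r"NetApp\scanuser"               # privileged user from the article

# Constructed sample: the article's post-create record plus a hypothetical drifted pool.
SAMPLE = """\
                             Vserver: SVM01
                        Scanner Pool: POOL1
                      Applied Policy: idle
                      Current Status: off
List of IPs of Allowed Vscan Servers: SCAN1, SCAN2, SCAN3
            List of Privileged Users: NetApp\\scanuser

                             Vserver: SVM02
                        Scanner Pool: POOL2
                      Applied Policy: primary
                      Current Status: on
List of IPs of Allowed Vscan Servers: SCAN1, SCAN2, TESTBOX
            List of Privileged Users: NetApp\\scanuser
"""

def parse_pools(text):
    """Split `scanner-pool show -instance` output into one dict per pool."""
    pools = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or "::>" in line:      # skip blank lines and CLI prompt lines
            continue
        if key.strip() == "Vserver":      # every record starts with its Vserver line
            pools.append({})
        if pools:
            pools[-1][key.strip()] = value.strip()
    return pools

def _items(pool, field):
    return {v.strip() for v in pool.get(field, "").split(",") if v.strip()}

def audit_pool(pool):
    """Return findings for one pool; an empty list means it matches the article's setup."""
    findings = []
    if pool.get("Applied Policy") != "primary":
        findings.append("policy not primary: " + pool.get("Applied Policy", "missing"))
    if pool.get("Current Status") != "on":   # "on" is the assumed enabled value
        findings.append("status not on: " + pool.get("Current Status", "missing"))
    servers = _items(pool, "List of IPs of Allowed Vscan Servers")
    findings += ["expected scanner missing: " + s for s in sorted(EXPECTED_SERVERS - servers)]
    findings += ["unexpected scanner allowed: " + s for s in sorted(servers - EXPECTED_SERVERS)]
    users = _items(pool, "List of Privileged Users")
    findings += ["unexpected privileged user: " + u for u in sorted(users - {EXPECTED_USER})]
    return findings

def audit(text):
    """Map 'Vserver/Pool' to its list of findings."""
    return {f'{p.get("Vserver")}/{p.get("Scanner Pool")}': audit_pool(p) for p in parse_pools(text)}
```

Calling `audit()` on the saved CLI output returns one entry per pool; any non-empty list is worth reviewing before relying on the share being scanned.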
No other licensing is needed on the ONTAP side to enable and use FPolicy and off-box antivirus scanning; this is basic functionality available in any ONTAP system. However, you might need to license additional functionality on the antivirus side, so please check with your antivirus vendor.
Here are some advantages of integrating the storage system with your corporate AV:
- NAS integration with antivirus allows you to have one antivirus system on your desktops and another for your NAS shares.
- There is no need to do NAS scanning on workstations and waste their limited resources.
- All NAS data is protected: there is no way for a user with advanced privileges to connect to the file share without antivirus protection and put unscanned files there.