To configure native file blocking, you create a policy and then configure it with a list of file extensions to block.
Before you begin
The CIFS protocol needs to be licensed and configured.
Steps
- Create a file policy by using the following CLI command:
  fpolicy create PolicyName Policytype
  Example
  To create a screening policy named "mp3blocker", enter the following command:
  fpolicy create mp3blocker screen
  FPolicy creates the file policy with the specified policy name, using the screen policy type.
- Configure the policy to monitor the mp3 extension by entering the following command:
  fpolicy extensions include set PolicyName ext-list
  Example
  To configure the policy to monitor the mp3 extension, enter the following command:
  fpolicy extensions include set mp3blocker mp3
- Set the operations and protocols monitored by the policy by entering the following command:
  fpolicy monitor {add|remove|set} PolicyName [-p protocols] [-f] op-spec
  PolicyName is the name of the policy that you want to add operations to.
  protocols is the set of protocols that you want to enable monitoring for. Use cifs to monitor CIFS requests, nfs to monitor NFS requests, or cifs,nfs to monitor both.
  -f forces the policy to be enabled even if there are no servers available to enforce the policy.
  op-spec is the list of operations you want to add.
  Example
  To replace the list of operations that the mp3blocker policy monitors for CIFS and NFS requests, enter the following command:
  fpolicy monitor set mp3blocker -p cifs,nfs create,rename
  Specify the create option to prevent creation of mp3 files. In addition, to ensure that an mp3 file is not copied onto the storage system with a different extension and renamed, also specify the rename option.
  This CLI command sets specific operations to be monitored.
- To enable mandatory screening, set the required option to on:
  fpolicy options PolicyName required on
  Example
  To enable mandatory screening on the mp3blocker policy, enter the following command:
  fpolicy options mp3blocker required on
  This CLI command makes file screening mandatory before the files can be accessed.
- Enable the FPolicy feature by entering the following command:
  fpolicy enable PolicyName [-f]
  Example
  To enable the FPolicy mp3blocker, enter the following command:
  fpolicy enable mp3blocker
  This CLI command enables the file policy.
Result
After completing the steps, if a client tries to perform an operation that uses a blocked file, the operation fails and a STATUS_ACCESS_DENIED error code is sent.
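The following is an added example, not NetApp code: a simplified Python model of the mp3blocker policy that replays constructed client requests to show why the op-spec needs rename as well as create. ScreenPolicy, replay and the request list are hypothetical names, and the model assumes a rename is judged by the file's new name.

```python
import posixpath
from dataclasses import dataclass

DENIED, OK = "STATUS_ACCESS_DENIED", "STATUS_SUCCESS"

@dataclass
class ScreenPolicy:              # hypothetical model, not an ONTAP API
    extensions: frozenset        # fpolicy extensions include set <policy> <ext-list>
    operations: frozenset        # op-spec of fpolicy monitor set
    protocols: frozenset         # -p protocols
    enabled: bool = True         # fpolicy enable <policy>

    def screen(self, protocol, op, path, new_path=None):
        """Status returned to the client for one request in this model."""
        if not self.enabled or protocol not in self.protocols:
            return OK
        if op not in self.operations:
            return OK            # operation is not monitored, so never screened
        # Assumption: a rename is judged by the name the file ends up with.
        name = new_path if op == "rename" else path
        ext = posixpath.splitext(name)[1].lstrip(".")
        return DENIED if ext in self.extensions else OK

# Constructed client requests: (protocol, operation, path, new path for rename)
REQUESTS = [
    ("cifs", "create", "song.mp3", None),
    ("cifs", "create", "song.tmp", None),
    ("cifs", "rename", "song.tmp", "song.mp3"),
    ("nfs", "create", "track.mp3", None),
    ("cifs", "create", "notes.txt", None),
]

def replay(op_spec):
    """Screen REQUESTS with an mp3 policy monitoring op_spec on cifs,nfs."""
    policy = ScreenPolicy(frozenset({"mp3"}), frozenset(op_spec.split(",")),
                          frozenset({"cifs", "nfs"}))
    return [policy.screen(*req) for req in REQUESTS]

if __name__ == "__main__":
    for spec in ("create", "create,rename"):
        print(spec, replay(spec))
```

With the op-spec create alone, the third request (the rename to song.mp3) succeeds in the model; with create,rename it is denied.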