File screening policies specify the files or directories to which you want to apply restrictions. Upon receiving a file operation request (such as open, write, create, or rename), Data ONTAP checks its file screening policies before permitting the operation.
If the policy specifies screening for that file based on its extension, the file name is sent to the file screening server to be screened. The file screening server applies policies to the file name to determine whether the storage system should allow the requested file operation. The file screening server then sends a response to the storage system to either allow or block the requested file operation.
Yes, system performance decreases while file screening is in use.
There is a master setting for all file policies, the fpolicy.enable option, which is on by default. When an individual FPolicy is newly created, it is off by default. This allows the system administrator to fully configure the policy before activating it. Whether something is actually screened depends on whether a supported external file screening server is running and accessible to the storage system. Remember that an external file screening server is a requirement in order to use FPolicy.
If you enable a policy when no file screening servers are available, nothing happens. However, if you have turned on the 'required' fpolicy option for that policy, then access to the files specified in that policy will be denied. The 'required' setting on a policy is off by default.
You can display the status of the file screening server by using the following command:

fpolicy servers show PolicyName

Data ONTAP returns the status of the file screening server for the policy you specified.
Yes, you can designate a list of secondary servers to be used when the primary file screening server is unavailable. Use the following command:
fpolicy options PolicyName secondary_servers [ server_list ]

Any FPolicy server that connects to the storage system will be a primary server unless its IP address is in the secondary server list. Secondary servers will never be used by the storage system unless all primary servers are unavailable.
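The rules above (the global fpolicy.enable switch, the per-policy enable and 'required' flags, and primary/secondary server failover) amount to a small decision procedure, and the interesting part for a defender is that a policy whose server is unreachable fails open unless 'required' is set. The following model illustrates that procedure; it is an added example written for this page, not Data ONTAP code, and the class and function names (ScreeningServer, FPolicy, decide) and the sample IP addresses are assumptions made for the illustration.

```python
# Added illustration of the FPolicy decision rules described on this page.
# Stand-alone model, not Data ONTAP code; names and addresses are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ScreeningServer:
    ip: str
    available: bool = True   # reachable from the storage system


@dataclass
class FPolicy:
    name: str
    extensions: Set[str]                  # extensions this policy screens
    enabled: bool = False                 # a new policy is off by default
    required: bool = False                # 'required' is off by default
    servers: List[ScreeningServer] = field(default_factory=list)
    secondary_ips: Set[str] = field(default_factory=set)  # secondary_servers list

    def pick_server(self) -> Optional[ScreeningServer]:
        """Any connected server whose IP is not in the secondary list is
        primary; secondaries are tried only when every primary is down."""
        primaries = [s for s in self.servers if s.ip not in self.secondary_ips]
        secondaries = [s for s in self.servers if s.ip in self.secondary_ips]
        for server in primaries + secondaries:
            if server.available:
                return server
        return None


def decide(fpolicy_enable: bool, policy: FPolicy, filename: str,
           verdicts: Dict[str, bool]) -> Tuple[str, Optional[str]]:
    """Return (outcome, IP of the server that screened the request or None).

    `verdicts` stands in for the screening server's allow (True) or block
    (False) answer, keyed by server IP."""
    if not fpolicy_enable or not policy.enabled:
        return "allow", None              # screening is not active
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in policy.extensions:
        return "allow", None              # extension not covered by the policy
    server = policy.pick_server()
    if server is None:
        # No server reachable: fail closed only when 'required' is on,
        # otherwise the operation proceeds unscreened.
        return ("block" if policy.required else "allow"), None
    return ("allow" if verdicts.get(server.ip, True) else "block"), server.ip


if __name__ == "__main__":
    # Constructed scenario: the primary is down, so the secondary screens.
    policy = FPolicy("block_exe", {"exe"}, enabled=True, required=True,
                     servers=[ScreeningServer("10.0.0.5", available=False),
                              ScreeningServer("10.0.0.6")],
                     secondary_ips={"10.0.0.6"})
    print(decide(True, policy, "setup.exe", {"10.0.0.6": False}))
```

Run with the 'required' flag off and every server marked unavailable to see the fail-open case: the request is allowed and no server IP is reported, which is the state to watch for in monitoring when a screening server goes down.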
You can disable the connection to a file screening server by using the following command:

fpolicy servers stop PolicyName server-IP-address
FPolicy file screening is applied at the volume level, and not at the qtree level.