
File screening FAQs

How does file screening work?

File screening policies specify the files or directories on which you want to place restrictions. Upon receiving a file operation request (such as open, write, create, or rename), Data ONTAP checks its file screening policies before permitting the operation.

If the policy specifies screening for that file based on its extension, the file name is sent to the file screening server to be screened. The file screening server applies policies to the file name to determine whether the storage system should allow the requested file operation. The file screening server then sends a response to the storage system to either allow or block the requested file operation.

Does the performance of the system go down while using file screening?

Yes, the performance of the system goes down while using file screening.

Can we use default options for setting file screening options?

There is a master setting for all file policies, the fpolicy.enable option, which is on by default. When an individual FPolicy is newly created, it is off by default. This allows the system administrator to fully configure the policy before activating it. Whether something is actually screened depends on whether a supported external file screening server is running and accessible to the storage system. Remember that an external file screening server is required in order to use FPolicy.

What happens if I create screening policies but do not have a screening server?

If you enable a policy when no file screening servers are available, nothing happens. However, if you have turned on the 'required' option for that policy, access to the files specified in that policy is denied. The 'required' setting on a policy is off by default.

How can I display the status of file screening servers?

You can display the status of the file screening server by using the following command:

fpolicy servers show PolicyName

Data ONTAP returns the status of the file screening server for the policy you specified.

Can I specify secondary screening servers? If yes, how can I do it?

Yes, you can designate a list of secondary servers to be used when the primary file screening server is unavailable. Use the following command:

fpolicy options PolicyName secondary_servers [ server_list ]

Any FPolicy server that connects to the storage system will be a primary server unless its IP address is in the secondary server list. Secondary servers will never be used by the storage system unless all primary servers are unavailable.
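The following Python model traces the decision flow described in the answers above (extension-based screening, the 'required' setting, and primary versus secondary servers). It is an added illustration, not NetApp code or Data ONTAP's implementation; the names Policy, pick_server, decide and the verdict callback are hypothetical, and the IP addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    enabled: bool = False   # a newly created policy is off by default
    required: bool = False  # the 'required' setting is off by default
    extensions: set = field(default_factory=set)         # extensions to screen
    secondary_servers: set = field(default_factory=set)  # IPs in the secondary list

def pick_server(policy, connected):
    """connected maps server IP -> True when that server is available."""
    up = [ip for ip, ok in connected.items() if ok]
    primaries = [ip for ip in up if ip not in policy.secondary_servers]
    secondaries = [ip for ip in up if ip in policy.secondary_servers]
    # Secondaries are used only when every primary is unavailable.
    return (primaries or secondaries or [None])[0]

def decide(policy, filename, connected, verdict, fpolicy_enable=True):
    """Return (outcome, server_ip); verdict(ip, filename) models the server reply."""
    # Simplified exact extension match (assumption of this sketch).
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if not (fpolicy_enable and policy.enabled) or ext not in policy.extensions:
        return ("allow-unscreened", None)
    server = pick_server(policy, connected)
    if server is None:
        # No server reachable: 'required' selects fail-closed over fail-open.
        return ("deny", None) if policy.required else ("allow-unscreened", None)
    return ("allow" if verdict(server, filename) else "deny", server)

if __name__ == "__main__":
    # Constructed sample: one primary, one secondary, server blocks everything.
    pol = Policy(enabled=True, extensions={"mp3"}, secondary_servers={"10.0.0.2"})
    block_all = lambda ip, name: False
    for state in ({"10.0.0.1": True, "10.0.0.2": True},
                  {"10.0.0.1": False, "10.0.0.2": True},
                  {"10.0.0.1": False, "10.0.0.2": False}):
        print(state, decide(pol, "song.mp3", state, block_all))
    pol.required = True
    print("required on, no servers:", decide(pol, "song.mp3", {}, block_all))
```

With 'required' off, the third state lets the operation through unscreened, so a policy intended as an enforcement control needs 'required' on or monitoring of server availability.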

How can I disable the connection to a file screening server?

You can disable the connection to a file screening server by using the following command:

fpolicy servers stop PolicyName server-IP-address

Is FPolicy file screening applied at the volume level or at the qtree level?

FPolicy file screening is applied at the volume level, and not at the qtree level.