NetApp ONTAP Ransomware Protection with Native FPolicy File Blocking

NetApp FPolicy is often associated with external FPolicy servers, however FPolicy has a native mechanism to block file extensions.  This method can also be used to block other unwanted file types (MP3 for example), but a user could rename an extension prior to write to circumvent the extension block.

It is good practice to keep local Snapshot copies, replicated Snapshot copies, backup, and also block known ransomware extensions.  Additionally, you can use other overlapping security mechanisms like auditing tools, anti-virus and firewall solutions.

A great reference for additional information is TR-4572.  The technical report has a list of known ransomware extensions, but does not give an example for a native block.  Below are the four steps to setup the native block.

The NetApp Solution for Ransomware

Click to access tr-4572.pdf

NetApp OnCommand Cloud Manager (OCCM) Cloud Volumes ONTAP (CVO) provisioning automates activation of Snapshot copies and FPolicy native blocking.

A screenshot of a cell phone

Description automatically generated

Common Ransomware Extensions (not limited to these)

  • .micro              .encrypted       .locked            .crypto
  • .crypt               .crinf               .r5a                  .XRNT
  • .XTBL             .R16M01D05 .pzdc               .good 
  • .LOL!              .OMG!            .RDM              .RRK
  • .encryptedRSA .crjoker          .EnCiPhErEd  .LeChiffre
  • ._crypt             Locky              .SUPERCRYPT .CTBL
  • .CTB2             .WNCRY        .ad4c .HD

How do you set this up on your ONTAP cluster?

CLI Example to create a native block in 4 steps

  1. Create the FPolicy event

fpolicy policy event create -vserver SVM1 -event-name ransomware_block -volume-operation false -protocol cifs -file-operations create,rename,write,rename-dir,read,create-dir,open

2. Create the FPolicy policy (using the events created in step 1)

fpolicy policy create -vserver SVM1 -policy-name ransomware_block -events ransomware_block -engine native -is-mandatory true

3. Create the FPolicy scope (using the policy created in step 2)

fpolicy policy scope create -vserver SVM1 -policy-name ransomware_block -is-file-extension-check-on-directories-enabled true -file-extensions-to-include micro,encrypted,locked,crypto,crypt,crinf,r5a,XRNT,XTBL,R16M01D05,pzdc,good,LOL!,OMG!,RDM,RRK,encryptedRSA,crjoker,EnCiPhErEd,LeChiffre,_crypt,Locky,SUPERCRYPT,CTBL,CTB2,WNCRY,ad4c,HD -volumes-to-include *

4. Enable the FPolicy

fpolicy enable -vserver SVM1 -policy-name ransomware_block -sequence-number 1

Test the Policy

When a file write of a blocked extension is attempted, the following error occurs.

A screenshot of a cell phone

Description automatically generated

When an existing file rename from .DOC to a blocked extension is attempted, the following error occurs.

A screenshot of a social media post

Description automatically generated

Final Note

I had a customer with telemetry data files with a “.good” extension, and they were unable to write files.  We modified the policy scope list to remove that extension.  Since this is a manual method, update the extension list when new known ransomware extensions are identified.

2 thoughts on “NetApp ONTAP Ransomware Protection with Native FPolicy File Blocking

  1. I think NetApp best feature is the use of snapshots (at a high frequency, taking into account the 1025 snapshots limits on a volume)… FPolicy lack a bit of flexibility in use and in a crisis can prove to be slow to implement or modifiy… if they we’re exposed into system manager GUI, this would help a lot.


    1. I agree..The limit is 1023 snapshots per volume now. Note that the increase from 255 to 1023 was in ONTAP 9.4 with one exception, FlexGroups. FlexGroups increased from 255 to 1023 in ONTAP 9.7. Also note that if using SnapVault, the limit is 1019 to account for baseline snaps.

      Snapshots should always be used as well as offsite replication. Native FPolicy blocking is free and works well. I recommend overlapping methods (firewalls, virus scanning, local snaps, replicated snaps, backup). I really like the 3-2-1 methodology created by Veeam. 3 copies of your data, 2 different media types, 1 offsite.

      Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s