NetApp

Connecting SMB shares hosted on NetApp to LightBeam

Overview

This document guides LightBeam customers through integrating NetApp FPolicy with the LightBeam external engine. The integration is required for LightBeam's security, auditing, and compliance features to operate on data stored in NetApp SMB shares.

Prerequisites and System Requirements

A. NetApp System Requirements

Requirement: Supported ONTAP Version
  Detail: Your NetApp cluster must be running a version of ONTAP that supports external FPolicy engines and the required API calls (typically ONTAP 9.x or later).
  Rationale: Compatibility is crucial for stable session setup and event notification delivery.

Requirement: Administrative Credentials
  Detail: Full administrator access (e.g., the admin role with high privileges) to the NetApp cluster and to the specific Storage Virtual Machine (SVM/Vserver) hosting the SMB shares.
  Rationale: Required for the CLI/API commands that create the external engine, policy, and scope and that enable the FPolicy.

Requirement: Network Connectivity & Firewall Rules
  Detail: Open the necessary network paths between the NetApp cluster data LIF (logical interface) and the LightBeam FPolicy server IP address.
  Rationale: FPolicy uses a multi-stage connection:
    1. Session setup: typically uses a well-known port (e.g., TCP 139 or 445 initially, though the external engine connection will use the custom port).
    2. Event notification: uses the custom FPolicy protocol port 31666 (defined in LightBeam and configured on NetApp) for ongoing event communication.

Requirement: FPolicy Licenses
  Detail: Ensure the necessary NetApp licenses for FPolicy functionality are installed and active on the cluster.
  Rationale: FPolicy is often a licensed feature, depending on your NetApp support contract.

B. LightBeam FPolicy Server Requirements

Requirement: Dedicated FPolicy Server
  Detail: The LightBeam FPolicy software must be installed on a dedicated, stable server (physical or virtual machine) running a supported Windows or Linux OS.
  Rationale: This server acts as the "external engine" and must be reliably available to receive high-volume event streams from the NetApp system.

Requirement: Dedicated Service Account
  Detail: A specific Windows domain service account must be created for the LightBeam FPolicy server.
  Rationale: This account must have read-only or read/execute permissions on the specific NetApp SMB shares being monitored. It establishes the initial connection session and provides the security context for monitoring.

Requirement: Resource Allocation
  Detail: Adequate CPU, RAM, and disk I/O must be allocated to the LightBeam server to handle the expected load of file events (e.g., hundreds or thousands of events per second).
  Rationale: High-traffic environments require robust sizing to prevent event backlog and potential notification drops.

The integration process is divided into two primary phases:

  1. FPolicy Server Setup

  2. LightBeam Website Configuration

FPolicy Server Setup:

This phase confirms that the LightBeam external engine is ready to receive connections.

Prerequisites checklist:

  1. Ensure the dedicated Windows service account is created in Active Directory and has the required read-only/read-execute access to all target SMB shares on the NetApp SVM.

  2. Obtain the external engine connection parameters:

    1. LightBeam Server IP

    2. FPolicy Protocol Port

    3. External Engine Name

The following commands must be executed on the NetApp cluster CLI, targeting the relevant Storage Virtual Machine (SVM/Vserver).

Step A: Define the FPolicy External Engine

This step registers the LightBeam server as a trusted event notification receiver.

Note:

-is-synchronous false: This is crucial for performance. NetApp sends notifications without waiting for a response from LightBeam, so file operations complete promptly and LightBeam's processing delays do not affect end-user latency.

-engine-name: This must match the External Engine Name defined in the LightBeam configuration (Step 1).

Step B: Create the FPolicy Policy

To monitor file access, define the FPolicy policy with the following command:

This command defines a policy bound to the LightBeam engine. Replace the placeholders with values appropriate for your environment.

  • -events *: the wildcard (*) captures all file events (read, write, create, delete, rename, etc.). For efficiency, replace * with specific events (e.g., file-read,file-write,file-create) if only a subset is needed.

  • -protocol smb: limits notifications to SMB file operations, ignoring NFS access where applicable.

  • -is-mandatory false: keeps file operations from blocking if the LightBeam engine is unavailable, consistent with -is-synchronous false.

Step C: Create an FPolicy Scope

Define the FPolicy scope to specify the applicable volumes and shares and to identify which files or extensions to include or exclude. This keeps event noise to a minimum.

Best practices:

  • Shares or volumes: use -shares-to-include for finer-grained control if the SVM has many shares. Include only the shares/volumes explicitly configured for LightBeam monitoring.

  • Exclusions: exclude non-critical file types (e.g., media, backups, temp files) to reduce the event stream and improve performance on both NetApp and the LightBeam server.

Step D: Enable the FPolicy Policy

Activate the policy to initiate session setup with the LightBeam external engine.

Input:

The -sequence-number parameter dictates the processing order when multiple FPolicy policies are active on the SVM. Usually this is the only policy, so a value of 1 is typical.
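As an added example (not LightBeam's or NetApp's code), the following Python builds the engine, event, and policy-with-scope objects from Steps A to D as ONTAP REST API request bodies and checks them against the rules this guide states: matching engine name, asynchronous engine, non-mandatory policy, port 31666, an explicit share list, and extension exclusions. The REST field names, the share name "finance", the server IP, and the excluded extensions are assumptions; verify the field names against the API reference for your ONTAP release.

```python
"""Build and sanity-check the FPolicy objects from Steps A-D as ONTAP REST API
request bodies (added example, not LightBeam's or NetApp's code). Field names
are assumed to follow /api/protocols/fpolicy/{svm.uuid}/engines, /events and
/policies; verify against your ONTAP release before use."""
import json

FPOLICY_PORT = 31666  # LightBeam's FPolicy protocol port (from this guide)
NOISY_EXTENSIONS = ["mp4", "mp3", "bak", "tmp"]  # constructed example exclusions

def engine_body(name, server_ip, port=FPOLICY_PORT):
    """Step A: asynchronous engine, so ONTAP never waits on LightBeam."""
    return {"name": name, "primary_servers": [server_ip], "port": port,
            "type": "asynchronous", "ssl_option": "no_auth"}

def event_body(name, ops=("create", "read", "write", "delete", "rename")):
    """Step B: SMB-only event set; ONTAP's protocol value for SMB is 'cifs'."""
    return {"name": name, "protocol": "cifs",
            "file_operations": {op: True for op in ops}}

def policy_body(name, engine, event, shares, exclude_ext=NOISY_EXTENSIONS, priority=1):
    """Steps B-D: non-mandatory policy, explicit share scope, sequence/priority."""
    return {"name": name, "engine": {"name": engine}, "events": [{"name": event}],
            "mandatory": False, "enabled": True, "priority": priority,
            "scope": {"shares_to_include": list(shares),
                      "file_extensions_to_exclude": list(exclude_ext)}}

def check_plan(engine, policy):
    """Return the guide's rules that the planned objects violate (empty list = OK)."""
    problems = []
    if policy["engine"]["name"] != engine["name"]:
        problems.append("policy engine name does not match the external engine name")
    if engine["type"] != "asynchronous":
        problems.append("engine is synchronous: LightBeam delays would add client latency")
    if policy["mandatory"]:
        problems.append("policy is mandatory: SMB I/O would block if LightBeam is unreachable")
    if engine["port"] != FPOLICY_PORT:
        problems.append(f"engine port {engine['port']} differs from LightBeam port {FPOLICY_PORT}")
    if not policy["scope"]["shares_to_include"]:
        problems.append("scope lists no shares: add the shares LightBeam should monitor")
    if not policy["scope"]["file_extensions_to_exclude"]:
        problems.append("no extension exclusions: expect a noisier event stream")
    return problems

if __name__ == "__main__":  # constructed values; replace with your SVM's own
    eng = engine_body("lightbeam_engine", "192.0.2.10")
    pol = policy_body("lightbeam_policy", "lightbeam_engine", "lightbeam_events", ["finance"])
    print(json.dumps({"engine": eng, "event": event_body("lightbeam_events"),
                      "policy": pol, "problems": check_plan(eng, pol)}, indent=2))
```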

Actions to take on the LightBeam website:

Navigate to the LightBeam website, then add a data source and select NetApp.


Credential Requirements for FPolicy Configuration and Data Access

Types of Credentials Needed

To successfully implement FPolicy and analyze file share data, two distinct sets of credentials are required:

1. SMB File Share Credentials (Always Required)

These credentials are essential for accessing files and folders on your SMB shares for content scanning and analysis.

Credential: Username*
  Purpose: Account with read permissions on the SMB file shares.

Credential: Password*
  Purpose: Authentication for the username.

Credential: URL*
  Purpose: The SMB server address.
  Notes: e.g., \\server-name or smb://server-name

Credential: Domain
  Purpose: The Windows domain name.
  Notes: Optional, but common in enterprise environments.

2. NetApp ONTAP API Credentials (Required Only for Audit Logging)

These credentials are used to interact with the NetApp ONTAP management API, enabling the configuration and management of FPolicy-based audit logging for file access events.

Credential: V Server*
  Purpose: The NetApp Storage Virtual Machine (SVM) hosting the SMB shares.

Credential: Policy Name*
  Purpose: The specific FPolicy policy name configured on NetApp for auditing.

Credential: OnTap API Endpoint
  Purpose: The NetApp ONTAP REST API URL (e.g., https://netapp-cluster.example.com).

Credential: OnTap Username
  Purpose: An ONTAP administrative account with permissions to configure FPolicy.

Credential: OnTap Password
  Purpose: The password for the ONTAP administrative account.

Credential: Node
  Purpose: Specific NetApp cluster node identifier (optional context).

Credential: Server
  Purpose: The FPolicy external server address (optional context).

Why Two Sets of Credentials Are Necessary

The application uses two separate sets of credentials to perform two distinct, critical functions:

Credential Set: SMB Credentials
  Purpose: Data scanning
  Function: Used to read file content from the shares.

Credential Set: ONTAP API Credentials
  Purpose: Audit logging
  Function: Used to configure and monitor file access patterns via FPolicy.

Enabling audit logging requires both credential sets for optimal operation:

  • ONTAP credentials: used to connect to the NetApp ONTAP API and enable FPolicy monitoring.

  • SMB credentials: used to access the file shares and scan their content.

This dual-credential configuration lets the system analyze file content and track access patterns simultaneously, providing comprehensive security and compliance monitoring.

Complete the scan settings and save them, as you would for other data sources such as SMB.

Test SMB Access and Event Flow

  1. Access an SMB share:

    • From a client machine, access one of the monitored SMB shares listed in the scope.

    • Perform a definitive file operation, such as creating, saving, and deleting a text file.

    Expected result:

    • The Session Status field should change to "Connected" shortly after the policy is enabled.

    • The Request Count should increment as file events occur.

  2. Verify the external engine connection via the NetApp CLI:

    • Execute the following command:

    Expected result:

    • The Policy State for lightbeam_policy should display as "active".

  3. Check the FPolicy policy status via the NetApp CLI:

    • Run this command for immediate verification:

    Purpose:

    • Confirms that the policy connection and event flow are functioning properly after the policy is enabled.

Troubleshooting Checklist

If the Session Status remains disconnected or LightBeam is not receiving events:

Issue area: Network/Firewall
  Action: Use ping and telnet (or nc) from the NetApp system (or a machine on the same network segment) to the LightBeam server's IP address on the FPolicy protocol port. Verify that the firewall is open bidirectionally.

Issue area: LightBeam Service
  Action: Verify that the LightBeam FPolicy service is running and configured with the correct FPolicy protocol port, 31666. Review the LightBeam service logs for binding or connection errors.

Issue area: NetApp Configuration
  Action: Double-check that the IP address, port, and engine name in NetApp's external-engine create command exactly match the values obtained from LightBeam (Step 1).

Issue area: Service Account
  Action: Confirm that the LightBeam service account has not expired and still has the necessary read permissions on the monitored SMB shares.
