09-28-2015 12:35 PM
Using EV 11 and FSA/SB against OnTap 8 7-mode. All the documentation for file system blocking talks about adding volumes and configuring blocking against volumes. In actual fact, it appears that you do not add volumes at all, you add shares in realtion to file system blocking. My query is how the logic works when you define different policies against different shares that reside on the same volume. For example, consider this:
So, essentially I can reach the folder subfolder1 via two UNC paths. Now, see the results of some basic testing:
This is expected. Now this:
So, it seems like in the case of a nested share, the more specific path and the policy attached to it applies. My question though is where is this documented? We have many nested shares residing on the same volume so things could get messy. I would have assumed that the policy/volume was matched based on the UNC accessed but that appears to not be the case. Is this the way NetApp passes the file screening request i.e. it passes the absolute volume path to the screening server rather than the share path and hence the more specific policy applies?
09-28-2015 05:36 PM
my thoughts to help explain what you're seeing in your testing:
1. the terminology is confusing because a netapp volume and an EV FSA volume are not the same thing.
2. remember that the file blocking service runs on behalf of the NetApp by the EV FSA Agent on a Windows file server.
3. in the EV admin console when you're prompted for the the File Blocking agent server, specify the Windows file server where the EV FSA Agent is running
09-29-2015 12:25 AM
Thanks Andrew for the reply but I'm not sure if that helps me understand the logic. Regardless of the nomenclature, FSB works against shares as you can only select share targets in the console UI. Thereafter, in relation to nested shares, how are the policies matched? it would appear to be based on the underlying volume based path of the folder rather than the UNC.
09-29-2015 12:51 AM
Here's a better example. Suppose I create the following:
So two shares accessing the same volume/folder on a NetApp CIFS server. perfectly valid configuration. I then add them into EV FSA and assign FSB policies:
Now, if I copy a .pst to either share it's allowed but if I copy a .mp3 to either share it is blocked. Where is this logic defined? seems like the last policy added wins in ths case.
09-29-2015 02:31 AM
09-29-2015 03:56 AM
Furthermore, if I remove Share1 and re-add it, the resulting policies are now reversed and .pst files are blocked and .mp3 files are allowed.
09-29-2015 05:07 AM
Hi Ben. You say:
So, as per my setup, both your shares point at the same underlying NTFS path?. I just recreated the same with Windows shares. Can you send me the output of NET SHARE on you windows file server??
10-03-2015 02:29 AM
Bump