cancel
Showing results for 
Search instead for 
Did you mean: 

File System Blocking - Nested Shares

shocko
Level 4

Using EV 11 and FSA/SB against OnTap 8 7-mode. All the documentation for file system blocking talks about adding volumes and configuring blocking against volumes. In actual fact, it appears that you do not add volumes at all, you add shares in realtion to file system blocking. My query is how the logic works when you define different policies against different shares that reside on the same volume. For example, consider this:

  • Volume hosting shares is /vol/vol1
  • Share 1: share_1 and resides on /vol/vol1/ and policy blocks *.pst with no folder exceptions
  • Share 2: share_2 and resides on /vol/vol1/subfolder1/ *.mp3 with no folder exceptions

So, essentially I can reach the folder subfolder1 via two UNC paths. Now, see the results of some basic testing:

  1. Copy a .pst to \\myfiler\share_1 - blocked
  2. Copy a .mp3 to \\myfiler\share_1 - allowed
  3. Copy a .pst to \\myfiler\share_2 - allowed
  4. Copy a .mp3 to \\myfiler\share_2 - blocked

This is expected. Now this:

  1. Copy a .pst to \\myfiler\share_1\subfolder1 - blocked

So, it seems like in the case of a nested share, the more specific path and the policy attached to it applies. My question though is where is this documented? We have many nested shares residing on the same volume so things could get messy. I would have assumed that the policy/volume was matched based on the UNC accessed but that appears to not be the case. Is this the way NetApp passes the file screening request i.e. it passes the absolute volume path to the screening server rather than the share path and hence the more specific policy applies?

 

 

 

7 REPLIES 7

AndrewB
Moderator
Moderator
Partner    VIP    Accredited

my thoughts to help explain what you're seeing in your testing:

1. the terminology is confusing because a netapp volume and an EV FSA volume are not the same thing.

2. remember that the file blocking service runs on behalf of the NetApp by the EV FSA Agent on a Windows file server.

3. in the EV admin console when you're prompted for the the File Blocking agent server, specify the Windows file server where the EV FSA Agent is running

shocko
Level 4

Thanks Andrew for the reply but I'm not sure if that helps me understand the logic. Regardless of the nomenclature, FSB works against shares as you can only select share targets in the console UI. Thereafter, in relation to nested shares, how are the policies matched? it would appear to be based on the underlying volume based path of the folder rather than the UNC.

shocko
Level 4

Here's a better example. Suppose I create the following:

  • Share1 -> /vol/vol1/
  • Share2 -> /vol/vol2/

So two shares accessing the same volume/folder on a NetApp CIFS server. perfectly valid configuration. I then add them into EV FSA and assign FSB policies:

  • Share1 -> block *.pst
  • Share2 -> block *.mp3

Now, if I copy a .pst to either share it's allowed but if I copy a .mp3 to either share it is blocked. Where is this logic defined? seems like the last policy added wins in ths case.  

Ben_Watts
Level 6
Employee Accredited
Hi Shocko, I have just done the above, albeit with windows and NTFS shares, and have not come across the issue you are seeing. My setup is as below:- Fileserver - \\ev11-ex2010 Shared folders on ev11-ex2010 consist of the below, both Share1 and Share2 folders are on the root of C: and C: is NOT defined as a target in EV for anything. Share1 Share2 So we have the two accessible paths from clients:- \\ev11-ex2010\share1 \\ev11-ex2010\share2 Share1 has txt files blocked Share2 has htm/html etc files blocked I add both of those shares as volumes to the VAC under Targets - 'ev11-ex2010'. I have then applied the differing volume policies for each volume/share (Share1 and Share2), these are applied as expected:- Share1 - Unable to create txt files, can create html/htm files Share2 - Unable to create htm/html files, can create txt files In your example do you have the parent volume targeted by EV in the VAC at all and have a Volume Policy applied to it already? - Just a thought.

shocko
Level 4

Furthermore, if I remove Share1 and re-add it, the resulting policies are now reversed and .pst files are blocked and .mp3 files are allowed.

shocko
Level 4

Hi Ben. You say:

  • "both Share1 and Share2 folders are on the root of C: and C: is NOT defined as a target in EV for anything."

So, as per my setup, both your shares point at the same underlying NTFS path?. I just recreated the same with Windows shares. Can you send me the output of NET SHARE on you windows file server??

shocko
Level 4

Bump