
Files 2.2

Last updated: 2022-06-14

File Analytics

File Analytics provides data and statistics on the operations and contents of a file server.

Once deployed, Files adds a File Analytics VM to the Files cluster. A single File Analytics VM supports all file servers in the cluster; however, you must enable File Analytics separately for each file server. Data on the File Analytics VM is protected and is kept in a separate volume group.

Once you deploy File Analytics, a new File Analytics link appears on the file server actions bar. You can access File Analytics through this link for any file server where it is enabled.

Figure. File Analytics VM

Display Features

The File Analytics web console consists of the following display features:

Main menu bar: The main menu bar appears at the top of every page of the File Analytics web console. It includes the following display features:

  • Dashboard tab: View widgets that present data on file trends, distribution, and operations.
  • Audit Trails tab: Search for a specific user or file and view various widgets to audit activity.
  • Anomalies tab: Create anomaly policies and view anomaly trends.
  • Status icon: Check the file system scan status.
  • File server drop-down: View the name of the file server for which data is displayed.
  • Settings drop-down: Manage File Analytics and configure settings.
  • Health icon: Check the health of File Analytics.
  • Admin drop-down: Collect logs and view the current File Analytics version.

Deployment Requirements

Meet the following requirements prior to deploying File Analytics.

Ensure that you have performed the following tasks and your Files deployment meets the following specifications.

  • Assign the file server administrator role to an Active Directory (AD) user, see Managing Roles in the Nutanix Files Guide.
  • Log on as the Prism admin user to deploy the File Analytics server.
  • Configure a VLAN with one dedicated IP address for File Analytics, or use an IP address from an existing Files external network. This IP address must have connectivity to AD, the Controller VM (CVM), and Files. See "Configuring a Virtual Network For Guest VM Interfaces" in the Prism Web Console Guide.
    Note: Do not install File Analytics on the Files internal network.
  • (Optional) Assign the file server administrator role to an LDAP user, see Managing Roles in the Nutanix Files Guide.
  • Ensure that all software components meet the supported configurations and system limits, see the File Analytics Release Notes.

Network Requirements

Open the required ports and ensure that your firewall allows bi-directional Internet Control Message Protocol (ICMP) traffic between the File Analytics VM (FAVM) and the CVMs.

The Port Reference provides detailed port information for Nutanix products and services, including port sources and destinations, service descriptions, directionality, and protocol requirements.

In addition to meeting the File Analytics network requirements, ensure that you meet the Nutanix Files port requirements as described in the Port Reference.

Limitations

File Analytics has the following limitations.

Note: Depending on data set size, file count, and workload type, enabling File Analytics can affect the performance of Nutanix Files. High latency is more common with heavy file-metadata operations (directory and file creation, deletion, permission changes, and so on). To minimize the impact on performance, ensure that the host has enough CPU and memory resources to handle the File Analytics VM (FAVM), file servers, and guest VMs (if any).
  • Only Prism admin users can deploy Analytics. Active Directory (AD) users and AD users mapped to Prism admin roles cannot deploy File Analytics.
  • Analytics analyzes data from 1 month up to 1 year based on the configuration. Analytics automatically deletes data beyond the defined configuration.
    Note: After surpassing the 750 million audit event threshold, Analytics archives the oldest events. Archived audit events do not appear in the Analytics UI.
  • You cannot deploy or decommission Analytics when a file server has high-availability (HA) mode enabled.
  • You cannot use network segmentation for Nutanix Volumes with File Analytics.
  • If file server DNS or IP changes, File Analytics does not automatically reconfigure.
  • File Analytics does not collect metadata for files on Kerberos authenticated NFS v4.0 shares.
  • If File Analytics is running on a one-node file server, you cannot upgrade using the Life Cycle Manager (LCM).
  • File Analytics does not support hard links.
  • You cannot enable File Analytics on a file server clone.
  • You cannot move File Analytics to another storage container.
  • File Analytics creates an unprotected Prism and an unprotected file server user for integration purposes. Do not delete these users.
  • The legacy file blocking policy has an upper limit of 300 ransomware extensions.
    Note: For higher limits, it is recommended to use Nutanix Data Lens.

Administration

Overview of administrative processes for File Analytics.

As an admin, you have the privileges to perform administrative tasks for File Analytics. To add a file server admin user, see Managing Roles in the Nutanix Files Guide. The topics in this chapter describe the basics for administering your File Analytics environment. For advanced administrative options, refer to the File Analytics Options chapter.

Deploying File Analytics

Follow this procedure to deploy the File Analytics server.

Before you begin

Ensure that your environment meets all requirements prior to deployment, see Deployment Requirements.

Procedure

Deploying the File Analytics server.
  1. Go to Support Portal > Downloads > File Analytics.
  2. Download the File Analytics QCOW2 and JSON files.
  3. Log on to Prism with the user name and password of the Prism administrator.
    Note: An Active Directory (AD) user or an AD user mapped to a Prism admin role cannot deploy File Analytics.
  4. In Prism, go to the File Server view and click the Deploy File Analytics action link.
    Figure. File Analytics

  5. Review the File Analytics requirements and best practices in the Pre-Check dialog box.
  6. In the Deploy File Analytics Server dialog box, do one of the following in the Image tab.
    • Under Available versions, select one of the available File Analytics versions (continue to step 8).
    • Install by uploading installation binary files (continue to the next step).
  7. Upload the installation files.
    1. In the Upload binary section, click Upload the File Analytics binary to upload the File Analytics JSON and QCOW2 files.
      Figure. Upload Binary Link
    2. Under File Analytics Metadata File (.Json), click Choose File to choose the downloaded JSON file.
    3. Under File Analytics Installation Binary (.Qcow2), click Choose File to choose the downloaded QCOW2 file.
      Figure. Upload Binary Files
    4. Click Upload Now after choosing the files.
  8. Click Next.
  9. In the VM Configuration tab, do the following in the indicated fields:
    1. Name: Enter a name for the File Analytics VM (FAVM).
    2. Server Size: Select either the small or large configuration. Large file servers require the larger FAVM configuration. By default, File Analytics selects the large configuration.
    3. Storage Container: Select a storage container from the drop-down.
      The drop-down only displays file server storage containers.
    4. Network List: Select a VLAN.
      Note: If the selected network is unmanaged, enter more network details in the Subnet Mask, Default Gateway IP, and IP Address fields as indicated.
      Note: The FAVM must use the client-side network.
  10. Click Deploy.
    In the main menu drop-down, select the Tasks view to monitor the deployment progress.

Results

Once deployment is complete, File Analytics creates an FAVM, CVM, and a new Files user to make REST API calls. Do not delete the CVM, FAVM, or the REST API user. A new Manage File Analytics link appears in the Prism Element File Server view.

Enabling File Analytics

Steps for enabling File Analytics after deployment or disablement.

About this task

Attention: Nutanix recommends enabling File Analytics during off-peak hours.

Follow these steps to enable File Analytics after disabling the application.

Note: File Analytics saves all previous configurations.

Procedure

  1. In the File Server view in Prism, select the target file server.
  2. (Skip to step 3 if you are re-enabling a file server.) Click Manage roles to add a file server admin user, see Managing Roles in the Nutanix Files Guide.
  3. In the File Server view, select the target file server and click File Analytics in the tabs bar.
  4. (Skip to step 5 if you are not re-enabling a disabled instance of File Analytics.) To re-enable File Analytics, click Enable File Analytics in the message bar.
    Figure. Enabling File Analytics Link
    The Enable File Analytics dialog box appears. Skip the remaining steps.
  5. In the Data Retention field, select a data retention period. The data retention period is the length of time File Analytics retains audit events.
  6. In the Authentication section, enter the credentials as indicated:
    Note: AD passwords for the file server admin cannot contain the following special characters: comma (,), single quote ('), double quote ("). Using these special characters in passwords prevents File Analytics from performing file system scans.
    1. (For SMB users only) In the SMB section, do the following in the indicated fields to provide SMB authentication details:
      • Active Directory Realm Name: Confirm the AD realm name for the file server.
      • Username: Enter the AD username for the file server administrator, see File Analytics Prerequisites.
      • Password: Enter the AD user password for the file server administrator.
    2. (For NFS users only) In the NFS Authentication section, do the following in the indicated fields to provide NFS authentication details:
      • LDAP Server URI: Enter the URI of the LDAP server.
      • Base DN: Enter the base DN for the LDAP server.
      • Password: Enter the LDAP user password for the file server administrator.

  7. Click Enable.

Results

After enablement, File Analytics performs a one-time file system scan to pull metadata information. The duration of the scan varies depending on the protocol of the share. There is no system downtime during the scan.

Example

Scanning 3–4 million NFS files or 1 million SMB files takes about 1 hour.

Disabling File Analytics

About this task

Follow the steps as indicated to disable File Analytics.

Procedure

  1. In File Analytics, click the gear icon > Disable File Analytics.
  2. In the dialog box, click Disable.
    Disabling File Analytics disables data collection. The following message banner appears.
     File Analytics is disabled on the server. Enable File Analytics to start collecting data again or Delete File Analytics Data.

What to do next

To delete data, click the Delete File Analytics Data link in the banner described in Step 2.

Launching File Analytics

About this task

Do the following to launch File Analytics.

Procedure

  1. From the Prism views drop-down, select the File Server view.
  2. Select the target file server from the entity table.
  3. Click the File Analytics action button below the entity table.
    Figure. Launch File Analytics. The File Analytics action button.

File Analytics VM Management

To update a File Analytics VM (FAVM), refer to the sizing guidelines in the File Analytics release notes and follow the steps in the VM Management topic of the Prism Web Console Guide.

Removing File Analytics VMs

Remove a File Analytics VM (FAVM) by disabling it and deleting it from the cluster in Prism.

About this task

Follow the steps as indicated to remove an FAVM.
Note: Do not delete an FAVM using the CLI, as this operation does not decommission the FAVM.

Procedure

  1. Disable File Analytics on all file servers in the cluster, see Disabling File Analytics.
  2. In the File Server view in Prism Element, do the following:
    1. In the top actions bar, click Manage File Analytics.
    2. Click Delete to remove the FAVM.
    When you delete an FAVM, you also delete all of your File Analytics configurations and audit data stored on the FAVM.

Updating Credentials

About this task

Follow the steps as indicated to update authentication credentials for LDAP or Active Directory.

Procedure

  1. Click the gear icon > Update AD/LDAP Configuration.
  2. To update Active Directory credentials, do the following in the indicated fields (otherwise move on to the next step).
    Note: AD passwords for the file server admin cannot contain the following special characters: comma (,), single quote ('), double quote ("). Using these special characters in passwords prevents File Analytics from performing file system scans.
    1. Active Directory Realm Name: Confirm or replace the realm name.
    2. Username: Confirm or replace the username.
    3. Password: Type in the new password.
  3. To update the NFS configuration, do the following (otherwise move on to the next step).
    1. LDAP Server URI: Confirm or replace the server URI.
    2. Base DN: Confirm or replace the base distinguished name (DN).
    3. Bind DN (Optional): Confirm or replace the bind distinguished name (DN).
    4. Password: Type in the new password.
  4. Click Save.

Managing Deleted Share/Export Audits

Manage the audit data of deleted shares and exports.

About this task

By default, File Analytics retains deleted share and export data. The dashboard widgets do not account for data of deleted shares and exports. The deleted marker appears adjacent to deleted shares and exports in audit trails. The Manage Share/Export Audit data window displays a list of deleted shares and exports.

Follow the directions as indicated to delete audit data for the deleted share or export.

Note: You cannot restore the deleted audit data of a deleted share or export.

Procedure

  1. Click the gear icon > Manage Deleted Share/Export Audit.
  2. Check the box adjacent to the share or export name.
  3. Click Delete.
  4. In the confirmation window, click Delete to confirm the deletion of data.
    In the Manage Deleted Share/Export Audit window, a progress bar next to the share name displays the progress of the deletion. File Analytics treats data deletion for a deleted share as a low-priority task, which may take several hours to finish.

Upgrades

Perform File Analytics upgrades using the Life Cycle Manager feature in Prism Element.

Before you upgrade File Analytics, ensure that you are running a compatible version of AOS and Files. Refer to File Analytics release notes for compatibility details. You can upgrade both AOS and Files through Prism Element, see AOS Upgrade in the Prism Web Console Guide .

To upgrade File Analytics, perform inventory and updates using the Life-Cycle Manager (LCM), see the Life Cycle Manager Guide for instructions on performing inventory and updates. LCM cannot upgrade File Analytics when the protection domain (PD) for the File Analytics VM (FAVM) includes any other entities.

Note: The File Analytics UI is not accessible during upgrades.

During the upgrade process, File Analytics takes a snapshot of the volume group (VG) that contains File Analytics data. If issues occur during an upgrade, File Analytics restores the FAVM to the pre-upgrade state. If the volume group is protected and is part of a protection domain, File Analytics creates a snapshot and sets its expiry time to 30 days. If the volume group is not protected, File Analytics creates a snapshot and deletes it after completing the upgrade successfully. If any errors occur, the system keeps the snapshot for 30 days so that the issue can be troubleshot.

Upgrade File Analytics at a Dark Site

Upgrade File Analytics at a dark site using the Life-Cycle Manager (LCM).

About this task

Before you begin

You need a local web server reachable by your Nutanix clusters to host the LCM repository.

Procedure

  1. From a device that has public Internet access, go to Nutanix Portal > Downloads > Tools & Firmware.
    1. Download the tar file lcm_dark_site_version.tar.gz.
    2. Transfer lcm_dark_site_version.tar.gz to your local web server and untar it into the release directory.
  2. From a device that has public Internet access, go to the Nutanix portal and select Downloads > File Analytics.
    1. Download the following files.
      • file_analytics_dark_site_version.tar.gz
      • nutanix_compatibility.tgz
      • nutanix_compatibility.tgz.sign
    2. Transfer file_analytics_dark_site_version.tar.gz to your local web server and untar it into the release directory.
    3. Transfer the nutanix_compatibility.tgz and nutanix_compatibility.tgz.sign files to your local web server (overwrite existing files as needed).
  3. Log on to Prism Element.
  4. Click Home > LCM > Settings.
    1. In the Fetch updates from field, enter the path to the directory where you extracted the tar file on your local server. Use the format http://webserver_IP_address/release.
    2. Click Save.
      You return to the Life Cycle Manager.
    3. In the LCM sidebar, click Inventory > Perform Inventory.
    4. Update the LCM framework before trying to update any other component.
      The LCM sidebar shows the LCM framework with the same version as the file you downloaded.

Dashboard

The Dashboard tab displays data on the operational trends of a file server.

Dashboard View

The Dashboard tab is the opening screen that appears after launching File Analytics from Prism. The dashboard displays widgets that present data on file trends, distribution, and operations.

Figure. File Analytics Dashboard. File Analytics data panes in the Dashboard view.

Table 1. Dashboard Widgets
Tile Name | Description | Intervals
Capacity Trend | Displays capacity trends for the file server, including capacity added, capacity removed, and net changes. Clicking an event period widget displays the Capacity Trend Details view. | Seven days, the last 30 days, or the last 1 year.
Data Age | Displays the percentage of data by age. | Less than 3 months, 3–6 months, 6–12 months, and more than 12 months.
Anomaly Alerts | Displays alerts for configured anomalies, see Configuring Anomaly Detection. | (none)
Permission Denials | Displays users who have had excessive permission denials and the number of denials. Clicking a user displays audit details, see Audit Trails - Users for more. | [user id], [number of permission denials]
File Distribution by Size | Displays the number of files by file size. Provides trend details for the top 5 files. | Less than 1 MB, 1–10 MB, 10–100 MB, 100 MB to 1 GB, greater than 1 GB.
File Distribution by Type | Displays the space taken up by various applications and file types. The file type is determined by the file extension. See the File Types table for more details. | MB or GB
File Distribution by Type Details view | Displays a trend graph of the top 5 file types. File distribution details include file type, current space used, current number of files, and change in space for the last 7 or 30 days. Clicking View Details displays the File Distribution by Type view. | Daily size trend for top 5 files (GB), file type (see File Types table), current space used (GB), current number of files (numeric), change in last 7 or 30 days (GB).
Top 5 active users | Lists the users who have accessed the most files and the number of operations each user performed for the specified period. When there are more than 5 active users, the more link provides details on the top 50 users. Clicking the user name displays the audit view for the user, see Audit Trails - Users for more. | 24 hours, 7 days, 1 month, or 1 year.
Top 5 accessed files | Lists the 5 most frequently accessed files. Clicking more provides details on the top 50 files. Clicking the file name displays the audit view details for the file, see Audit Trails - Files for more. | Twenty-four hours, 7 days, 1 month, or 1 year.
Files Operations | Displays the distribution of operation types for the specified period, including a count for each operation type and the total sum of all operations. Operations include: create, delete, read, write, rename, permission changed, set attribute, symlink, permission denied, permission denied (file blocking). Clicking an operation displays the File Operation Trend view. | Twenty-four hours, 7 days, 1 month, or 1 year.

Capacity Trend Details

Clicking an event period in the Capacity Trend widget displays the Capacity Trend Details view for that period. The view includes three tabs: Share/Export, Folder, and Category. Each tab includes columns detailing the entity: Name, Net Capacity Change, Capacity Added, and Capacity Removed.

Figure. Capacity Trend Details View. Clicking the Capacity Trend widget in the Dashboard tab displays the Capacity Trend Details view.

Table 2. Capacity Trend Details
Column | Description
Name | Name of share/export, folder, or category.
Net Capacity Change | The total difference between capacity at the beginning and the end of the specified period.
Share Name (for folders only) | The name of the share or export that the folder belongs to.
Capacity Added | Total added capacity for the specified period.
Capacity Removed | Total removed capacity for the specified period.

File Distribution by Type Details

Clicking View Details for the File Distribution by Type widget displays granular details of file distribution, see the File Types table below for details.

Figure. File Distribution by Type. Clicking View Details on the File Distribution by Type widget displays the File Distribution by Type dashboard.

Table 3. Details of File Distribution Parameters
Column | Description
File Type | Name of the file type.
Current Space Used | Space capacity occupied by the file type.
Current Number of Files | Number of files for the file type.
Change (In Last 30 Days) | The increase in capacity over a 30-day period for the specified file type.

Table 4. File Types
Category | Supported File Type
Archives | .cab, .gz, .rar, .tar, .z, .zip
Audio | .aiff, .au, .mp3, .mp4, .wav, .wma
Backups | .bak, .bkf, .bkp
CD/DVD Images | .img, .iso, .nrg
Desktop Publishing | .qxd
Email Archives | .pst
Hard Drive Images | .tib, .gho, .ghs
Images | .bmp, .gif, .jpg, .jpeg, .pdf, .png, .psd, .tif, .tiff
Installers | .msi, .rpm
Log Files | .log
Lotus Notes | .box, .ncf, .nsf, .ns2, .ns3, .ns4, .ntf
MS Office Documents | .accdb, .accde, .accdt, .accdr, .doc, .docx, .docm, .dot, .dotx, .dotm, .xls, .xlsx, .xlsm, .xlt, .xltx, .xltm, .xlsb, .xlam, .ppt, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .mdb
System Files | .bin, .dll, .exe
Text Files | .csv, .pdf, .txt
Video | .avi, .mpg, .mpeg, .mov, .m4v
Disk Image | .hlog, .nvram, .vmdk, .vmx, .vmxf, .vmtm, .vmem, .vmsn, .vmsd

File Operation Trend

Clicking an operation type in the File Operations widget displays the File Operation Trend view. The File Operation Trend view breaks down the specified period into smaller intervals, and displays the number of occurrences of the operation during each interval.

Figure. Operation Trend. A graph displays the number of times the specified operation took place over time.

Table 5. File Operation Trend View Parameters
Category | Description
Operation Type | A drop-down option to specify the operation type. See Files Operations in the Dashboard Widgets table for a list of operation types.
Last (time period) | A drop-down option to specify the period for the file operation trend.
File operation trend graph | The x-axis displays shorter intervals within the specified period. The y-axis displays the number of operations over each interval.

Managing File Categories

File Analytics uses the file category configuration to classify file extensions.

About this task

The capacity widget in the dashboard uses the category configuration to calculate capacity details.

Procedure

  1. Click the gear icon > Manage File Category.
  2. To create a new category, click + New Category. (Otherwise, move on to step 3.)
    1. In the Category column, name the category.
    2. In the Extensions column, specify the file extensions for the category.
  3. To delete an existing category, click the x icon next to the category. (Otherwise, move on to step 4.)
  4. To modify an existing category, click the pencil icon next to the category and modify the specified file extensions.
  5. Click Save.

Health

The Health dashboard displays dynamically updated health information about each File Analytics component.

The Health dashboard includes the following details:

  • Data Summary: Data summary of all file servers with File Analytics enabled.
  • Host Memory: Percent of used memory on the File Analytics VM (FAVM).
  • Host CPU Usage: Percent of CPU used by the FAVM.
  • Storage Summary: Amount of storage space used on the File Analytics data disk or FAVM disk.
  • Overall Health: Overall health of File Analytics components.
  • Data Server Summary: Data server usage by component.
Figure. Health Page. The Health page dashboard includes tiles that dynamically update to indicate the health of relevant entities.

Anomalies

Data panes in the Anomalies tab display data and trends for configured anomalies.

The Anomalies tab provides options for creating anomaly policies and displays dashboards for viewing anomaly trends.
Note: Configure an SMTP server to send anomaly alerts, see Configuring an SMTP Server.

You can configure anomalies for the following operations:

  • Creating files and directories
  • Deleting files and directories
  • Permission changes
  • Permission denials
  • Renaming files and directories
  • Reading files and directories

Define anomaly rules by specifying the following conditions:

  • Users exceed an operation count threshold
  • Users exceed an operation percentage threshold

Meeting the lower operation threshold triggers an anomaly.

Consider a scenario where you have 1 thousand files, the operation count threshold defined as 10, and the operation percentage threshold defined as 10%. The count threshold takes precedence, as 10% of 1 thousand is 100, which is greater than the count threshold of 10.

Figure. Anomalies Dashboard. The Anomalies dashboard displays anomaly trends.

Table 1. Anomalies Data Pane Descriptions
Pane Name | Description | Values
Anomaly Trend | Displays the number of anomalies per day or per month. | Last 7 days, Last 30 days, Last 1 year
Top Users | Displays the users with the most anomalies and the number of anomalies per user. | Last 7 days, Last 30 days, Last 1 year
Top Folders | Displays the folders with the most anomalies and the number of anomalies per folder. | Last 7 days, Last 30 days, Last 1 year
Operation Anomaly Types | Displays the percentage of occurrences per anomaly type. | Last 7 days, Last 30 days, Last 1 year

Anomaly Details

Clicking an anomaly bar in the Anomaly Trend graph displays the Anomaly Details view.

Figure. Anomaly Details View

Table 2. Anomalies Details View Total Results Table
Column | Description
Anomaly Type | The configured anomaly type. Anomaly types that are not configured do not appear in the table.
Total User Count | The number of users that have performed the operation causing the specified anomaly during the specified time range.
Total Folder Count | The number of folders in which the anomaly occurred during the specified time range.
Total Operation Count | Total number of anomalies for the specified anomaly type that occurred during the specified time range.
Time Range | The time range for which the total user count, total folder count, and total operation count are specified.

Table 3. Anomalies Details View Users/Folders Table
Column | Description
Username or Folders | Indicates the entity for the operation count. Selecting the Users tab shows the operation count for specific users, and selecting the Folders tab shows the operation count for specific folders.
Operation count | The total number of operations causing anomalies for the selected user or folder during the time period for the bar in the Anomaly Trend graph.

Configuring Anomaly Detection

Steps for configuring anomaly rules.

About this task

Configure an SMTP server for File Analytics to send anomaly alerts, see Configuring an SMTP Server. To create an anomaly rule, do the following.

Procedure

  1. In the File Analytics web console, click the gear icon > Define Anomaly Rules.
  2. In the Anomaly Email Recipients field, enter a comma-separated list of email recipients for all anomaly alerts and data.
    Note: File Analytics sends anomaly alerts and data to the recipients whenever it detects an anomaly.
  3. To configure a new anomaly, do the following in the indicated fields:
    1. Events: Select a rule for the anomaly from one of the following:
      • Permission changed
      • Permission denied
      • Delete
      • Create
      • Rename
      • Read
      The event defines the scenario type for the anomaly.
    2. Minimum Operations %: Enter a percentage value for the minimum threshold.
      File Analytics calculates the minimum operations percentage based on the number of files. For example, if there are 100 files and you set the minimum operations percentage to 5, five operations within the scan interval would trigger an anomaly alert.
    3. Minimum Operation Count: Enter a value for the minimum operation threshold.
      File Analytics triggers an anomaly alert after meeting the threshold.
    4. User: Choose whether the anomaly rule applies to All Users or an Individual user.
    5. Type: The type determines the interval unit.
      The interval determines how far back File Analytics monitors for the anomaly.
    6. Interval: Enter a value for the detection interval.
    7. (Optional) Actions: Click the pencil icon to update an anomaly rule. Click the x icon to delete an existing rule.
    Figure. Anomaly Configuration Fields. Fill out these fields to configure a new anomaly rule.

  4. Click Save .
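The threshold logic described in the Anomalies section (the lower of the count and percentage thresholds fires) and in the Minimum Operations % / Minimum Operation Count steps above, modelled as an added Python illustration. This is not Nutanix code: it assumes audit events are available as (timestamp, user, operation) tuples, uses constructed sample events, and reproduces the page's two worked numbers (10 operations for 1,000 files at 10% and count 10; 5 operations for 100 files at 5%).

```python
"""Illustrative model of the File Analytics anomaly thresholds described on
this page. Constructed example, not Nutanix code."""
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AnomalyRule:
    event: str                  # Events field, e.g. "delete" (lower-case by assumption)
    min_ops_pct: float          # Minimum Operations %
    min_ops_count: int          # Minimum Operation Count
    interval: timedelta         # Type + Interval: how far back the rule looks
    user: Optional[str] = None  # None means All Users, otherwise one individual user


def threshold_for(min_ops_count: int, min_ops_pct: float, file_count: int) -> int:
    """Operations needed to trigger a rule on a server holding file_count files.

    The percentage is converted to an absolute number of operations from the
    file count; whichever of the two thresholds is lower is the one that fires
    (page example: count 10 vs 10% of 1,000 = 100, so 10 operations trigger).
    """
    pct_threshold = math.ceil(min_ops_pct / 100.0 * file_count)
    return min(min_ops_count, pct_threshold)


Event = Tuple[datetime, str, str]  # (timestamp, user, operation)


def evaluate(rule: AnomalyRule, events: Iterable[Event],
             file_count: int, now: datetime) -> Dict[str, int]:
    """Return {user: operation_count} for every user whose matching operations
    inside the look-back window meet the effective threshold."""
    window_start = now - rule.interval
    per_user: Dict[str, int] = defaultdict(int)
    for ts, user, op in events:
        if op != rule.event or not (window_start <= ts <= now):
            continue  # wrong operation type, or outside the detection interval
        if rule.user is not None and user != rule.user:
            continue  # rule scoped to an individual user
        per_user[user] += 1
    threshold = threshold_for(rule.min_ops_count, rule.min_ops_pct, file_count)
    return {u: n for u, n in per_user.items() if n >= threshold}


def constructed_events(now: datetime) -> List[Event]:
    """Constructed sample audit events for the demo (not real audit data)."""
    minute = timedelta(minutes=1)
    events: List[Event] = []
    events += [(now - i * minute, "alice", "delete") for i in range(1, 13)]  # 12 deletes in window
    events += [(now - i * minute, "bob", "delete") for i in range(1, 4)]     # 3 deletes, below threshold
    events += [(now - i * minute, "carol", "read") for i in range(1, 21)]    # 20 reads, wrong operation
    events += [(now - timedelta(hours=3) - i * minute, "dave", "delete")     # 15 deletes, too old
               for i in range(1, 16)]
    return events


def demo() -> Dict[str, int]:
    """Apply a delete rule (count 10 or 10%, 1-hour interval, All Users) to
    the constructed events on a 1,000-file server."""
    now = datetime(2022, 6, 14, 12, 0, 0)  # constructed reference time
    rule = AnomalyRule(event="delete", min_ops_pct=10, min_ops_count=10,
                       interval=timedelta(hours=1))
    return evaluate(rule, constructed_events(now), file_count=1000, now=now)


if __name__ == "__main__":
    print(demo())  # {'alice': 12}
```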

Configuring an SMTP Server

File Analytics uses a simple mail transport protocol (SMTP) server to send anomaly alerts.

About this task

To configure an SMTP server, do the following:

Procedure

  1. In the File Analytics web console, click the gear icon > SMTP Configuration.
  2. In the SMTP Configuration window, enter the indicated details in the following fields:
    1. Hostname Or IP Address: Enter a fully qualified domain name or IP address for the SMTP server.
    2. Port: Enter the port to use.
      The standard SMTP ports are 25 (unencrypted), 587 (TLS), and 465 (SSL).
    3. Security Mode: Select the desired security mode from the drop-down list.
      The options are:
      • NONE (unencrypted)
      • STARTTLS (TLS encryption)
      • SSL (SSL encryption)
    4. (If the security mode is "NONE", go to step f.)
    5. User Name: Enter a user name for logging in to the SMTP server. Depending on the authentication method, the user name may require a domain.
    6. Password: Enter the password.
    7. From Email Address: Enter the email address from which File Analytics sends the anomaly alerts.
    8. Recipient Email Address: Enter a recipient email address to test the SMTP configuration.
    Figure. SMTP Configuration. Fields for configuring an SMTP server.

  3. Click Save .

Audit Trails

Use audit trails to look up operation data for a specific user, file, folder, or client.

The Audit Trails tab includes Files, Folders, Users, and Client IP options for specifying the audit type. Use the search bar to specify the entity for the audit (user, folder, file, or client IP).

The results table presents details for entities that match the search criteria. Clicking the entity name (or client IP number) takes you to the Audit Trails dashboard for the target entity.

View Audit Trails

Audit a user, file, client, or folder.

About this task

Procedure

  1. Click the Audit Trails tab.
  2. Select the Files , Folders , Users , or Client IP option.
  3. Enter the audit trails target into the search bar.
  4. Click Search .
  5. To display audit results in the Audit Trails window, click the entity name (or client IP number).

Audit Trails - Users

Dashboard details for user Audit Trails.

Audit Trails Search - Users

When you search by user in the Audit Trails tab, search results display the following information in a table.

  • User Name
  • Domain
  • Last Operation
  • Last Operation On
  • Share Name
  • Operation Date
  • Action
Figure. Users Search Results Click to enlarge A table displays user search results for the query.

Audit Details Page - Users

Clicking View Audit displays the Audit Details page, which shows the following audit information for the selected user.

  • A User Events graph displays the operations the user performed during the selected period and each operation's share of the total operations in that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operations include:
      • Create File
      • Delete
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Read
      • Remove Directory
      • Rename
      • Set Attribute
      • Write
      • Symlink
    • The filter bar , above the User Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific information. See more details below.
  • The Reset Filters button removes all filters.
Figure. User Audit Details - Events Click to enlarge User Events table displays event rates for various operations performed by the user.

The Results table provides granular details of the audit results. The following data is displayed for every event.

  • User Name
  • User IP Address
  • Operation
  • Operation Date
  • Target File

Click the gear icon for options to download the data as an XLS, CSV, or JSON file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.
Figure. Results Table Click to enlarge The results table displays a detailed view of the audit data.
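The downloaded Results table is the artifact an analyst actually works with once an audit runs past what the console graph shows. The following added example (not Nutanix code) reads a CSV export with the five columns listed above, rebuilds the operation breakdown, flags short bursts of Delete or Permission Denied events, and warns when the row count hits the 10,000 download cap and the export may therefore be incomplete. The sample CSV text, the timestamp format, and the burst thresholds are constructed assumptions; only the column names and the cap come from the guide.

```python
"""Review an Audit Trails export for one user offline.  Added example, not
Nutanix code.  The column names are those of the Users Results table; the
CSV text, the timestamp format and the thresholds are constructed assumptions."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List

EXPORT_LIMIT = 10_000              # CSV/JSON download cap stated in the guide
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed; match it to the real export

# Constructed sample export: one user, a cleanup, then a run of denied reads.
SAMPLE_CSV = """\
User Name,User IP Address,Operation,Operation Date,Target File
jdoe,10.0.0.15,Read,2022-06-01 09:00:01,/finance/q1.xlsx
jdoe,10.0.0.15,Write,2022-06-01 09:01:10,/finance/q1.xlsx
jdoe,10.0.0.15,Delete,2022-06-01 09:30:00,/finance/old1.xlsx
jdoe,10.0.0.15,Delete,2022-06-01 09:30:02,/finance/old2.xlsx
jdoe,10.0.0.15,Delete,2022-06-01 09:30:03,/finance/old3.xlsx
jdoe,10.0.0.15,Permission Denied,2022-06-01 09:31:00,/hr/salaries.xlsx
jdoe,10.0.0.15,Permission Denied,2022-06-01 09:31:01,/hr/reviews.docx
jdoe,10.0.0.15,Permission Denied,2022-06-01 09:31:02,/hr/payroll.csv
jdoe,10.0.0.15,Read,2022-06-01 14:00:00,/finance/q2.xlsx
"""


def parse_export(text: str) -> List[dict]:
    """Parse the CSV into rows, adding a parsed datetime under 'when'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["when"] = datetime.strptime(row["Operation Date"], DATE_FORMAT)
    return rows


def may_be_truncated(rows: List[dict]) -> bool:
    """An export with exactly the cap's worth of rows probably lost events;
    narrow the From/To window in the console and export again."""
    return len(rows) >= EXPORT_LIMIT


def operation_breakdown(rows: List[dict]) -> Dict[str, int]:
    """Count events per operation, like the User Events graph but exact."""
    return dict(Counter(row["Operation"] for row in rows))


def burst(rows: List[dict], operation: str, threshold: int,
          window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Target files of the first run of `threshold` or more `operation` events
    that fall inside `window`; empty if no such run exists.  Short bursts of
    Delete or Permission Denied are what a reviewer looks for first."""
    hits = sorted((r for r in rows if r["Operation"] == operation),
                  key=lambda r: r["when"])
    for start in range(len(hits)):
        end = start
        while end < len(hits) and hits[end]["when"] - hits[start]["when"] <= window:
            end += 1
        if end - start >= threshold:
            return [r["Target File"] for r in hits[start:end]]
    return []


def review(text: str) -> dict:
    """Run every check over one export and return a report dict."""
    rows = parse_export(text)
    return {
        "events": len(rows),
        "maybe_truncated": may_be_truncated(rows),
        "breakdown": operation_breakdown(rows),
        "delete_burst": burst(rows, "Delete", threshold=3),
        "denied_burst": burst(rows, "Permission Denied", threshold=3),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

Replace SAMPLE_CSV with the contents of a real download (`review(open(path).read())`) after confirming the Operation Date format. The same approach applies to the Folders, Files, and Client IP exports described later, with their own column names substituted.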

Audit Trails - Folders

Dashboard details for folder audits.

The following information displays when you search by folder in the Audit Trails tab.

  • Folder Name
  • Folder Owner Name
  • Share Name
  • Parent Folder
  • Last Operation
  • Last Operation By
  • Last Operation Date
  • Action
Figure. Folders Search Results Click to enlarge

The Audit Details page shows the following audit information for the selected folder.

  • A Folder Events graph displays the operations performed on the folder during the selected period and each operation's share of the total operations in that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operations include:
      • Select All
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Remove Directory
      • Rename
      • Set Attribute
    • A filter bar , above the Folder Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
  • The Reset Filters button removes all filters.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • User Name
  • Client IP
  • Operation
  • Operation Date

Click the gear icon for options to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.

Audit Trails - Files

Dashboard details for file audits.

Audit Trails for Files

When you search by file in the Audit Trails tab, the following information displays:

  • File Name
  • File Owner Name
  • Share Name
  • Parent Folder
  • Last Operation
  • Last Operation By
  • Last Operation Date
  • Action
Figure. Files Search Results Click to enlarge A table displays file search results for the query.

Note: File Analytics does not support regular-expression (RegEx) based search.

The Audit Details page shows the following audit information for the selected file.

  • A File Events graph displays the operations performed on the file during the selected period and each operation's share of the total operations in that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operation types include:
      • Close File
      • Create File
      • Delete
      • Make Directory
      • Open
      • Read
      • Rename
      • Set Attribute
      • Write
      • Symlink
    • A filter bar , above the File Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
    • The Reset Filters button removes all filters.
Figure. Files Audit Details - Events Click to enlarge File Events table displays event rates for various operations for the file.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • Username
  • Client IP
  • Operation
  • Operation Date

Click the gear icon for options to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.
Figure. Results Table Click to enlarge The results table displays a detailed view of the audit data.

Audit Trails - Client IP

Dashboard details for client IP Audit Trails.

Audit Trails Search - Client IP

When you search by client IP in the Audit Trails tab, search results display the following information in a table.

  • Client IP
  • User Name
  • Domain
  • Last Operation
  • Last Operation On
  • Share Name
  • Operation Date
  • Action
Figure. IP Search Results Click to enlarge A table displays IP search results for the query.

The Audit Details page shows the following audit information for the selected client.

  • A User Events graph displays the operations performed from the client during the selected period and each operation's share of the total operations in that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operation types include:
      • Create File
      • Delete
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Read
      • Remove Directory
      • Rename
      • Set Attribute
      • Write
      • Symlink
      • Permission Denied (File Blocking)
    • A filter bar , above the User Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
    • The Reset Filters button removes all filters.
Figure. Files Audit Details - Events Click to enlarge File Events table displays event rates for various operations for the file.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • User Name
  • Operation
  • Target File
  • Operation Date

Click the gear icon for an option to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.

File Analytics Options

You can get more insight into the usage and contents of files on your system by configuring and updating File Analytics features and settings. Some options include scanning the files on your file server on demand, updating data retention, and configuring data protection.

Updating Data Retention

The data retention period determines how long File Analytics retains event data.

About this task

Follow the steps as indicated to configure data retention.

Procedure

  1. In File Analytics, click the gear icon > Update Data Retention .
  2. In the Data Retention Period drop-down, select the period for data retention.
  3. Click Update .

Scanning the File System

Once enabled, File Analytics scans the metadata of all files and shares on the system. You can perform an on-demand scan of shares in your file system.

About this task

To scan shares, perform the following task:

Procedure

  1. In File Analytics, click the gear icon .
  2. In the drop-down list, click Scan File System .
    Figure. Scan File System Option Click to enlarge

  3. In the list of shares, select the target shares for the scan.
    Figure. Select Scan Targets Click to enlarge

  4. Click Scan .
    The status of the share is In Progress . Once the scan is complete, the status changes to Completed .

Blacklisting

Blacklist users, file extensions, and client IPs.

About this task

Use the blacklisting feature to stop File Analytics from recording audit events for specified file extensions, users, and client IPs.

Procedure

  1. Click the gear icon > Define Blacklisting Rules .
  2. Click the pencil icon in the user, file extension, or client IP row.
  3. Add a comma-separated list of the entities that you want blacklisted.
  4. Click Save in the updated row.

Data Protection

Configure File Analytics disaster recovery (DR) using Prism Element.

File Analytics only supports async disaster recovery. File Analytics does not support NearSync and metro availability.

Create an async protection domain, configure a protection domain schedule, and configure remote site mapping. The remote site must have symmetric configurations to the primary site. The remote site must also deploy File Analytics to restore a File Analytics VM (FAVM).

The Data Protection section in the Prism Web Console Guide provides more detail on the disaster recovery process.

Configuring Disaster Recovery

To set up disaster recovery for File Analytics, create an async protection domain, configure a protection domain schedule, and configure remote site mapping.

About this task

By default, the File Analytics volume group resides on the same container that hosts vDisks for Nutanix Files.

Procedure

  1. If you have not done so already, configure a remote site for the local cluster.
    See the Configuring a Remote Site (Physical Cluster) topic in the Prism Web Console Guide for this procedure.
  2. Create an async DR protection domain for the File Analytics volume group as the entity. The volume group name is File_Analytics_VG .
    See Configuring a Protection Domain (Async DR) in the Prism Web Console Guide .
  3. In the Schedule tab, click the New Schedule button to add a schedule.
    Add a schedule, as File Analytics does not provide a default schedule. See Creating a Protection Domain Schedule (Files) in the Nutanix Files Guide .
  4. Configure local and remote container mapping.
    See the Configuring Disaster Recovery (Files) section in the Nutanix Files Guide for steps to configure mapping between local and remote containers.
  5. Create a protection domain schedule.
    See Creating a Protection Domain Schedule (Files) in the Nutanix Files Guide .

Activating Disaster Recovery

Recover a File Analytics VM (FAVM) after a planned or unplanned migration to the remote site.

About this task

Perform the following tasks on the remote site.

Procedure

  1. Fail over to the protection domain for disaster recovery activation.
    See the Failing Over a Protection Domain topic in the Prism Web Console Guide .
  2. Fail back the protection domain to the primary site.
    See the Failing Back a Protection Domain topic in the Prism Web Console Guide .

Deploying File Analytics on a Remote Site

Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.

About this task

To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.

Before you begin

Ensure that the Nutanix Files and AOS versions on the remote site match those on the primary site.

About this task

Run the following commands from the command prompt inside the FAVM.

Procedure

  1. Deploy a new File Analytics instance on the remote site, see Deploying File Analytics.
    Caution: Do not enable File Analytics.
    The remote site requires an iSCSI data service IP address to configure the FAVM on the remote site. This procedure deploys a new volume group File_Analytics_VG and deletes it in a subsequent step.
  2. On the remote site, create a volume group by restoring the snapshot of the File_Analytics_VG .
    See Restoring an Entity from a Protection Domain in the Prism Web Console Guide . For the How to Restore step, use the Create new entities option, and specify a name in the Volume Group Name Prefix field. The restored volume group name format is prefix -File_Analytics_VG.
  3. In the Storage Table view, go to the Volumes tab.
    1. Copy the target IQN prefix from the Volume Group Details column.
      Tip: Click the tooltip to see the entire IQN prefix.
  4. To configure the FAVM on the remote, follow these steps:
    Caution: If the IP address of the File Analytics VM has changed on the remote site, contact Nutanix Support before proceeding.
    1. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    2. To discover all storage devices accessed by the FAVM, run the following command.
      nutanix@favm$  sudo blkid
    3. Copy the cvm.config file to the temporary files directory.
      nutanix@favm$ cd /mnt/containers/config/common_config/
      nutanix@favm$ sudo cp cvm.config /tmp
    4. Stop the File Analytics services.
      nutanix@favm$  sudo systemctl stop monitoring
      nutanix@favm$  docker stop $(docker ps -q)
      nutanix@favm$  sudo systemctl stop docker
    5. Unmount and log off from all iSCSI targets.
      nutanix@favm$ sudo umount /mnt
      nutanix@favm$ sudo /sbin/iscsiadm -m node -u
    6. Remove the disconnected target records from the discoverydb mode of the FAVM.
      nutanix@favm$  sudo /sbin/iscsiadm -m node -o delete
    7. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      The output does not show the /dev/sdb device.
    8. Get the File Analytics Linux client iSCSI initiator name.
      nutanix@favm$  sudo cat /etc/iscsi/initiatorname.iscsi
      The output displays the initiator name.
      InitiatorName=iqn.1991-05.com.redhat:8ef967b5b8f
    9. Copy the iSCSI initiator name.
    10. Remove the iSCSI initiator name from the client whitelist of the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    11. Whitelist the FAVM client on the cloned volume group prefix -File_Analytics_VG using the iSCSI initiator name of the FAVM client.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    12. Let the FAVM's iSCSI initiator discover the cluster and its volume groups.
      nutanix@favm$  sudo /sbin/iscsiadm --mode discovery --type sendtargets --portal  data_services_IP_address:3260
      Clicking the Nutanix cluster name in Prism displays cluster details including the data service IP address. The output displays the restored iSCSI target from step 2.
    13. Connect to the volume target by specifying the IQN prefix copied in step 3.
      nutanix@favm$  sudo /sbin/iscsiadm --mode node --targetname iqn_name --portal data_services_IP_address:3260,1 --login
    14. Restart the FAVM to restart the iSCSI host adapters, which allows the discovery of the attached volume group.
      nutanix@favm$  sudo reboot
    15. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    16. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      The FAVM discovers the attached iSCSI volume group and assigns it to the /dev/sdb device.
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      /dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"
    17. Delete the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    18. Rename the restored volume group prefix -File_Analytics_VG to File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    19. Create a backup of the cvm.config file.
      nutanix@favm$ cd /mnt/containers/config/common_config/
      nutanix@favm$ mv cvm.config cvm_bck.config
    20. Copy the cvm.config file from the /tmp directory to /common_config/ on the FAVM.
      nutanix@favm$ cd /tmp
      nutanix@favm$ mv cvm.config /mnt/containers/config/common_config/
    21. Reconfigure the password of the user on Prism for internal FAVM operations. Replace new password with a passphrase of your choice. File Analytics uses the password only for internal communication between Prism and the FAVM. You must run the command twice, once with each set of options shown.
      nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
       --password='new password' --local_update
      nutanix@favm$  sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
      --password='new password' --prism_user=admin --prism_password='Prism admin password'
    22. In File Analytics, go to gear icon > Scan File System to check if a file system scan can be initiated.
      Note: If you receive errors, disable and re-enable File Analytics, see "Disabling File Analytics" and "Enabling File Analytics."
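Steps 7 and 16 of the procedure above both rely on reading `blkid` output by eye to confirm that the volume group device is absent before the iSCSI login and present after the reboot, and step 8 on copying the initiator IQN correctly. The following added example (not Nutanix code) turns those checks into functions: it parses `blkid` lines, extracts and sanity-checks the IQN from an initiatorname.iscsi file, and reports whether each stage looks as the procedure expects. The embedded text is the sample output the guide shows for those commands; the function names and the IQN format check are this example's own.

```python
"""Pre-flight parsing for the FAVM restore procedure above.  Added example,
not Nutanix code.  The blkid and initiatorname.iscsi text below is the sample
output the guide shows; the check functions are this example's own."""
import re
from typing import Dict, Optional

# blkid prints one line per device: "<dev>: KEY="value" KEY="value" ...".
_KV = re.compile(r'(\w+)="([^"]*)"')
# IQN shape: iqn.YYYY-MM.reversed-domain[:identifier]
_IQN = re.compile(r"^iqn\.\d{4}-\d{2}\.[a-z0-9.-]+(?::.+)?$", re.IGNORECASE)

# Sample output from the guide: step 7 (no /dev/sdb) and step 16 (with it).
BEFORE_LOGIN = """\
/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
"""
AFTER_REBOOT = BEFORE_LOGIN + '/dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"\n'
INITIATOR_FILE = "InitiatorName=iqn.1991-05.com.redhat:8ef967b5b8f\n"


def parse_blkid(text: str) -> Dict[str, Dict[str, str]]:
    """Map each device path to its KEY=value attributes."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        dev, _, attrs = line.partition(":")
        devices[dev.strip()] = dict(_KV.findall(attrs))
    return devices


def volume_group_uuid(blkid_text: str, device: str = "/dev/sdb") -> Optional[str]:
    """UUID of the attached volume group device, or None when it is not present."""
    return parse_blkid(blkid_text).get(device, {}).get("UUID")


def initiator_name(text: str) -> str:
    """Extract and sanity-check the IQN from /etc/iscsi/initiatorname.iscsi content.
    A malformed value here means the whitelist edit in steps 10 and 11 would
    silently match nothing."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "InitiatorName":
            iqn = value.strip()
            if not _IQN.match(iqn):
                raise ValueError(f"unexpected initiator name: {iqn!r}")
            return iqn
    raise ValueError("InitiatorName not found")


def stage_ok(blkid_text: str, expect_attached: bool) -> bool:
    """Step 7 expects /dev/sdb absent; step 16 expects it present."""
    return (volume_group_uuid(blkid_text) is not None) == expect_attached


if __name__ == "__main__":
    # On a live FAVM, feed these functions the output of `sudo blkid` and the
    # contents of /etc/iscsi/initiatorname.iscsi instead of the sample text.
    print("initiator:", initiator_name(INITIATOR_FILE))
    print("before login, sdb absent:", stage_ok(BEFORE_LOGIN, expect_attached=False))
    print("after reboot, sdb present:", stage_ok(AFTER_REBOOT, expect_attached=True))
```

If `stage_ok` reports False after the reboot in step 16, the login in step 13 or the whitelist change in step 11 did not take effect, and continuing to step 17 would delete the only volume group the FAVM can currently see.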
File Analytics Guide

Files 3.1

Product Release Date: 2022-04-05

Last updated: 2022-11-04

File Analytics

File Analytics provides data and statistics on the operations and contents of a file server.

Once deployed, Nutanix Files adds a File Analytics VM (FAVM) to the Files cluster. A single File Analytics VM supports all file servers in the cluster; however, you must enable File Analytics separately for each file server. File Analytics protects data on the FAVM, which is kept in a separate volume group.

Once you deploy File Analytics, a new File Analytics link appears on the file server actions bar. Use the link to access File Analytics on any file server that has File Analytics enabled.
Note: File Analytics supports dual NIC configuration for segmented networks. Contact Nutanix Support for assistance.
Figure. File Analytics VM Click to enlarge

Display Features

The File Analytics web console consists of display features:

Main menu bar : The main menu bar appears at the top of every page of the File Analytics web console. The main menu bar includes the following display features:

  • Dashboard tab : View widgets that present data on file trends, distribution, and operations, see Dashboard.
  • Audit Trails tab : Search for a specific user or file and view various widgets to audit activity, see Audit Trails.
  • Anomalies tab : Create anomaly policies and view anomaly trends, see Anomalies.
  • Ransomware tab : Configure ransomware protection and self-service restore (SSR) snapshots, see Ransomware Protection.
    Warning: Ransomware protection helps detect potential ransomware. Nutanix does not recommend using the File Analytics ransomware feature as an all-encompassing ransomware solution.
  • Reports tab : Create custom reports or use pre-canned report templates, see Reports.
  • Status icon : Check the file system scan status.
  • File server drop-down : View the name of the file server for which data is displayed.
  • Settings drop-down : Manage File Analytics and configure settings, see Administration and File Analytics Options.
  • Health icon : Check the health of File Analytics, see Health.
  • Admin dropdown : Collect logs and view the current File Analytics version.

Deployment Requirements

Meet the following requirements prior to deploying File Analytics.

Ensure that you have performed the following tasks and your Files deployment meets the following specifications.

  • Assign the file server administrator role to an Active Directory (AD) user, see Managing Roles in the Nutanix Files Guide .
  • Log on as the Prism admin user to deploy the File Analytics server.
  • Configure a VLAN with one dedicated IP address for File Analytics, or you can use an IP address from an existing Files external network. This IP address must have connectivity to AD, the control VM (CVM), and Files. See "Configuring a Virtual Network For guest VM Interfaces" in the Prism Web Console Guide.
    Note: Do not install File Analytics on the Files internal network.
  • (optional) Assign the file server administrator role to an LDAP user, see Managing Roles in the Nutanix Files Guide .
  • Ensure that all software components meet the supported configurations and system limits, see the File Analytics Release Notes .

Network Requirements

Open the required ports, and ensure that your firewall allows bi-directional Internet Control Message Protocol (ICMP) traffic between the FAVM and CVMs.

The Port Reference provides detailed port information for Nutanix products and services, including port sources and destinations, service descriptions, directionality, and protocol requirements.

In addition to meeting the File Analytics network requirements, ensure to meet Nutanix Files port requirements as described in the Port Reference .

Limitations

File Analytics has the following limitations.

Note: Depending on data set size, file count, and workload type, enabling File Analytics can affect the performance of Nutanix Files. High latency is more common with heavy file-metadata operations (directory and file creation, deletion, permission changes, and so on). To minimize the impact on performance, ensure that the host has enough CPU and memory resources to handle the File Analytics VM (FAVM), file servers, and guest VMs (if any).
  • Only Prism admin can deploy File Analytics.
  • File Analytics retains data for a period from one day up to 1 year, depending on the configuration. File Analytics automatically deletes data older than the configured period.
    Note: After surpassing the audit event threshold, as specified in File Analytics Release Notes , Analytics archives the oldest events. Archived audit events do not appear in the Analytics UI.
  • You cannot deploy or decommission File Analytics when a file server has high-availability (HA) mode enabled.
  • You cannot use network segmentation for Nutanix Volumes with File Analytics.
  • If file server DNS or IP changes, File Analytics does not automatically reconfigure.
  • File Analytics does not collect metadata for files on Kerberos authenticated NFS v4.0 shares.
  • File Analytics does not support hard links.
  • You cannot enable File Analytics on a file server clone.
  • You cannot move File Analytics to another storage container.
  • File Analytics creates an unprotected Prism and an unprotected file server user for integration purposes. Do not delete these users.
  • The legacy file blocking policy has an upper limit of 300 ransomware extensions.
    Note: For higher limits, it is recommended to use Nutanix Data Lens.
  • File Analytics does not support the following operations for graceful shutdown:
    • AHV: power cycle, power off
    • ESXi: power off, reset
  • File Analytics log collection from CVM fails with dual NIC setup.
  • File Analytics does not collect metadata information on shares, offline shares, and encrypted shares.
  • Teardown of File Analytics fails in case of dual NIC setup.

Administration

Overview of administrative processes for File Analytics.

As an admin, you have the required permissions for performing File Analytics administrative tasks. To add a file server admin user, see Managing Roles in the Nutanix Files Guide . The topics in this chapter describe the basics for administering your File Analytics environment. For advanced administrative options, refer to the File Analytics Options chapter.

Role-based Access Control for File Analytics

Prism Element supports role-based access control (RBAC) that allows you to configure and provide customized access to the users based on their assigned roles.

Note: Logging in to File Analytics with a local user created on Prism Central is not supported.

From the Prism Element dashboard, you can assign a set of predefined built-in roles (system roles) to users or user groups. File Analytics supports the following built-in roles (system roles) that are defined by default:

Note: Only administrators (Super Admin or a Prism Admin in Prism Element) can create roles for File Analytics.
    • Viewer : Gives users view-only access to the information; they cannot perform any administrative (create or modify) tasks.
    • Cluster and User Admin : Allows users to view information, perform administrative tasks, and create and modify operations.
    For more information on Role Based Access Control, refer to the Controlling User Access (RBAC) , Built-in Role Management , Configuring Role Mapping , and Managing Local User Accounts sections in the Security Guide .

Deploying File Analytics

Follow this procedure to deploy the File Analytics server.

Before you begin

Ensure that your environment meets all requirements prior to deployment, see Deployment Requirements.

Procedure

Deploying the File Analytics server.
  1. Go to Support Portal > Downloads > File Analytics .
  2. Download the File Analytics QCOW2 and JSON files.
  3. Log on to Prism with the user name and password of the Prism administrator.
    Note: An Active Directory (AD) user or an AD user mapped to a Prism admin role cannot deploy File Analytics.
  4. In Prism, go to the File Server view and click the Deploy File Analytics action link.
    Figure. File Analytics Click to enlarge

  5. Review the File Analytics requirements and best practices in the Pre-Check dialog box.
  6. In the Deploy File Analytics Server dialog box, do the following in the Image tab.
    • Under Available versions , select one of the available File Analytics versions (then continue to step 8).
    • Install by uploading installation binary files (continue to next step).
  7. Upload installation files.
    1. In the Upload binary section, click upload the File Analytics binary to upload the File Analytics JSON and QCOW files.
      Figure. Upload Binary Link Click to enlarge
    2. Under File Analytics Metadata File (.Json) , click Choose File to choose the downloaded JSON file.
    3. Under File Analytics Installation Binary (.Qcow2) click Choose File to choose the downloaded QCOW file.
      Figure. Upload Binary Files Click to enlarge
    4. Click Upload Now after choosing the files.
  8. Click Next .
  9. In the VM Configuration tab, do the following in the indicated fields:
    1. Name : Enter a name for the File Analytics VM (FAVM).
    2. Server Size : Select either the small or large configuration. Large file servers require larger configurations for the FAVM. By default File Analytics selects the large configuration.
    3. Storage Container: select a storage container from the drop-down.
      The drop-down displays the storage containers.
      Note: From AOS 5.15.3 version onward, the drop-down displays all storage containers. For earlier AOS versions, the drop-down only displays file server storage containers.
    4. Network List : Select a VLAN.
      Note: If the selected network is unmanaged , enter more network details in the Subnet Mask , Default Gateway IP , and IP Address fields as indicated.
      Note: The FAVM must use the client-side network.
      Note: For ESXi, do not use the Controller VM (CVM) backplane network. The CVM backplane network is not supported and any later upgrade operations might fail.
  10. Click Deploy .
    In the main menu drop-down, select the Tasks view to monitor the deployment progress.

Results

Once deployment is complete, File Analytics creates an FAVM, CVM, and a new Files user to make REST API calls. Do not delete the CVM, FAVM, or the REST API user.

Enabling File Analytics

Steps for enabling File Analytics after deployment or disablement.

About this task

Attention: Nutanix recommends enabling File Analytics during off-peak hours.

Follow these steps to enable File Analytics after disabling the application.

Note: File Analytics saves all previous configurations.

Procedure

  1. In the File Server view in Prism , select the target file server.
  2. (Skip to step 3 if you are re-enabling a file server.) Click Manage roles to add a file server admin user, see Managing Roles in the Nutanix Files Guide .
  3. In the File Server view, select the target file server and click File Analytics in the tabs bar.
  4. (Skip to step 5 if you are not re-enabling a disabled instance of File Analytics.) To re-enable File Analytics, click Enable File Analytics in the message bar.
    Figure. Enabling File Analytics Link Click to enlarge
    The Enable File Analytics dialog-box appears. Skip the remaining steps.
  5. In the Data Retention field, select a data retention period. The data retention period refers to the length of time File Analytics retains audit events.
  6. In the Authentication section, enter the credentials as indicated:
    Note: AD passwords for the file server admin cannot contain the following special characters: comma (,), single quote ('), double quote ("). Using the special characters in passwords prevents File Analytics from performing file system scans.
    1. (For SMB users only) In the SMB section, do the following in the indicated fields to provide SMB authentication details:
      • Active Directory Realm Name : Confirm the AD realm name for the file server.
      • Username : Enter the AD username for the file server administrator, see File Analytics Prerequisites .
      • Password : Enter the AD user password for the file server administrator.
    2. (For NFS users only) In the NFS Authentication section, do the following in the indicated fields to provide NFS authentication details:
      • LDAP Server URI : Enter the URI of the LDAP server.
      • Base DN : Enter the base DN for the LDAP server.
      • Password : Enter the LDAP user password for the file server administrator.


  7. Click Enable .

Results

After enablement, File Analytics performs a one-time file system scan to pull metadata information. The duration of the scan varies depending on the protocol of the share. There is no system downtime during the scan.

Example

Scanning 3–4 million NFS files or 1 million SMB files takes about 1 hour.

Disabling File Analytics

About this task

Follow the steps as indicated to disable File Analytics.

Procedure

  1. In File Analytics, click the gear icon > Disable File Analytics .
  2. In the dialog-box, click Disable .
    Disabling File Analytics disables data collection. The following message banner appears.
     File Analytics is disabled on the server. Enable File Analytics to start collecting data again or Delete File Analytics Data. 

What to do next

To delete data, click the Delete File Analytics Data link in the banner described in Step 2.

Launching File Analytics

About this task

Do the following to launch File Analytics.

Procedure

  1. From the Prism views drop-down, select the File Server view.
  2. Select the target file server from the entity tab.
  3. Click the File Analytics action button below the entity table.
    Figure. Launch File Analytics: The File Analytics action button.

File Analytics VM Management

To update a File Analytics VM (FAVM), refer to the sizing guidelines in the File Analytics release notes and follow the steps in the VM Management topic of the Prism Web Console Guide .

Removing File Analytics VMs

Remove a File Analytics VM (FAVM) by disabling it and deleting it from the cluster in Prism.

About this task

Follow the steps as indicated to remove an FAVM.
Note: Do not delete an FAVM using the CLI, as this operation does not decommission the FAVM.

Procedure

  1. Disable File Analytics on all file servers in the cluster, see Disabling File Analytics.
  2. In the File Server view in Prism Element, do the following:
    1. In the top actions bar, click Manage File Analytics .
    2. Click Delete to remove the FAVM.
    When you delete an FAVM, you also delete all of your File Analytics configurations and audit data stored on the FAVM.

Updating Credentials

About this task

Follow the steps as indicated to update authentication credentials for LDAP or Active Directory.

Procedure

  1. Click the gear icon > Update AD/LDAP Configuration .
  2. To update Active Directory credentials, do the following in the indicated fields (otherwise move on to the next step).
    Note: AD passwords for the file server admin cannot contain the following special characters: comma (,), single quote ('), double quote ("). Using the special characters in passwords prevents File Analytics from performing file system scans.
    1. Active Directory Realm Name: confirm or replace the realm name.
    2. Username: confirm or replace the username.
    3. Password: type in the new password.
  3. To update NFS configuration, do the following (otherwise move on to the next step).
    1. LDAP Server URI: confirm or replace the server URI.
    2. Base DN: confirm or replace the base distinguished name (DN).
    3. Bind DN (Optional): confirm or replace the bind distinguished name (DN).
    4. Password: type in the new password.
  4. Click Save .

Managing Deleted Share/Export Audits

Manage the audit data of deleted shares and exports.

About this task

By default, File Analytics retains deleted share and export data. The dashboard widgets do not account for data of deleted shares and exports. The deleted marker appears next to deleted shares and exports in audit trails. The Manage Share/Export Audit data window displays a list of deleted shares and exports.

Follow the directions as indicated to delete audit data for the deleted share or export.

Note: You cannot restore the deleted audit data of a deleted share or export.

Procedure

  1. Click the gear icon > Manage Deleted Share/Export Audit .
  2. Check the box next to the share or export name.
  3. Click Delete .
  4. In the confirmation window, click Delete to confirm the deletion of data.
    In the Manage Deleted Share/Export Audit window, a progress bar next to the share name displays the progress of the deletion. File Analytics treats deletion of a deleted share's audit data as a low-priority task, which can take several hours to finish.

Changing an FAVM Password

Steps for updating the password of a File Analytics VM (FAVM).

Procedure

  1. Log on to an FAVM with SSH.
  2. Change the nutanix password.
    nutanix@fsvm$ sudo passwd nutanix
  3. Respond to the prompts, providing the current and new nutanix user password.
    Changing password for user nutanix.
    Old Password:
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    Note:

    The password must meet the following complexity requirements:

    • At least 8 characters long
    • At least 1 lowercase letter
    • At least 1 uppercase letter
    • At least 1 number
    • At least 1 special character
    • At least 4 characters difference from the old password
    • Should not be among the last 10 passwords
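
The complexity rules above can be checked before a password change is attempted. The following is an added example and not Nutanix code; it assumes that "4 characters difference" means four characters of the new password that do not occur in the old one (the PAM module on the FAVM may count differently) and keeps the password history as hashes rather than clear text.

```python
"""Password-policy checker for the rules listed above (added example, not
Nutanix code). The 'at least 4 characters difference' rule is implemented as
the number of characters in the new password that do not occur anywhere in
the old one (an assumption; the PAM module on the FAVM may count differently).
History is kept as hashes so old passwords are never stored in clear text."""
import hashlib
import string

MIN_LENGTH = 8
MIN_DIFFERENT_CHARS = 4
HISTORY_DEPTH = 10
SPECIAL_CHARS = set(string.punctuation)


def hash_for_history(password):
    # Demo only: a real history store would use a salted, slow password hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def char_difference(new, old):
    """Characters of the new password (with repeats) that never appear in the old one."""
    old_chars = set(old)
    return sum(1 for c in new if c not in old_chars)


def check_password(new, old, history_hashes):
    """Return the rules the candidate violates; an empty list means it is acceptable.

    history_hashes: hashes of previous passwords, oldest first; only the last
    HISTORY_DEPTH entries are consulted, matching the 'last 10 passwords' rule.
    """
    violations = []
    if len(new) < MIN_LENGTH:
        violations.append("length")
    if not any(c.islower() for c in new):
        violations.append("lowercase")
    if not any(c.isupper() for c in new):
        violations.append("uppercase")
    if not any(c.isdigit() for c in new):
        violations.append("digit")
    if not any(c in SPECIAL_CHARS for c in new):
        violations.append("special")
    if char_difference(new, old) < MIN_DIFFERENT_CHARS:
        violations.append("too_similar_to_old")
    if hash_for_history(new) in history_hashes[-HISTORY_DEPTH:]:
        violations.append("reused")
    return violations


if __name__ == "__main__":
    # Constructed sample: the old password and a few candidates.
    old = "Passw0rd!"
    for candidate in ("Zebra#9qX", "passw0rd", "Passw0rd!!"):
        print(candidate, check_password(candidate, old, [hash_for_history(old)]))
```

Running the checker before calling passwd avoids a half-completed change: passwd rejects a weak password only after the old one has been entered, whereas the checker reports every violated rule at once.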

Upgrades

Perform File Analytics upgrades using the Life Cycle Manager feature in Prism Element.

Before you proceed with the FA upgrade, ensure you meet the following:

  • Have a compatible version of AOS and Files.

    Refer to File Analytics release notes for compatibility details. You can upgrade both AOS and Files through Prism Element, see AOS Upgrade in the Prism Web Console Guide .

  • Check the health page of File Analytics to confirm if the overall health is green. See Health.
  • The protection domain (PD) for the File Analytics VM (FAVM) should not include any other entities.

To upgrade File Analytics, perform inventory and updates using the Life-Cycle Manager (LCM), see the Life Cycle Manager Guide for instructions on performing inventory and updates.

Note: The File Analytics UI is not accessible during upgrades.

During the upgrade process, File Analytics takes a snapshot of the volume group (VG) that contains File Analytics data. If issues occur during an upgrade, File Analytics restores the FAVM to the pre-upgrade state. If the volume group is protected and is part of a protection domain, File Analytics creates a snapshot and sets the expiry time to 30 days. If the volume group is not protected, File Analytics creates a snapshot and deletes the snapshot after completing the upgrade successfully. If any errors occur, the system keeps the snapshot for 30 days to troubleshoot the issue.

Upgrade File Analytics at a Dark Site

Upgrade File Analytics at a dark site using the Life-Cycle Manager (LCM).

About this task

Before you begin

You need a local web server reachable by your Nutanix clusters to host the LCM repository.

Procedure

  1. From a device that has public Internet access, go to Nutanix Portal > Downloads > Tools & Firmware .
    1. Download the tar file lcm_dark_site_version.tar.gz .
    2. Transfer lcm_dark_site_version.tar.gz to your local web server and untar into the release directory.
  2. From a device that has public Internet access, go to the Nutanix portal and select Downloads > File Analytics .
    1. Download the following files.
      • file_analytics_dark_site_version.tar.gz
      • nutanix_compatibility.tgz
      • nutanix_compatibility.tgz.sign
    2. Transfer file_analytics_dark_site_version.tar.gz to your local web server and untar into the release directory.
    3. Transfer the nutanix_compatibility.tgz and nutanix_compatibility.tgz.sign files to your local web server (overwrite existing files as needed).
  3. Log on to Prism Element.
  4. Click Home > LCM > Settings .
    1. In the Fetch updates from field, enter the path to the directory where you extracted the tar file on your local server. Use the format http://webserver_IP_address/release .
    2. Click Save .
      You return to the Life Cycle Manager.
    3. In the LCM sidebar, click Inventory > Perform Inventory .
    4. Update the LCM framework before trying to update any other component.
      The LCM sidebar shows the LCM framework with the same version as the file you downloaded.

Dashboard

The Dashboard tab displays data on the operational trends of a file server.

Dashboard View

The Dashboard tab is the opening screen that appears after launching File Analytics for a specific file server. The dashboard displays widgets that present data on file trends, distribution, and operations.

Note: Widgets refresh hourly.
Figure. Analytics Dashboard: Widgets in the dashboard view.

Table 1. Dashboard Widgets

Capacity trend
  Description: Displays capacity trends for the file server including capacity added, capacity removed, and net changes. Clicking an event period widget displays the Capacity Trend Details view.
  Intervals: 7 days, the last 30 days, or the last 1 year.

Data age
  Description: Displays the percentage of data by age. Data age determines the data heat, including: hot, warm, and cold.
  Intervals: Default intervals are as follows:
    • Hot data – accessed within the last week.
    • Warm data – accessed within 2 to 4 weeks.
    • Cold data – accessed 4 weeks ago or later.

Permission denials
  Description: Displays users who have had excessive permission denials and the number of denials. Clicking a user displays audit details, see Audit Trails - Users for more.
  Values: [user id], [number of permission denials]

File distribution by size
  Description: Displays the number of files by file size. Provides trend details for top 5 files.
  Intervals: Less than 1 MB, 1–10 MB, 10–100 MB, 100 MB to 1 GB, greater than 1 GB.

File distribution by type
  Description: Displays the space taken up by various applications and file types. The file extension determines the file type. See the File Types table for more details.
  Units: MB or GB

File distribution by type details view
  Description: Displays a trend graph of the top 5 file types. File distribution details include file type, current space used, current number of files, and change in space for the last 7 or 30 days. Clicking View Details displays the File Distribution by Type view.
  Values: Daily size trend for top 5 files (GB), file type (see the File Types table), current space used (GB), current number of files (numeric), change in last 7 or 30 days (GB).

Top 5 active users
  Description: Lists the users who have accessed the most files and the number of operations the user performed for the specified period. When there are more than 5 active users, the more link provides details on the top 50 users. Clicking the user name displays the audit view for the user, see Audit Trails - Users for more.
  Intervals: 24 hours, 7 days, 1 month, or 1 year.

Top 5 accessed files
  Description: Lists the 5 most frequently accessed files. Clicking more provides details on the top 50 files. Clicking the file name displays the audit view details for the file, see Audit Trails - Files for more.
  Intervals: 24 hours, 7 days, 1 month, or 1 year.

Files operations
  Description: Displays the distribution of operation types for the specified period, including a count for each operation type and the total sum of all operations. Operations include: create, delete, read, write, rename, permission changed, set attribute, symlink, permission denied, permission denied (file blocking). Clicking an operation displays the File Operation Trend view.
  Intervals: 24 hours, 7 days, 1 month, or 1 year.

Capacity Trend Details

Clicking an event period in the Capacity Trend widget displays the Capacity Trend Details view for that period. The view includes three tabs: Share/Export , Folder , and Category . Each tab includes columns with entity details: name, net capacity change, capacity added, and capacity removed.

Figure. Capacity Trend Details View: Clicking the Capacity Trend widget in the Dashboard tab displays the Capacity Trend Details view.

Table 2. Capacity Trend Details (column: description)
  • Name: Name of share/export, folder, or category.
  • Net capacity change: The total difference between capacity at the beginning and the end of the specified period.
  • Share name (for folders only): The name of the share or export that the folder belongs to.
  • Capacity added: Total added capacity for the specified period.
  • Capacity removed: Total removed capacity for the specified period.

File Distribution by Type Details

Clicking View Details for the File Distribution by Type widget displays granular details of file distribution, see the File Types table for details.

Figure. File Distribution by Type: Clicking View Details on the File Distribution by Type widget displays the File Distribution by Type dashboard.

Table 3. Details of File Distribution Parameters (parameter: description)
  • File type: Name of the file type
  • Current space used: Space capacity occupied by the file type
  • Current number of files: Number of files for the file type
  • Change (in last 30 days): The increase in capacity over a 30-day period for the specified file type

Table 4. File Types (category: supported file types)
  • Archives: .cab, .gz, .rar, .tar, .z, .zip
  • Audio: .aiff, .au, .mp3, .mp4, .wav, .wma
  • Backups: .bak, .bkf, .bkp
  • CD/DVD images: .img, .iso, .nrg
  • Desktop publishing: .qxd
  • Email archives: .pst
  • Hard drive images: .tib, .gho, .ghs
  • Images: .bmp, .gif, .jpg, .jpeg, .pdf, .png, .psd, .tif, .tiff
  • Installers: .msi, .rpm
  • Log files: .log
  • Lotus Notes: .box, .ncf, .nsf, .ns2, .ns3, .ns4, .ntf
  • MS Office documents: .accdb, .accde, .accdt, .accdr, .doc, .docx, .docm, .dot, .dotx, .dotm, .xls, .xlsx, .xlsm, .xlt, .xltx, .xltm, .xlsb, .xlam, .ppt, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .mdb
  • System files: .bin, .dll, .exe
  • Text files: .csv, .pdf, .txt
  • Video: .avi, .mpg, .mpeg, .mov, .m4v
  • Disk image: .hlog, .nvram, .vmdk, .vmx, .vmxf, .vmtm, .vmem, .vmsn, .vmsd

File Operation Trend

Clicking an operation type in the File Operations widget displays the File Operation Trend view. The File Operation Trend view breaks down the specified period into smaller intervals, and displays the number of occurrences of the operation during each interval.

Figure. Operation Trend: A graph displays the number of times the specified operation took place over time.

Table 5. File Operation Trend View Parameters (parameter: description)
  • Operation type: A drop-down option to specify the operation type. See Files Operations in the Dashboard Widgets table for a list of operation types.
  • Last (time period): A drop-down option to specify the period for the file operation trend.
  • File operation trend graph: The x-axis divides the specified period into shorter intervals. The y-axis shows the number of operations that occurred in each interval.

Health

The Health dashboard displays dynamically updated health information about each file server component.

The Health dashboard includes the following details:

  • Data Summary : Data summary of all file servers with File Analytics enabled.
  • Host Memory : Percent of used memory on the File Analytics VM (FAVM).
  • Host CPU Usage : Percent of CPU used by the FAVM.
  • Storage Summary : Amount of storage space used on the File Analytics data disk or FAVM disk.
  • Overall Health : Overall health of File Analytics components.
  • Data Server Summary : Data server usage by component.
Figure. Health Page: The Health page dashboard includes tiles that dynamically update to indicate the health of relevant entities.

Data Age

The Data Age widget in the dashboard provides details on data heat.

Share-level data is displayed to provide details on share capacity trends. There are three levels of data heat:

  • Hot – frequently accessed data (last accessed within the last week).
  • Warm – infrequently accessed data (last accessed within the last 2 to 4 weeks).
  • Cold – rarely accessed data (last accessed longer than 4 weeks ago).

You can configure the definitions for each level of data heat rather than using the default values. See Configuring Data Heat Levels.

Configuring Data Heat Levels

Update the values that constitute different data heat levels.

Procedure

  1. In the Data Age widget, click Explore .
  2. Click Edit Data Age Configuration .
  3. Do the following in the Hot Data section:
    1. In the entry field next to Older Than , enter an integer.
    2. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
  4. Do the following in the Warm Data section to configure two ranges :
    1. In the first entry field, enter an integer to configure the first range.
    2. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    3. In the second entry field, enter an integer to configure the second range.
    4. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
  5. Do the following in the Cold Data section to configure four ranges :
    1. In the first entry field, enter an integer to configure the first range.
    2. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    3. In the second entry field, enter an integer to configure the second range.
    4. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    5. In the 3rd entry field, enter an integer to configure the 3rd range.
    6. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
    7. (optional) In the 4th entry field, enter an integer to configure the 4th range.
    8. In the dropdown, choose a value for Week(s) , Month(s) , or Year(s) .
  6. Click Apply .
    Note: The new values do not affect the already calculated heat statistics. File Analytics uses the updated values for future heat calculations.
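
The Data Age widget and the configuration steps above amount to bucketing every file by the age of its last access and summing capacity per bucket. The following added example (not Nutanix code) does that with configurable boundaries: the default table reproduces hot (under 1 week), warm (1 to 4 weeks) and cold (older); more entries can be appended to mimic the finer sub-ranges the dialog offers. The file inventory is constructed for the example, and the bucket labels and the half-open age ranges are assumptions.

```python
"""Data heat classification with configurable age boundaries (added example,
not Nutanix code). Files are bucketed by the age of their last access and the
widget percentage is the share of total capacity in each bucket."""
from datetime import datetime, timedelta

# Default heat levels as described above: hot < 1 week, warm 1 to 4 weeks,
# cold beyond 4 weeks. Each entry is (label, upper age bound); None means
# unbounded. Ranges are half-open: a file exactly 7 days old is already warm
# (an assumption about how the product rounds).
DEFAULT_HEAT_LEVELS = [
    ("hot", timedelta(weeks=1)),
    ("warm", timedelta(weeks=4)),
    ("cold", None),
]


def heat_level(last_access, now, levels=DEFAULT_HEAT_LEVELS):
    """Return the label of the first bucket whose upper bound the file's age is below."""
    age = now - last_access
    for label, bound in levels:
        if bound is None or age < bound:
            return label
    return levels[-1][0]


def heat_distribution(files, now, levels=DEFAULT_HEAT_LEVELS):
    """files: iterable of (path, size_bytes, last_access). Returns {label: percent of capacity}."""
    totals = {label: 0 for label, _ in levels}
    grand_total = 0
    for _path, size, last_access in files:
        totals[heat_level(last_access, now, levels)] += size
        grand_total += size
    if grand_total == 0:
        return {label: 0.0 for label in totals}
    return {label: round(100.0 * used / grand_total, 1) for label, used in totals.items()}


# Constructed sample inventory (not real scan output).
NOW = datetime(2022, 6, 14)
SAMPLE_FILES = [
    ("/share/reports/q2.xlsx", 40 * 2**20, NOW - timedelta(days=2)),
    ("/share/reports/q1.xlsx", 40 * 2**20, NOW - timedelta(days=20)),
    ("/share/archive/2019.zip", 120 * 2**20, NOW - timedelta(days=400)),
]

# A custom configuration: hot up to 3 weeks, warm up to 8 weeks, cold beyond.
CUSTOM_HEAT_LEVELS = [
    ("hot", timedelta(weeks=3)),
    ("warm", timedelta(weeks=8)),
    ("cold", None),
]

if __name__ == "__main__":
    print("default:", heat_distribution(SAMPLE_FILES, NOW))
    print("custom: ", heat_distribution(SAMPLE_FILES, NOW, CUSTOM_HEAT_LEVELS))
```

Re-running the distribution with the custom levels moves the 20-day-old report from warm to hot, which is the effect the note above describes: new boundaries only change how future calculations bucket the data.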

Anomalies

Data panes in the Anomalies tab display data and trends for configured anomalies.

The Anomalies tab provides options for creating anomaly policies and displays dashboards for viewing anomaly trends.

You can configure anomalies for the following operations:

  • Creating files and directories
  • Deleting files and directories
  • Permission changes
  • Permission denials
  • Renaming files and directories
  • Reading files and directories

Define anomaly rules by specifying the following conditions:

  • Users exceed an operation count threshold
  • Users exceed an operation percentage threshold

Whichever of the two thresholds is lower is the one that triggers the anomaly.

Consider a scenario where you have 1 thousand files, the operation count threshold defined as 10, and the operation percentage threshold defined as 10%. The count threshold takes precedence, as 10% of 1 thousand is 100, which is greater than the count threshold of 10.

Figure. Anomalies Dashboard: The Anomalies dashboard displays anomaly trends.

Table 1. Anomalies Data Pane Descriptions
  • Anomaly Trend: Displays the number of anomalies per day or per month. Values: Last 7 days, Last 30 days, Last 1 year
  • Top Users: Displays the users with the most anomalies and the number of anomalies per user. Values: Last 7 days, Last 30 days, Last 1 year
  • Top Folders: Displays the folders with the most anomalies and the number of anomalies per folder. Values: Last 7 days, Last 30 days, Last 1 year
  • Operation Anomaly Types: Displays the percentage of occurrences per anomaly type. Values: Last 7 days, Last 30 days, Last 1 year

Anomaly Details

Clicking an anomaly bar in the Anomaly Trend graph displays the Anomaly Details view.

Figure. Anomaly Details View

Table 2. Anomalies Details View Total Results Table (column: description)
  • Anomaly Type: The configured anomaly type. Anomaly types that are not configured do not appear in the table.
  • Total User Count: The number of users that performed the operation causing the specified anomaly during the specified time range.
  • Total Folder Count: The number of folders in which the anomaly occurred during the specified time range.
  • Total Operation Count: The total number of anomalies of the specified anomaly type that occurred during the specified time range.
  • Time Range: The time range for which the total user count, total folder count, and total operation count are given.

Table 3. Anomalies Details View Users/Folders Table (column: description)
  • Username or Folders: The entity for the operation count. Selecting the Users tab shows the operation count for specific users; selecting the Folders tab shows the operation count for specific folders.
  • Operation count: The total number of operations causing anomalies for the selected user or folder during the time period of the bar in the Anomaly Trend graph.

Configuring Anomaly Detection

Steps for configuring anomaly rules.

About this task

To create an anomaly rule, do the following.

Note: Configure an SMTP server for File Analytics to send anomaly alerts, see Configuring an SMTP Server.

Procedure

  1. In the File Analytics web console, click the gear icon > Define Anomaly Rules .
  2. In the Anomaly Email Recipients field, enter a comma-separated list of email recipients for all anomaly alerts and data.
    Note: File Analytics sends anomaly alerts and data to recipients whenever File Analytics detects an anomaly.
  3. To configure a new anomaly, do the following in the indicated fields:
    1. Events : Select a rule for the anomaly from one of the following:
      • Permission changed
      • Permission denied
      • Delete
      • Create
      • Rename
      • Read
      The event defines the scenario type for the anomaly.
    2. Minimum Operations % : Enter a percentage value for the minimum threshold.
      File Analytics calculates the minimum operations percentage based on the number of files. For example, if there are 100 files, and you set the minimum operations percentage to 5, five operations within the scan interval would trigger an anomaly alert.
    3. Minimum Operation Count : Enter a value for a minimum operation threshold.
      File Analytics triggers an anomaly alert after meeting the threshold.
    4. User : Choose if the anomaly rule is applicable for All Users or an Individual user.
    5. Type: the type determines the interval.
      The interval determines how far back File Analytics monitors the anomaly.
    6. Interval : Enter a value for the detection interval.
    7. (optional) Actions : Click the pencil icon to update an anomaly rule. Click the x icon to delete an existing rule.
    Figure. Anomaly Configuration Fields: Fill out these fields to configure a new anomaly rule.

  4. Click Save .
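
The rule semantics from the Anomalies overview (the lower of the count and percentage thresholds wins; 10% of 1,000 files is 100, so a count threshold of 10 takes precedence) and the Minimum Operations % example in step 3 (100 files, 5% gives 5 operations) can be checked against a stream of audit events. The following is an added example and not Nutanix code: it evaluates one rule over constructed events, assumes a per-user count within the detection interval, and treats reaching the threshold as a trigger, as step 3c states.

```python
"""Anomaly-rule evaluation over audit events (added example, not Nutanix code).
A rule names an operation, a minimum percentage of the file count, a minimum
operation count, an optional user and a look-back interval. The effective
threshold is the lower of the two thresholds, and any user whose count in the
interval reaches it is reported."""
from collections import Counter
from datetime import datetime, timedelta


def effective_threshold(file_count, min_pct, min_count):
    """The anomaly fires at whichever threshold is lower (count vs. percent of files)."""
    pct_threshold = file_count * min_pct / 100.0
    return min(pct_threshold, min_count)


def detect_anomalies(events, rule, file_count, now):
    """events: iterable of (timestamp, user, operation, path).
    rule: {"operation", "min_pct", "min_count", "user" (None = all users), "interval" (timedelta)}.
    Returns {user: operation count} for every user at or above the effective threshold."""
    threshold = effective_threshold(file_count, rule["min_pct"], rule["min_count"])
    window_start = now - rule["interval"]
    counts = Counter()
    for ts, user, op, _path in events:
        if op != rule["operation"] or ts < window_start or ts > now:
            continue
        if rule["user"] is not None and user != rule["user"]:
            continue
        counts[user] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed audit events (not real File Analytics data).
NOW = datetime(2022, 6, 14, 12, 0)
EVENTS = (
    [(NOW - timedelta(minutes=i), "alice", "Delete", f"/share/docs/f{i}.docx") for i in range(12)]
    + [(NOW - timedelta(minutes=5 * i), "bob", "Delete", f"/share/docs/g{i}.docx") for i in range(3)]
    + [(NOW - timedelta(days=2, minutes=i), "carol", "Delete", f"/share/old/h{i}.txt") for i in range(20)]
    + [(NOW - timedelta(minutes=i), "alice", "Read", f"/share/docs/f{i}.docx") for i in range(30)]
)

# The scenario from the overview: 1,000 files, 10% and a count of 10, over 24 hours.
DELETE_RULE = {"operation": "Delete", "min_pct": 10, "min_count": 10,
               "user": None, "interval": timedelta(hours=24)}

if __name__ == "__main__":
    print("threshold:", effective_threshold(1000, 10, 10))
    print("anomalous deleters:", detect_anomalies(EVENTS, DELETE_RULE, 1000, NOW))
```

With 1,000 files the effective threshold is 10, so only alice's 12 deletions in the last 24 hours are reported; carol's 20 deletions fall outside the interval and bob's 3 stay under the threshold. Widening the interval to 72 hours brings carol in as well.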

Configuring an SMTP Server

File Analytics uses a simple mail transport protocol (SMTP) server to send anomaly alerts.

About this task

To configure an SMTP server, do the following:

Procedure

  1. In the File Analytics web console, click the gear icon > SMTP Configuration .
  2. In the SMTP Configuration window, enter the indicated details in the following fields:
    1. Hostname Or IP Address : Enter a fully qualified domain name or IP address for the SMTP server.
    2. Port : Enter the port to use.
      The standard SMTP ports are 25 (unencrypted), 587 (TLS), and 465 (SSL).
    3. Security Mode : Select the desired security mode from the dropdown list.
      The options are:
      • NONE (unencrypted)
      • STARTTLS (TLS encryption)
      • SSL (SSL encryption)
    4. (If the security mode is NONE, go to step f.)
    5. User Name : Enter a user name for logging into the SMTP server. Depending on the authentication method, the user name may require a domain.
    6. Password : Enter the password.
    7. From Email Address : Enter the email address from which File Analytics sends the anomaly alerts.
    8. Recipient Email Address : Enter a recipient email address to test the SMTP configuration.
    Figure. SMTP Configuration: Fields for configuring an SMTP server.

  3. Click Save .

Audit Trails

Use audit trails to look up operation data for a specific user, file, folder, or client.

The Audit Trails tab includes Files , Folders , Users , and Client IP options for specifying the audit type. Use the search bar for specifying the specific entity for the audit (user, folder, file, or client IP).

The results table presents details for entities that match the search criteria. Clicking the entity name (or client IP number) takes you to the Audit Trails dashboard for the target entity.

View Audit Trails

Audit a user, file, client, or folder.

About this task

Follow the steps as indicated.

Procedure

  1. Click the Audit Trails tab.
  2. Select the Files , Folders , Users , or Client IP option.
  3. Enter the audit trails target into the search bar.
  4. Click Search .
  5. To display audit results in the Audit Trails window, click the entity name (or client IP number).

Audit Trails - Users

Details for user Audit Trails.

Audit Trails Search - Users

When you search by user in the Audit Trails tab, search results display the following information in a table.

  • User Name
  • Domain
  • Last Operation
  • Last Operation On
  • Share Name
  • Operation Date
  • Action
Figure. Users Search Results: A table displays user search results for the query.

Audit Details Page - Users

Clicking View Audit displays the Audit Details page, which shows the following audit information for the selected user.

  • A User Events graph displays various operations the user performed during the selected period and the percentage of time each operation has occurred per total operations during the specified period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operations include:
      • Create File
      • Delete
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Read
      • Remove Directory
      • Rename
      • Set Attribute
      • Write
      • Symlink
    • The filter bar , above the User Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific information. See more details below.
  • The Reset Filters button removes all filters.
Figure. User Audit Details - Events: The User Events graph displays event rates for the various operations performed by the user.

The Results table provides granular details of the audit results. The following data is displayed for every event.

  • User Name
  • User IP Address
  • Operation
  • Operation Date
  • Target File

Click the gear icon for options to download the data as an xls, csv, or JSON file.

Note: Downloads to CSV and JSON format are limited to 10,000 events.
Figure. Results Table: The results table displays a detailed view of the audit data.
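
Once the Results table has been downloaded, the same breakdown the User Events graph shows (percentage per operation), the operation and date filters, and the 10,000-event cap can be reproduced offline. The following is an added example, not Nutanix code; the CSV sample is constructed with the column names of the Results table above, and its timestamp format is an assumption.

```python
"""Offline analysis of a downloaded user audit export (added example, not
Nutanix code). Parses the CSV, applies operation and date filters, computes
the per-operation percentages the User Events graph displays, and flags an
export that may have been truncated at the 10,000-event limit."""
import csv
import io
from collections import Counter
from datetime import datetime

EXPORT_LIMIT = 10000  # File Analytics caps CSV/JSON downloads at 10,000 events
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumption; adjust to the export's actual format

# Constructed sample export (not real data); columns follow the Results table above.
SAMPLE_CSV = """User Name,User IP Address,Operation,Operation Date,Target File
jsmith,10.0.0.21,Read,2022-06-13 09:02:11,/finance/budget.xlsx
jsmith,10.0.0.21,Write,2022-06-13 09:05:40,/finance/budget.xlsx
jsmith,10.0.0.21,Permission Denied,2022-06-13 09:06:02,/hr/salaries.xlsx
jsmith,10.0.0.21,Permission Denied,2022-06-13 09:06:09,/hr/reviews.docx
jsmith,10.0.0.21,Delete,2022-06-14 17:30:00,/finance/old.xlsx
"""


def parse_export(text):
    """Return the export rows as dicts, with Operation Date parsed to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Operation Date"] = datetime.strptime(row["Operation Date"], DATE_FORMAT)
        rows.append(row)
    return rows


def filter_events(events, operations=None, start=None, end=None):
    """Apply the 'Filter by operations' and From/To filters (bounds inclusive)."""
    kept = []
    for e in events:
        if operations is not None and e["Operation"] not in operations:
            continue
        if start is not None and e["Operation Date"] < start:
            continue
        if end is not None and e["Operation Date"] > end:
            continue
        kept.append(e)
    return kept


def operation_breakdown(events):
    """Percentage of events per operation type, as the User Events graph shows."""
    counts = Counter(e["Operation"] for e in events)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {op: round(100.0 * n / total, 1) for op, n in counts.items()}


def export_may_be_truncated(events):
    """True when the export reached the cap, so the filters should be narrowed and re-exported."""
    return len(events) >= EXPORT_LIMIT


if __name__ == "__main__":
    events = parse_export(SAMPLE_CSV)
    print(operation_breakdown(events))
    denied = filter_events(events, operations={"Permission Denied"})
    print([e["Target File"] for e in denied])
```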

Audit Trails - Folders

Dashboard details for folder audits.

The following information displays when you search by folder in the Audit Trails tab.

  • Folder Name
  • Folder Owner Name
  • Share Name
  • Parent Folder
  • Last Operation
  • Last Operation By
  • Last Operation Date
  • Action
Figure. Folders Search Results

The Audit Details page shows the following audit information for the selected folder.

  • A Folder Events graph displays various operations performed on the folder during the selected period, and the percentage of time each operation has occurred per total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operations include:
      • Select All
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Remove Directory
      • Rename
        Note: Rename operation shows both change of name and change of path for specific file or folder.
      • Set Attribute
    • A filter bar , above the Folder Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
  • The Reset Filters button removes all filters.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • User Name
  • Client IP
  • Operation
  • Operation Date

Click the gear icon for options to download the data as a CSV file.

Note: Downloads to CSV and JSON format are limited to 10,000 events.

Audit Trails - Files

Dashboard details for file audits.

Audit Trails for Files

When you search by file in the Audit Trails tab, the following information displays:

  • File Name
  • File Owner Name
  • Share Name
  • Parent Folder
  • Last Operation
  • Last Operation By
  • Last Operation Date
  • Action
Figure. Files Search Results: A table displays file search results for the query.

Note:
  • File Analytics does not support regular expression (RegEx) based search.
  • A file server supports up to 500 million files with the latest 3 months of audit data.

The Audit Details page shows the following audit information for the selected file.

  • A File Events graph displays various operations performed on the file during the selected period, and the percentage of time each operation has occurred per total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operation types include:
      • Close File
      • Create File
      • Delete
      • Make Directory
      • Open
      • Read
      • Rename
        Note: Rename operation shows both change of name and change of path for specific file or folder.
      • Set Attribute
      • Write
      • Symlink
    • A filter bar , above the File Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
    • The Reset Filters button removes all filters.
Figure. Files Audit Details - Events: The File Events graph displays event rates for the various operations performed on the file.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • Username
  • Client IP
  • Operation
  • Operation Date

Click the gear icon for options to download the data as a CSV file.

Note: Downloads to CSV and JSON format are limited to 10,000 events.
Figure. Results Table: The results table displays a detailed view of the audit data.

Audit Trails - Client IP

Dashboard details for client IP Audit Trails.

Audit Trails Search - Client IP

When you search by client IP in the Audit Trails tab, search results display the following information in a table.

  • Client IP
  • User Name
  • Domain
  • Last Operation
  • Last Operation On
  • Share Name
  • Operation Date
  • Action
Figure. IP Search Results: A table displays IP search results for the query.

The Audit Details page shows the following audit information for the selected client.

  • A User Events graph displays various operations performed from the client during the selected period, and the percentage of time each operation has occurred per total operations during that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operation types include:
      • Create File
      • Delete
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Read
      • Removed Directory
      • Rename
      • Set Attribute
      • Write
      • Symlink
      • Permission Denied (File Blocking)
    • A filter bar , above the File Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
    • The Reset Filters button removes all filters.
Figure. Files Audit Details - Events: The File Events graph displays event rates for the various operations performed from the client.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • User Name
  • Operation
  • Target File
  • Operation Date

Click the gear icon for an option to download the data as a CSV file.

Note: Downloads to CSV and JSON format are limited to 10,000 events.

Ransomware Protection

Ransomware protection for your file server.

Caution: Ransomware protection helps detect potential ransomware. Nutanix does not recommend using the File Analytics ransomware feature as an all-encompassing ransomware solution.

File Analytics scans files for ransomware in real time and notifies you in the event of a ransomware attack once you configure email notifications.

Using a curated list of over 250 signatures that frequently appear in ransomware files, the Nutanix Files file blocking mechanism identifies and blocks files with ransomware extensions from carrying out malicious operations. You can modify the list by manually adding or removing signatures.

Note: Removing curated blocked signatures can prevent File Analytics from blocking some ransomware files.

File Analytics also monitors shares for self-service restore (SSR) policies and identifies shares that do not have SSR enabled in the ransomware dashboard. You can enable SSR through the ransomware dashboard.
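
The file blocking mechanism described above works on file name signatures in the *.(signature) format. The following added example (not Nutanix code, and not the curated list, which is downloaded from the dashboard as a CSV) shows how such a list can be applied to audit events to find creates and renames whose target name matches a blocked signature, and to group the hits by client so that a "malicious clients" count can be derived. The signatures and events are constructed placeholders; case-insensitive shell-style wildcard matching is an assumption about how the product interprets the patterns.

```python
"""Matching audit events against a blocked-signature list (added example,
not Nutanix code). Signatures use the *.<signature> form; matching is
case-insensitive and wildcard-based (an assumption)."""
import csv
import fnmatch
import io

# Constructed placeholder signatures (not the curated Nutanix list).
BLOCKED_SIGNATURES_CSV = """signature
*.examplelocked
*.exmplcrypt
*.exmpl-id-*
"""

# Operations that put a new name on disk and are therefore checked by the blocker.
CHECKED_OPERATIONS = ("Create", "Rename")


def load_signatures(csv_text):
    """Read the signature column of a downloaded list, normalised to lower case."""
    return [row["signature"].strip().lower()
            for row in csv.DictReader(io.StringIO(csv_text))
            if row["signature"].strip()]


def matches_signature(path, signatures):
    """Return the first blocked pattern the file name matches, or None."""
    name = path.rsplit("/", 1)[-1].lower()
    for sig in signatures:
        if fnmatch.fnmatchcase(name, sig):
            return sig
    return None


def scan_operations(events, signatures):
    """events: iterable of (client_ip, operation, path).
    Returns {client_ip: [(path, matched_signature), ...]} for blocked-name creates and renames."""
    hits = {}
    for client, op, path in events:
        if op not in CHECKED_OPERATIONS:
            continue
        sig = matches_signature(path, signatures)
        if sig is not None:
            hits.setdefault(client, []).append((path, sig))
    return hits


# Constructed audit events (not real File Analytics data).
SAMPLE_EVENTS = [
    ("10.0.0.5", "Create", "/share/docs/report.docx"),
    ("10.0.0.5", "Rename", "/share/docs/report.docx.EXAMPLELOCKED"),
    ("10.0.0.5", "Rename", "/share/docs/budget.xlsx.exmpl-id-7f3a"),
    ("10.0.0.9", "Create", "/share/docs/notes.txt"),
    ("10.0.0.9", "Read", "/share/docs/readme.examplelocked"),
]

if __name__ == "__main__":
    sigs = load_signatures(BLOCKED_SIGNATURES_CSV)
    for client, matched in scan_operations(SAMPLE_EVENTS, sigs).items():
        print(client, matched)
```

Only the renames from 10.0.0.5 are reported: the read from 10.0.0.9 touches a file that already carries a blocked name but does not create one, which is why the mechanism targets the operations that write a name to disk.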

Ransomware Protection Features

The ransomware dashboard includes panes for managing ransomware protection and self-service restore (SSR).

Ransomware Dashboard

The ransomware dashboard includes two main sections:

  • The SSR Status pane for viewing, enabling, and managing SSR, see Enabling SSR.
  • The Vulnerabilities (Infection Attempts) pane for viewing total vulnerabilities, vulnerable shares, malicious clients, and top recent ransomware attempts.
    • Clicking on the number of total vulnerabilities provides a detailed view of recent vulnerabilities.
    • Clicking on the number of vulnerable shares provides a detailed view of vulnerable shares.
    • Clicking on the number of malicious clients provides a detailed view of malicious clients.
  • Click Settings to enable and configure ransomware protection, see Enabling Ransomware Protection and Configuring Ransomware Protection.
  • Click Download (.csv) to download a list of blocked ransomware signatures.
Figure. Ransomware Dashboard

Enabling Ransomware Protection

Enable ransomware protection on your file server.

About this task

Procedure

  1. Go to dropdown menu > Ransomware .
  2. In the message banner, click Enable Ransomware Protection .
  3. (optional) Click Configure SMTP to Add Recipients.
    Note: This option appears only if you have not configured a simple mail transfer protocol (SMTP) server, see Configuring an SMTP Server.
  4. Under Ransomware Email Recipients , add at least one email address. If there is a ransomware attack, File Analytics sends a notification to the specified email address.
    Figure. Enable Ransomware

  5. Click Enable .
    See Configuring Ransomware Protection for configuration steps.

Configuring Ransomware Protection

Configure ransomware protection on file servers.

About this task

Do the following to add a signature to the blocked extension list.

Procedure

  1. Go to dropdown menu > Ransomware > Settings .
  2. (optional) Under Search for blocked File Signatures , enter ransomware signatures in the *.(signature) format.
    Note: You can also remove ransomware signatures.
    1. To check whether the signature is already blocked, click Search .
    2. If the signature has not been blocked, click Add to Block List .

  3. (optional) To download a list of blocked ransomware signatures, click Download (.csv) .
  4. (optional) Under Ransomware Email Recipients , add a comma-separated list of email addresses. If there is a ransomware attack, File Analytics sends a notification to the specified email addresses.
  5. (optional) To disable the ransomware protection feature, click Disable Ransomware Protection .

Enabling SSR

Enable self-service restore on shares identified by File Analytics.

About this task

File Analytics scans shares for SSR policies.

Procedure

  1. Go to dropdown menu > Ransomware .
  2. Click Enable SSR on Prism .
  3. Check the box next to the shares for which to enable SSR.
    Figure. Enable SSR on Shares

  4. Click Enable SSR .

Reports

Generate a report for entities on the file server.

Create a report with custom attribute values or use one of the File Analytics pre-canned report templates. To create a custom report, specify the entity, attributes (and operators for some attributes), attribute values, column headings, and the number of columns. Pre-canned reports define most of the attributes and headings based on the entity and template that you choose.

The Reports dashboard displays a table of previously generated reports. You can rerun an existing report rather than creating a new one. After creating a report, you can download it as a JSON or CSV file.

Reports Dashboard

The reports dashboard includes options to create, view, and download reports.

The Reports dashboard includes options to create a report, download reports as JSON or CSV, rerun reports, and delete reports.

The reports table includes columns for the report name, status, last run, and actions.

Figure. Reports Dashboard

Clicking Create a new report takes you to the report creation screen, which includes a Report builder tab and a Pre-canned Reports Templates tab. Each tab includes report options and filters for report configuration.

Both tabs include the following elements:

  • The Define Report Type section includes an Entity drop-down menu to select an entity.
  • The Define Filters section includes an Attribute drop-down menu and an option to add more attributes by clicking + Add filter .
  • The Add/remove columns in this report section displays the default columns. Clicking the columns field lets you add columns to the report; clicking the x next to a column name removes it from the report.
  • The Define number of maximum rows in this report section includes a Count section to specify the number of rows in the report.
Table 1. Report Builder – Filter Options
(Table columns: Entity, Attributes (filters), Operator, Value, Column)

Entity: Events
  • Attribute event_date
    • Operator: equal_to, greater_than, greater_than_equal_to, less_than, less_than_equal_to
    • Value: (date)
  • Attribute Event_operation
    • Operator: N/A
    • Value: file_write, file_read, file_create, file_delete, rename, directory_create, directory_delete, SecurityChange (permission change), set_attr, sym_link
  • Columns: audit_path (object path), audit_objectname (object name), audit_operation (operation), audit_machine_name (source of operation), audit_event_date (event date in UTC), audit_username (user name)

Entity: Files
  • Attribute Category
    • Operator: equal_to, greater_than, greater_than_equal_to, less_than, less_than_equal_to
    • Value: (date)
  • Attribute Extensions
    • Operator: N/A
    • Value: (type in value)
  • Attribute Deleted
    • Operator: N/A
    • Value: Last (number of days from 1 to 30) days
  • Attribute creation_date
    • Operator: equal_to, greater_than, greater_than_equal_to, less_than, less_than_equal_to
    • Value: (date)
  • Attribute access_date
    • Operator: equal_to, greater_than, greater_than_equal_to, less_than, less_than_equal_to
    • Value: (date)
  • Attribute Size
    • Operator: equal_to, greater_than, greater_than_equal_to, less_than, less_than_equal_to
    • Value: (number) (file size); file size options: B, KB, MB, GB, TB
  • Columns: object_name (file name), share_UUID (share name), object_owner_name (owner name), object_size_logical (size), file_type (extension), object_creation_date (creation date in UTC), last_event_date (access date in UTC), fileserver_protocol, object_ID (file id), object_last_operation_name (last operation), audit_username (last operation user), file_path (file path)

Entity: Folders
  • Attribute Deleted
    • Operator: N/A
    • Value: Last (number of days from 1 to 30) days
  • Attribute creation_date
    • Operator: equal_to, greater_than, greater_than_equal_to, less_than, less_than_equal_to
    • Value: (date)
  • Columns: object_name (Dir name), object_owner_name (owner name), object_creation_date (creation date in UTC), last_event_date (access date in UTC), share_UUID (share name), object_last_operation_name (last operation), audit_username (last operation user), File server protocol, object_ID (file id), file_path (Dir path)

Entity: Users
  • Attribute last_event_date
    • Operator: equal_to, greater_than, greater_than_equal_to, less_than, less_than_equal_to
    • Value: (date)
  • Columns: user_login_name (user name), Last operation, last_event_date (access date in UTC), last_operation_audit_path
Table 2. Pre-Canned Reports – Filters
(Table columns: Entity, Pre-canned report template, Columns)

Entity: Events
  • Templates: PermissionDenied events; Permission Denied (file blocking) events
  • Columns: audit_path (object path), audit_objectname (object name), audit_operation (operation), audit_machine_name (source of operation), audit_event_date (event date in UTC), audit_username (user name)

Entity: Files
  • Templates: Largest Files; Oldest Files; Files not accessed for last 1 year; Files accessed in last 30 days
  • Columns: object_name (file name), share_UUID (share name), object_owner_name (owner name), object_size_logical (size), file_type (extension), object_creation_date (creation date in UTC), last_event_date (access date in UTC), fileserver_protocol, object_ID (file id), object_last_operation_name (last operation), audit_username (last operation user), file_path (file path)

Entity: Users
  • Templates: Top owners with space consumed; Top active users; All users
  • Columns: user_login_name (user name), Last operation, last_event_date (access date in UTC), last_operation_audit_path

Creating a Custom Report

Create a custom report by defining the entity, attribute, filters, and columns.

About this task

Follow the steps as indicated.

Procedure

  1. Go to dropdown menu > Reports .
  2. Click Create a new report .
  3. In the Report Builder tab, do the following:
    1. In the Define Report Type section, select an entity from the drop-down menu.
    2. In the Define Filters section, select an attribute from the attributes dropdown.
    3. Under Value , specify the values for the attribute (some attributes also require an operator in the Operator field).
    4. (optional) click + Add filter to add more attributes.
    5. In the Add/Remove column in this report section, click x for the columns you want to remove.
    6. In the Define maximum number of rows in this report section, type a number, or use the - and + buttons, to specify the number of rows in your report. This value indicates the number of records in the report.
  4. Click Run Preview .
    The Report Preview section populates.
  5. Click Generate report .
    1. Select either the CSV or JSON option.
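To make the operator and value semantics of Table 1 and the custom-report procedure above concrete, here is an added Python example, not Nutanix or File Analytics code, that evaluates Report Builder style filters over a constructed Files entity data set, projects the selected columns, caps the row count, and emits CSV and JSON. The records, the reference time, and the reading of the Deleted attribute as "last operation was a delete within the last N days" are assumptions of this example.

```python
"""Report Builder filter semantics from Table 1, as an added example in Python.
This is not Nutanix code: the records, the reference time, and the handling
of the 'Deleted' attribute are constructed assumptions for illustration."""
import csv
import io
import json
import operator
from datetime import datetime, timedelta, timezone

# Operators listed in the Report Builder's Operator column.
OPERATORS = {
    "equal_to": operator.eq,
    "greater_than": operator.gt,
    "greater_than_equal_to": operator.ge,
    "less_than": operator.lt,
    "less_than_equal_to": operator.le,
}

# File size units offered for the Size attribute.
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}

# Constructed reference time so that 'last N days' filters are reproducible.
NOW = datetime(2022, 6, 14, tzinfo=timezone.utc)


def days_ago(n):
    return NOW - timedelta(days=n)


def make_file(name, share, owner, size, ext, created, accessed, last_op, path):
    """Build one Files-entity record using the column names from Table 1."""
    return {
        "object_name": name, "share_UUID": share, "object_owner_name": owner,
        "object_size_logical": size, "file_type": ext,
        "object_creation_date": days_ago(created), "last_event_date": days_ago(accessed),
        "object_last_operation_name": last_op, "file_path": path,
    }


# Constructed sample data set (not real scan output).
FILES = [
    make_file("budget.xlsx", "finance", "alice", 3 * SIZE_UNITS["MB"], "xlsx",
              400, 2, "file_write", "/finance/budget.xlsx"),
    make_file("old-backup.bak", "it", "bob", 2 * SIZE_UNITS["GB"], "bak",
              900, 500, "file_read", "/it/old-backup.bak"),
    make_file("notes.txt", "home", "alice", 512, "txt",
              10, 1, "file_create", "/home/alice/notes.txt"),
    make_file("draft.docx", "home", "carol", SIZE_UNITS["MB"], "docx",
              30, 3, "file_delete", "/home/carol/draft.docx"),
]

# Report Builder attribute names that are aliases for record fields.
ATTRIBUTE_FIELDS = {
    "creation_date": "object_creation_date",
    "access_date": "last_event_date",
    "Size": "object_size_logical",
    "Extensions": "file_type",
}


def apply_filter(record, attribute, op, value, unit=None):
    """Evaluate one (attribute, operator, value[, unit]) filter against a record."""
    if attribute == "Deleted":
        # Assumed semantics for 'Last N days': the last recorded operation was
        # a delete and it happened within the window.
        return (record["object_last_operation_name"] == "file_delete"
                and record["last_event_date"] >= days_ago(value))
    actual = record.get(ATTRIBUTE_FIELDS.get(attribute, attribute))
    if actual is None:
        return False
    if attribute == "Size":
        value = value * SIZE_UNITS[unit or "B"]
    if op == "N/A":  # value-only attributes such as Extensions
        return actual == value
    return OPERATORS[op](actual, value)


def build_report(records, filters, columns, max_rows):
    """Apply all filters (AND), project the selected columns, cap the row count."""
    rows = [r for r in records if all(apply_filter(r, *f) for f in filters)]
    return [{c: r.get(c) for c in columns} for r in rows[:max_rows]]


def to_csv(rows, columns):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def to_json(rows):
    return json.dumps(rows, default=lambda v: v.isoformat())


def not_accessed_for_a_year(records, columns, max_rows=100):
    """Equivalent of the 'Files not accessed for last 1 year' pre-canned template."""
    return build_report(records, [("access_date", "less_than", days_ago(365))],
                        columns, max_rows)


if __name__ == "__main__":
    cols = ["object_name", "object_size_logical", "last_event_date"]
    print(to_csv(build_report(FILES, [("Size", "greater_than", 1, "MB")], cols, 10), cols))
```

Note the boundary behaviour: draft.docx is exactly 1 MB, so greater_than 1 MB excludes it while greater_than_equal_to would include it; that distinction is the reason the Report Builder offers both operators.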

Create a Pre-Canned Report

Use one of the pre-canned File Analytics templates for your report.

Procedure

  1. Go to dropdown menu > Reports .
  2. Click Create a new report .
  3. In the Pre-Canned Reports Templates tab, do the following:
    1. In the Define Report Type section, select an entity from the drop-down menu.
    2. In the Define Filters section, select an attribute from the attributes dropdown.
    3. In the Add/Remove column in this report section, click x for the columns you want to remove.
    4. In the Define maximum number of rows in this report section, type in, or use the - and + buttons, to specify the number of rows in your report. This value indicates the number of records in the report.
  4. Click Run Preview .
    The Report Preview section populates.
  5. Click Generate report .
    1. Select either the CSV or JSON option.

File Analytics Options

You can get more insight into the usage and contents of files on your system by configuring and updating File Analytics features and settings. Some options include scanning the files on your file server on demand, updating data retention, and configuring data protection.

Updating Data Retention

The data retention period determines how long File Analytics retains event data.

About this task

Follow the steps as indicated to configure data retention.

Procedure

  1. In File Analytics, click gear icon > Update Data Retention .
  2. In the Data Retention Period drop-down, select the period for data retention.
  3. Click Update .

Scanning the File System

Once enabled, File Analytics scans the metadata of all files and shares on the system. You can perform an on-demand scan of shares in your file system.

About this task

To scan shares, perform the following task.

Procedure

  1. In File Analytics, click the gear icon .
  2. In the drop-down list, click Scan File System .
  3. In the list of shares, select the target shares for the scan.
    Figure. Select Scan Targets

  4. Click Scan .
    The status of the share is In Progress . Once the scan is complete, the status changes to Completed .

Deny List

Deny users, file extensions, and client IP addresses.

About this task

Use the Deny feature to stop File Analytics from recording audit events for specified file extensions, users, and client IP addresses.
Note: Files with no extension cannot be denied.

Procedure

  1. Click the gear icon > Define Rules for Deny List .
  2. Click the pencil icon in the Client IPs , File Extensions , or Users row.
  3. Add a comma-separated list of the entities that you want to deny.
  4. Click the done icon in the updated row, and then click Close .

Managing File Categories

File Analytics uses the file category configuration to classify file extensions.

About this task

The capacity widget in the dashboard uses the category configuration to calculate capacity details.

Procedure

  1. Click gear icon > Manage File Category .
  2. To create a category, click + New Category . (Otherwise, move on to step 3).
    1. In the Category column, name the category.
    2. In the Extensions column, specify file extensions for the category.
  3. To delete an existing category, click the x icon next to the category. (Otherwise, move on to step 4)
  4. To modify an existing category, click the pencil icon next to the category and modify the specified file extensions.
  5. Click Save .

Data Protection

Configure File Analytics disaster recovery (DR) using Prism Element.

File Analytics only supports async disaster recovery. File Analytics does not support NearSync and metro availability.

Create an async protection domain, configure a protection domain schedule, and configure remote site mapping. The remote site must have symmetric configurations to the primary site. The remote site must also deploy File Analytics to restore a File Analytics VM (FAVM).

The Data Protection section in the Prism Web Console Guide provides more detail on the disaster recovery process.

Configuring Disaster Recovery

To set up disaster recovery for File Analytics, create an async protection domain, configure a protection domain schedule, and configure remote site mapping.

About this task

By default, the File Analytics volume group resides on the same container that hosts vDisks for Nutanix Files.

Procedure

  1. If you have not done so already, configure a remote site for the local cluster.
    See the Configuring a Remote Site (Physical Cluster) topic in the Prism Web Console Guide for this procedure.
  2. Create an async DR protection domain for the File Analytics volume group as the entity. The volume group name is File_Analytics_VG .
    See Configuring a Protection Domain (Async DR) in the Prism Web Console Guide .
  3. In the Schedule tab, click the New Schedule button to add a schedule.
    Add a schedule, as File Analytics does not provide a default schedule. See Creating a Protection Domain Schedule (Files) in the Nutanix Files Guide .
  4. Configure local and remote container mapping.
    See the Configuring Disaster Recovery (Files) section in the Nutanix Files Guide for steps to configure mapping between local and remote containers.
  5. Create a protection domain schedule.
    See Creating a Protection Domain Schedule (Files) in the Nutanix Files Guide .

Activating Disaster Recovery

Recover a File Analytics VM (FAVM) after a planned or unplanned migration to the remote site.

About this task

Perform the following tasks on the remote site.

Procedure

  1. Fail over to the protection domain for disaster recovery activation.
    See the Failing Over a Protection Domain topic in the Prism Web Console Guide .
  2. Fail back the protection domain to the primary site.
    See the Failing Back a Protection Domain topic in the Prism Web Console Guide .

Deploying File Analytics on a Remote Site (AHV)

Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.

About this task

To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.

Before you begin

Ensure that the Nutanix Files and AOS versions on the remote site match those on the primary site.

About this task

Run the following commands from the command prompt inside the FAVM.

Procedure

  1. Deploy a new File Analytics instance on the remote site, see Deploying File Analytics.
    Caution: Do not enable File Analytics.
    The remote site requires an iSCSI data service IP address to configure the FAVM. This procedure deploys a new volume group File_Analytics_VG , which you delete in a subsequent step.
  2. On the remote site, create a volume group by restoring the snapshot of the File_Analytics_VG .
    See Restoring an Entity from a Protection Domain in Data Protection and Recovery with Prism Element . For the How to Restore step, use the Create new entities option, and specify a name in the Volume Group Name Prefix field. The restored volume group name format is prefix -File_Analytics_VG.
  3. To configure the FAVM on the remote site, follow these steps:
    Caution: If the IP address of the File Analytics VM has changed on the remote site, contact Nutanix Support before proceeding.
    1. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    2. To discover all storage devices accessed by the FAVM, run the following command.
      nutanix@favm$ sudo blkid
    3. Copy the cvm.config file to the temporary files directory.
      nutanix@favm$ cp /mnt/containers/config/common_config/cvm.config /tmp
    4. Stop the File Analytics services.
      nutanix@favm$  sudo systemctl stop monitoring
      nutanix@favm$  docker stop $(docker ps -q)
      nutanix@favm$  sudo systemctl stop docker
    5. Unmount the volume group.
      nutanix@favm$ sudo umount /mnt
    6. Detach the volume group File_Analytics_VG from the FAVM.
      See the "Managing a VM (AHV)" topic in the Prism Web Console Guide .
    7. Attach the cloned volume group prefix -File_Analytics_VG to the FAVM.
      See "Managing a VM (AHV)" in the Prism Web Console Guide .
    8. Restart the FAVM to discover the attached volume group.
      nutanix@favm$ sudo reboot

    9. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    10. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      The FAVM discovers the attached volume group and assigns it to the /dev/sdb device.
    11. Delete the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    12. Rename the restored volume group prefix -File_Analytics_VG to File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    13. Create a backup of the cvm.config file.
      nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
      /mnt/containers/config/common_config/cvm_bck.config
    14. Copy the cvm.config file from the /tmp directory to /common_config/ on the FAVM.
      nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
    15. Reconfigure the password of the Prism user that File Analytics uses for internal FAVM operations. Replace new password with a passphrase of your choice; File Analytics uses it only for internal communication between Prism and the FAVM. Run reset_password.py twice: first with --local_update , then with the Prism admin credentials.
      nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
       --password='new password' --local_update
      nutanix@favm$  sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
      --password='new password' --prism_user=admin --prism_password='Prism admin password'
    16. In File Analytics, go to gear icon > Scan File System to check if a file system scan can be initiated.
      Note: If you receive errors, disable and re-enable File Analytics, see "Disabling File Analytics" and "Enabling File Analytics."

Deploying File Analytics on a Remote Site (ESXi)

Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.

About this task

To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.

Before you begin

Ensure that the Nutanix Files and AOS versions on the remote site match those on the primary site.

About this task

Run the following commands from the command prompt inside the FAVM.

Procedure

  1. Deploy a new File Analytics instance on the remote site, see Deploying File Analytics.
    Caution: Do not enable File Analytics.
    The remote site requires an iSCSI data service IP address to configure the FAVM. This procedure deploys a new volume group File_Analytics_VG , which you delete in a subsequent step.
  2. On the remote site, create a volume group by restoring the snapshot of the File_Analytics_VG .
    See Restoring an Entity from a Protection Domain in Data Protection and Recovery with Prism Element . For the How to Restore step, use the Create new entities option, and specify a name in the Volume Group Name Prefix field. The restored volume group name format is prefix -File_Analytics_VG.
  3. In the Storage Table view, go to the Volumes tab.
    1. Copy the target IQN prefix from the Volume Group Details column.
      Tip: Click the tooltip to see the entire IQN prefix.
  4. To configure the FAVM on the remote site, follow these steps:
    Caution: If the IP address of the File Analytics VM has changed on the remote site, contact Nutanix Support before proceeding.
    1. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    2. To discover all storage devices accessed by the FAVM, run the following command.
      nutanix@favm$ sudo blkid
    3. Copy the cvm.config file to the temporary files directory.
      nutanix@favm$ cp /mnt/containers/config/common_config/cvm.config /tmp
    4. Stop the File Analytics services.
      nutanix@favm$  sudo systemctl stop monitoring
      nutanix@favm$  docker stop $(docker ps -q)
      nutanix@favm$  sudo systemctl stop docker
    5. Unmount and log off from all iSCSI targets.
      nutanix@favm$ sudo umount /mnt
      nutanix@favm$ sudo /sbin/iscsiadm -m node -u
    6. Remove the disconnected target records from the discoverydb mode of the FAVM.
      nutanix@favm$ sudo /sbin/iscsiadm -m node -o delete
    7. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      The output does not show the /dev/sdb device.
    8. Get the File Analytics Linux client iSCSI initiator name.
      nutanix@favm$  sudo cat /etc/iscsi/initiatorname.iscsi
      The output displays the initiator name.
      InitiatorName=iqn.1991-05.com.redhat:8ef967b5b8f
    9. Copy the iSCSI initiator name.
    10. Remove the iSCSI initiator name from the client whitelist of the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    11. Whitelist the FAVM client on the cloned volume group prefix -File_Analytics_VG using the iSCSI initiator name of the FAVM client.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    12. Let the Analytics initiator discover the cluster and its volume groups.
      nutanix@favm$  sudo /sbin/iscsiadm --mode discovery --type sendtargets --portal  data_services_IP_address:3260
      Clicking the Nutanix cluster name in Prism displays cluster details including the data service IP address. The output displays the restored iSCSI target from step 2.
    13. Connect to the volume target by specifying the IQN prefix copied in step 3.
      nutanix@favm$  sudo /sbin/iscsiadm --mode node --targetname iqn_name --portal data_services_IP_address:3260,1 --login
    14. Restart the FAVM to restart the iSCSI host adapters, which allows the discovery of the attached volume group.
      nutanix@favm$  sudo reboot
    15. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    16. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      The FAVM discovers the attached iSCSI volume group and assigns it to the /dev/sdb device.
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      /dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"
    17. Delete the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    18. Rename the restored volume group prefix -File_Analytics_VG to File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    19. Create a backup of the cvm.config file.
      nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
      /mnt/containers/config/common_config/cvm_bck.config
    20. Copy the cvm.config file from the /tmp directory to /common_config/ on the FAVM.
      nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
    21. Reconfigure the password of the Prism user that File Analytics uses for internal FAVM operations. Replace new password with a passphrase of your choice; File Analytics uses it only for internal communication between Prism and the FAVM. Run reset_password.py twice: first with --local_update , then with the Prism admin credentials.
      nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
       --password='new password' --local_update
      nutanix@favm$  sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
      --password='new password' --prism_user=admin --prism_password='Prism admin password'
    22. In File Analytics, go to gear icon > Scan File System to check if a file system scan can be initiated.
      Note: If you receive errors, disable and re-enable File Analytics, see "Disabling File Analytics" and "Enabling File Analytics."
File Analytics Guide

Files 3.2

Product Release Date: 2022-09-07

Last updated: 2022-11-04

File Analytics

File Analytics provides data and statistics on the operations and contents of a file server.

Once deployed, Nutanix Files adds a File Analytics VM (FAVM) to the Files cluster. A single File Analytics VM supports all file servers in the cluster; however, you must enable File Analytics separately for each file server. File Analytics protects data on the FAVM, which is kept in a separate volume group.

Once you deploy File Analytics, a new File Analytics link appears on the file server actions bar. Use the link to access File Analytics on any file server that has File Analytics enabled.
Note: File Analytics supports dual NIC configuration for segmented networks. Contact Nutanix Support for assistance.
Figure. File Analytics VM

Display Features

The File Analytics web console consists of the following display features:

Main menu bar : The main menu bar appears at the top of every page of the File Analytics web console. The main menu bar includes the following display features:

  • Dashboard tab : View widgets that present data on file trends, distribution, and operations, see Dashboard.
  • Audit Trails tab : Search for a specific user or file and view various widgets to audit activity, see Audit Trails.
  • Anomalies tab : Create anomaly policies and view anomaly trends, see Anomalies.
  • Ransomware tab : Configure ransomware protection and self-service restore (SSR) snapshots, see Ransomware Protection.
    Warning: Ransomware protection helps detect potential ransomware. Nutanix does not recommend using the File Analytics ransomware feature as an all-encompassing ransomware solution.
  • Reports tab : Create custom reports or use pre-canned report templates, see Reports.
  • Status icon : Check the file system scan status.
  • File server drop-down : View the name of the file server for which data is displayed.
  • Settings drop-down : Manage File Analytics and configure settings, see Administration and File Analytics Options.
  • Health icon : Check the health of File Analytics, see Health.
  • Admin dropdown : Collect logs and view the current File Analytics version.

Deployment Requirements

Meet the following requirements prior to deploying File Analytics.

Ensure that you have performed the following tasks and your Files deployment meets the following specifications.

  • Assign the file server administrator role to an Active Directory (AD) user, see Managing Roles in the Nutanix Files Guide .
  • Log on as the Prism admin user to deploy the File Analytics server.
  • Configure a VLAN with one dedicated IP address for File Analytics, or use an IP address from an existing Files external network. This IP address must have connectivity to AD, the Controller VM (CVM), and Files. See "Configuring a Virtual Network For guest VM Interfaces" in the Prism Web Console Guide.
    Note: Do not install File Analytics on the Files internal network.
  • (optional) Assign the file server administrator role to an LDAP user, see Managing Roles in the Nutanix Files Guide .
  • Ensure that all software components meet the supported configurations and system limits, see the File Analytics Release Notes .

Network Requirements

Open the required ports, and ensure that your firewall allows bi-directional Internet Control Message Protocol (ICMP) traffic between the FAVM and CVMs.

The Port Reference provides detailed port information for Nutanix products and services, including port sources and destinations, service descriptions, directionality, and protocol requirements.

In addition to meeting the File Analytics network requirements, ensure that you meet the Nutanix Files port requirements described in the Port Reference .

Limitations

File Analytics has the following limitations.

Note: Depending on data set size, file count, and workload type, enabling File Analytics can affect the performance of Nutanix Files. High latency is more common with heavy file-metadata operations (directory and file creation, deletion, permission changes, and so on). To minimize the impact on performance, ensure that the host has enough CPU and memory resources to handle the File Analytics VM (FAVM), file servers, and guest VMs (if any).
  • Only Prism admin can deploy File Analytics.
  • File Analytics retains data for a configurable period, from one day up to 1 year, and automatically deletes data older than the configured period.
    Note: After surpassing the audit event threshold, as specified in File Analytics Release Notes , Analytics archives the oldest events. Archived audit events do not appear in the Analytics UI.
  • You cannot deploy or decommission File Analytics when a file server has high-availability (HA) mode enabled.
  • You cannot use network segmentation for Nutanix Volumes with File Analytics.
  • If file server DNS or IP changes, File Analytics does not automatically reconfigure.
  • File Analytics does not collect metadata for files on Kerberos authenticated NFS v4.0 shares.
  • File Analytics does not support hard links.
  • You cannot enable File Analytics on a file server clone.
  • You cannot move File Analytics to another storage container.
  • File Analytics creates an unprotected Prism and an unprotected file server user for integration purposes. Do not delete these users.
  • The legacy file blocking policy has an upper limit of 300 ransomware extensions.
    Note: For higher limits, it is recommended to use Nutanix Data Lens.
  • File Analytics does not support the following operations for graceful shutdown:
    • AHV: power cycle, power off
    • ESXi: power off, reset
  • File Analytics log collection from CVM fails with dual NIC setup.
  • File Analytics does not collect metadata information on shares, offline shares, and encrypted shares.
  • Teardown of File Analytics fails in case of dual NIC setup.

Administration

Overview of administrative processes for File Analytics.

As an admin, you have the required permissions for performing File Analytics administrative tasks. To add a file server admin user, see Managing Roles in the Nutanix Files Guide. The topics in this chapter describe the basics for administering your File Analytics environment. For advanced administrative options, refer to the File Analytics Options chapter.

Role-based Access Control for File Analytics

Prism Element supports role-based access control (RBAC) that allows you to configure and provide customized access to the users based on their assigned roles.

Note: Logging in to File Analytics with a local user created on Prism Central is not supported.

From the Prism Element dashboard, you can assign a set of predefined built-in roles (system roles) to users or user groups. File Analytics supports the following built-in roles (system roles), which are defined by default:

Note: Only administrators (Super Admin or a Prism Admin in Prism Element) can create roles for File Analytics.
    • Viewer: Users with this role have view-only access to information and cannot perform any administrative (create or modify) tasks.
    • Cluster and User Admin: Users with this role can view information, perform administrative tasks, and create and modify operations.
    For more information on role-based access control, refer to the Controlling User Access (RBAC), Built-in Role Management, Configuring Role Mapping, and Managing Local User Accounts sections in the Security Guide.

Deploying File Analytics

Follow this procedure to deploy the File Analytics server.

Before you begin

Ensure that your environment meets all requirements prior to deployment, see Deployment Requirements.

Procedure

Deploying the File Analytics server.
  1. Go to Support Portal > Downloads > File Analytics.
  2. Download the File Analytics QCOW2 and JSON files.
  3. Log on to Prism with the user name and password of the Prism administrator.
    Note: An Active Directory (AD) user or an AD user mapped to a Prism admin role cannot deploy File Analytics.
  4. In Prism, go to the File Server view and click the Deploy File Analytics action link.
    Figure. File Analytics

  5. Review the File Analytics requirements and best practices in the Pre-Check dialog box.
  6. In the Deploy File Analytics Server dialog box, do the following in the Image tab.
    • Under Available versions, select one of the available File Analytics versions (then continue to step 8).
    • Install by uploading installation binary files (continue to the next step).
  7. Upload installation files.
    1. In the Upload binary section, click upload the File Analytics binary to upload the File Analytics JSON and QCOW files.
      Figure. Upload Binary Link
    2. Under File Analytics Metadata File (.Json), click Choose File to choose the downloaded JSON file.
    3. Under File Analytics Installation Binary (.Qcow2), click Choose File to choose the downloaded QCOW file.
      Figure. Upload Binary Files
    4. Click Upload Now after choosing the files.
  8. Click Next .
  9. In the VM Configuration tab, do the following in the indicated fields:
    1. Name: Enter a name for the File Analytics VM (FAVM).
    2. Server Size: Select either the small or large configuration. Large file servers require larger configurations for the FAVM. By default, File Analytics selects the large configuration.
    3. Storage Container: Select a storage container from the drop-down.
      Note: From AOS 5.15.3 onward, the drop-down displays all storage containers. For earlier AOS versions, the drop-down only displays file server storage containers.
    4. Network List: Select a VLAN.
      Note: If the selected network is unmanaged, enter more network details in the Subnet Mask, Default Gateway IP, and IP Address fields as indicated.
      Note: The FAVM must use the client-side network.
      Note: For ESXi, do not use the Controller VM (CVM) backplane network. The CVM backplane network is not supported and any later upgrade operations might fail.
  10. Click Deploy.
    In the main menu drop-down, select the Tasks view to monitor the deployment progress.

Results

Once deployment is complete, File Analytics creates an FAVM, CVM, and a new Files user to make REST API calls. Do not delete the CVM, FAVM, or the REST API user.

Enabling File Analytics

Steps for enabling File Analytics after deployment or disablement.

About this task

Attention: Nutanix recommends enabling File Analytics during off-peak hours.

Follow these steps to enable File Analytics after disabling the application.

Note: File Analytics saves all previous configurations.

Procedure

  1. In the File Server view in Prism, select the target file server.
  2. (Skip to step 3 if you are re-enabling a file server.) Click Manage roles to add a file server admin user, see Managing Roles in the Nutanix Files Guide.
  3. In the File Server view, select the target file server and click File Analytics in the tabs bar.
  4. (Skip to step 5 if you are not re-enabling a disabled instance of File Analytics.) To re-enable File Analytics, click Enable File Analytics in the message bar.
    Figure. Enabling File Analytics Link
    The Enable File Analytics dialog box appears. Skip the remaining steps.
  5. In the Data Retention field, select a data retention period. The data retention period refers to the length of time File Analytics retains audit events.
  6. In the Authentication section, enter the credentials as indicated:
    Note: AD passwords for the file server admin cannot contain the following special characters: comma (,), single quote ('), double quote ("). Using the special characters in passwords prevents File Analytics from performing file system scans.
    1. (For SMB users only) In the SMB section, do the following in the indicated fields to provide SMB authentication details:
      • Active Directory Realm Name: Confirm the AD realm name for the file server.
      • Username: Enter the AD username for the file server administrator, see File Analytics Prerequisites.
      • Password: Enter the AD user password for the file server administrator.
    2. (For NFS users only) In the NFS Authentication section, do the following in the indicated fields to provide NFS authentication details:
      • LDAP Server URI: Enter the URI of the LDAP server.
      • Base DN: Enter the base DN for the LDAP server.
      • Password: Enter the LDAP user password for the file server administrator.

  7. Click Enable.

Results

After enablement, File Analytics performs a one-time file system scan to pull metadata information. The duration of the scan varies depending on the protocol of the share. There is no system downtime during the scan.

Example

Scanning 3–4 million NFS files or 1 million SMB files takes about 1 hour.

Disabling File Analytics

About this task

Follow the steps as indicated to disable File Analytics.

Procedure

  1. In File Analytics, click the gear icon > Disable File Analytics.
  2. In the dialog box, click Disable.
    Disabling File Analytics disables data collection. The following message banner appears.
    File Analytics is disabled on the server. Enable File Analytics to start collecting data again or Delete File Analytics Data.

What to do next

To delete data, click the Delete File Analytics Data link in the banner described in Step 2.

Launching File Analytics

About this task

Do the following to launch File Analytics.

Procedure

  1. From the Prism views drop-down, select the File Server view.
  2. Select the target file server from the entity tab.
  3. Click the File Analytics action button below the entity table.
    Figure. Launch File Analytics. The File Analytics action button.

File Analytics VM Management

To update a File Analytics VM (FAVM), refer to the sizing guidelines in the File Analytics release notes and follow the steps in the VM Management topic of the Prism Web Console Guide .

Removing File Analytics VMs

Remove a File Analytics VM (FAVM) by disabling it and deleting it from the cluster in Prism.

About this task

Follow the steps as indicated to remove an FAVM.
Note: Do not delete an FAVM using the CLI, as this operation does not decommission the FAVM.

Procedure

  1. Disable File Analytics on all file servers in the cluster, see Disabling File Analytics.
  2. In the File Server view in Prism Element, do the following:
    1. In the top actions bar, click Manage File Analytics.
    2. Click Delete to remove the FAVM.
    When you delete an FAVM, you also delete all of your File Analytics configurations and audit data stored on the FAVM.

Updating Credentials

About this task

Follow the steps as indicated to update authentication credentials for LDAP or Active Directory.

Procedure

  1. Click the gear icon > Update AD/LDAP Configuration.
  2. To update Active Directory credentials, do the following in the indicated fields (otherwise move on to the next step).
    Note: AD passwords for the file server admin cannot contain the following special characters: comma (,), single quote ('), double quote ("). Using the special characters in passwords prevents File Analytics from performing file system scans.
    1. Active Directory Realm Name: Confirm or replace the realm name.
    2. Username: Confirm or replace the username.
    3. Password: Type in the new password.
  3. To update the NFS configuration, do the following (otherwise move on to the next step).
    1. LDAP Server URI: Confirm or replace the server URI.
    2. Base DN: Confirm or replace the base distinguished name (DN).
    3. Bind DN (Optional): Confirm or replace the bind distinguished name (DN).
    4. Password: Type in the new password.
  4. Click Save.

Managing Deleted Share/Export Audits

Manage the audit data of deleted shares and exports.

About this task

By default, File Analytics retains deleted share and export data. The dashboard widgets do not account for data of deleted shares and exports. The deleted marker appears next to deleted shares and exports in audit trails. The Manage Share/Export Audit data window displays a list of deleted shares and exports.

Follow the directions as indicated to delete audit data for the deleted share or export.

Note: You cannot restore the deleted audit data of a deleted share or export.

Procedure

  1. Click the gear icon > Manage Deleted Share/Export Audit.
  2. Check the box next to the share or export name.
  3. Click Delete.
  4. In the confirmation window, click Delete to confirm the deletion of data.
    In the Manage Deleted Share/Export Audit window, a progress bar displays the progress of the deletion process next to the share name. File Analytics considers data deletion of a deleted share a low-priority task, which can take several hours to finish.

Changing an FAVM Password

Steps for updating the password of a File Analytics VM (FAVM).

Procedure

  1. Log on to an FAVM with SSH.
  2. Change the nutanix password.
    nutanix@fsvm$ sudo passwd nutanix
  3. Respond to the prompts, providing the current and new nutanix user password.
    Changing password for user nutanix.
    Old Password:
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    Note:

    The password must meet the following complexity requirements:

    • At least 8 characters long
    • At least 1 lowercase letter
    • At least 1 uppercase letter
    • At least 1 number
    • At least 1 special character
    • At least 4 characters difference from the old password
    • Should not be among the last 10 passwords
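The complexity rules above can be checked before running passwd. The following Python code is an added example, not Nutanix code and not what the FAVM's own PAM stack runs: it applies the seven listed rules to a candidate password and keeps a salted-hash history of the last 10 passwords so that reuse is detected without storing old passwords in clear text. Two points are assumptions: "4 characters difference" is taken to mean that at least 4 characters of the new password occur nowhere in the old one, and "special character" is taken to mean ASCII punctuation. The names PasswordHistory, check_password and chars_not_in_old are the example's own.

```python
import hashlib
import os
import string

MIN_LENGTH = 8        # At least 8 characters long
MIN_DIFFERENT = 4     # At least 4 characters difference from the old password (assumed meaning below)
HISTORY_DEPTH = 10    # Should not be among the last 10 passwords
SPECIALS = set(string.punctuation)  # assumption: ASCII punctuation counts as "special"
PBKDF2_ROUNDS = 50_000


class PasswordHistory:
    """Keeps salted PBKDF2-SHA256 digests of previous passwords, oldest first.

    Only digests are stored, so the history cannot leak old passwords; a
    candidate is compared by re-deriving the digest with each stored salt.
    """

    def __init__(self) -> None:
        self._entries: list[tuple[bytes, bytes]] = []   # (salt, digest)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def contains(self, password: str) -> bool:
        """True if the password matches any of the last HISTORY_DEPTH entries."""
        recent = self._entries[-HISTORY_DEPTH:]
        return any(self._digest(password, salt) == digest for salt, digest in recent)

    def record(self, password: str) -> None:
        """Append the accepted password's digest under a fresh random salt."""
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))


def chars_not_in_old(new: str, old: str) -> int:
    """Count characters of `new` that appear nowhere in `old` (the assumed
    meaning of the '4 characters difference' rule)."""
    old_chars = set(old)
    return sum(1 for c in new if c not in old_chars)


def check_password(new: str, old: str, history: PasswordHistory) -> list[str]:
    """Return the codes of the rules the candidate violates; empty means accepted."""
    failures = []
    if len(new) < MIN_LENGTH:
        failures.append("length")
    if not any(c.islower() for c in new):
        failures.append("lowercase")
    if not any(c.isupper() for c in new):
        failures.append("uppercase")
    if not any(c.isdigit() for c in new):
        failures.append("digit")
    if not any(c in SPECIALS for c in new):
        failures.append("special")
    if chars_not_in_old(new, old) < MIN_DIFFERENT:
        failures.append("similar")
    if history.contains(new):
        failures.append("reused")
    return failures


if __name__ == "__main__":
    # Constructed walk-through (sample values, not real credentials): an accepted
    # change, then a candidate that barely differs from the old password, then an
    # attempt to reuse a password that is still in the history.
    history = PasswordHistory()
    print(check_password("Tr0ub4dor&3", "nutanix/4u", history))   # []
    history.record("Tr0ub4dor&3")
    print(check_password("Tr0ub4dor&4", "Tr0ub4dor&3", history))  # ['similar']
    print(check_password("Tr0ub4dor&3", "Other9Pw!x", history))   # ['reused']
```

Returning rule codes rather than a single boolean lets the caller tell the user which rule failed, which is what the passwd prompt does only in aggregate.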

Upgrades

Perform File Analytics upgrades using the Life Cycle Manager feature in Prism Element.

Before you proceed with the File Analytics upgrade, ensure that you meet the following requirements:

  • Have a compatible version of AOS and Files.

    Refer to File Analytics release notes for compatibility details. You can upgrade both AOS and Files through Prism Element, see AOS Upgrade in the Prism Web Console Guide .

  • Check the Health page of File Analytics to confirm that the overall health is green. See Health.
  • The protection domain (PD) for the File Analytics VM (FAVM) should not include any other entities.

To upgrade File Analytics, perform inventory and updates using the Life-Cycle Manager (LCM), see the Life Cycle Manager Guide for instructions on performing inventory and updates.

Note: The File Analytics UI is not accessible during upgrades.

During the upgrade process, File Analytics takes a snapshot of the volume group (VG) that contains File Analytics data. If issues occur during an upgrade, File Analytics restores the FAVM to the pre-upgrade state. If the volume group is protected and is part of a protection domain, File Analytics creates a snapshot and sets the expiry time to 30 days. If the volume group is not protected, File Analytics creates a snapshot and deletes the snapshot after completing the upgrade successfully. If any errors occur, the system keeps the snapshot for 30 days to troubleshoot the issue.

Upgrade File Analytics at a Dark Site

Upgrade File Analytics at a dark site using the Life-Cycle Manager (LCM).

About this task

Before you begin

You need a local web server reachable by your Nutanix clusters to host the LCM repository.

Procedure

  1. From a device that has public Internet access, go to Nutanix Portal > Downloads > Tools & Firmware .
    1. Download the tar file lcm_dark_site_version.tar.gz .
    2. Transfer lcm_dark_site_version.tar.gz to your local web server and untar into the release directory.
  2. From a device that has public Internet access, go to the Nutanix portal and select Downloads > File Analytics .
    1. Download the following files.
      • file_analytics_dark_site_version.tar.gz
      • nutanix_compatibility.tgz
      • nutanix_compatibility.tgz.sign
    2. Transfer file_analytics_dark_site_version.tar.gz to your local web server and untar into the release directory.
    3. Transfer the nutanix_compatibility.tgz and nutanix_compatibility.tgz.sign files to your local web server (overwrite existing files as needed).
  3. Log on to Prism Element.
  4. Click Home > LCM > Settings.
    1. In the Fetch updates from field, enter the path to the directory where you extracted the tar file on your local server. Use the format http://webserver_IP_address/release.
    2. Click Save .
      You return to the Life Cycle Manager.
    3. In the LCM sidebar, click Inventory > Perform Inventory .
    4. Update the LCM framework before trying to update any other component.
      The LCM sidebar shows the LCM framework with the same version as the file you downloaded.

Dashboard

The Dashboard tab displays data on the operational trends of a file server.

Dashboard View

The Dashboard tab is the opening screen that appears after launching File Analytics for a specific file server. The dashboard displays widgets that present data on file trends, distribution, and operations.

Note: Widgets refresh hourly.
Figure. Analytics Dashboard. Widgets in the dashboard view.

Table 1. Dashboard Widgets
Each entry gives the tile name, its description, and the intervals or values the tile displays.

  • Capacity trend: Displays capacity trends for the file server, including capacity added, capacity removed, and net changes. Clicking an event period in the widget displays the Capacity Trend Details view. Intervals: the last 7 days, the last 30 days, or the last 1 year.
  • Data age: Displays the percentage of data by age. Data age determines the data heat: hot, warm, or cold. Default intervals are as follows:
    • Hot data – accessed within the last week.
    • Warm data – accessed within the last 2 to 4 weeks.
    • Cold data – accessed 4 weeks ago or earlier.
  • Permission denials: Displays users who have had excessive permission denials and the number of denials. Clicking a user displays audit details, see Audit Trails - Users for more. Values: [user id], [number of permission denials].
  • File distribution by size: Displays the number of files by file size. Provides trend details for the top 5 files. Intervals: less than 1 MB, 1–10 MB, 10–100 MB, 100 MB to 1 GB, greater than 1 GB.
  • File distribution by type: Displays the space taken up by various applications and file types. The file extension determines the file type. See the File Types table for more details. Units: MB or GB.
  • File distribution by type details view: Displays a trend graph of the top 5 file types. File distribution details include file type, current space used, current number of files, and change in space for the last 7 or 30 days. Clicking View Details displays the File Distribution by Type view. Values: daily size trend for the top 5 files (GB), file type (see the File Types table), current space used (GB), current number of files (numeric), change in the last 7 or 30 days (GB).
  • Top 5 active users: Lists the users who have accessed the most files and the number of operations each user performed for the specified period. When there are more than 5 active users, the more link provides details on the top 50 users. Clicking the user name displays the audit view for the user, see Audit Trails - Users for more. Intervals: 24 hours, 7 days, 1 month, or 1 year.
  • Top 5 accessed files: Lists the 5 most frequently accessed files. Clicking more provides details on the top 50 files. Clicking the file name displays the audit view details for the file, see Audit Trails - Files for more. Intervals: 24 hours, 7 days, 1 month, or 1 year.
  • Files operations: Displays the distribution of operation types for the specified period, including a count for each operation type and the total sum of all operations. Operations include: create, delete, read, write, rename, permission changed, set attribute, symlink, permission denied, permission denied (file blocking). Clicking an operation displays the File Operation Trend view. Intervals: 24 hours, 7 days, 1 month, or 1 year.

Capacity Trend Details

Clicking an event period in the Capacity Trend widget displays the Capacity Trend Details view for that period. The view includes three tabs: Share/Export, Folder, and Category. Each tab includes the following columns: Name, Net capacity change, Capacity added, and Capacity removed.

Figure. Capacity Trend Details View. Clicking the Capacity Trend widget in the Dashboard tab displays the Capacity Trend Details view.

Table 2. Capacity Trend Details
Column Description
Name Name of share/export, folder, or category.
Net capacity change The total difference between capacity at the beginning and the end of the specified period.
Share name (for folders only) The name of the share or export that the folder belongs to.
Capacity added Total added capacity for the specified period.
Capacity removed Total removed capacity for the specified period.

File Distribution by Type Details

Clicking View Details for the File Distribution by Type widget displays granular details of file distribution, see the File Types table for details.

Figure. File Distribution by Type. Clicking View Details on the File Distribution by Type widget displays the File Distribution by Type dashboard.

Table 3. Details of File Distribution Parameters
Parameter Description
File type Name of file type
Current space used Space capacity occupied by the file type
Current number of files Number of files for the file type
Change (in last 30 days) The increase in capacity over a 30-day period for the specified file type
Table 4. File Types
Category Supported File Type
Archives .cab, .gz, .rar, .tar, .z, .zip
Audio .aiff, .au, .mp3, .mp4, .wav, .wma
Backups .bak, .bkf, .bkp
CD/DVD images .img, .iso, .nrg
Desktop publishing .qxd
Email archives .pst
Hard drive images .tib, .gho, .ghs
Images .bmp, .gif, .jpg, .jpeg, .pdf, .png, .psd, .tif, .tiff
Installers .msi, .rpm
Log Files .log
Lotus notes .box, .ncf, .nsf, .ns2, .ns3, .ns4, .ntf
MS Office documents .accdb, .accde, .accdt, .accdr, .doc, .docx, .docm, .dot, .dotx, .dotm, .xls, .xlsx, .xlsm, .xlt, .xltx, .xltm, .xlsb, .xlam, .ppt, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .mdb
System files .bin, .dll, .exe
Text files .csv, .pdf, .txt
Video .avi, .mpg, .mpeg, .mov, .m4v
Disk image .hlog, .nvram, .vmdk, .vmx, .vmxf, .vmtm, .vmem, .vmsn, .vmsd

File Operation Trend

Clicking an operation type in the File Operations widget displays the File Operation Trend view. The File Operation Trend view breaks down the specified period into smaller intervals, and displays the number of occurrences of the operation during each interval.

Figure. Operation Trend. A graph displays the number of times the specified operation took place over time.

Table 5. File Operation Trend View Parameters
Parameter Description
Operation type A drop-down option to specify the operation type. See Files Operations in the Dashboard Widgets table for a list of operation types.
Last (time period) A drop-down option to specify the period for the file operation trend.
File operation trend graph The x-axis divides the specified period into shorter intervals. The y-axis displays the number of operations that occurred in each interval.

Health

The Health dashboard displays dynamically updated health information about each file server component.

The Health dashboard includes the following details:

  • Data Summary: Data summary of all file servers with File Analytics enabled.
  • Host Memory: Percent of used memory on the File Analytics VM (FAVM).
  • Host CPU Usage: Percent of CPU used by the FAVM.
  • Storage Summary: Amount of storage space used on the File Analytics data disk or FAVM disk.
  • Overall Health: Overall health of File Analytics components.
  • Data Server Summary: Data server usage by component.
Figure. Health Page. The Health page dashboard includes tiles that dynamically update to indicate the health of relevant entities.

Data Age

The Data Age widget in the dashboard provides details on data heat.

Share-level data is displayed to provide details on share capacity trends. There are three levels of data heat:

  • Hot – frequently accessed data (last accessed within the last week).
  • Warm – infrequently accessed data (last accessed within the last 2 to 4 weeks).
  • Cold – rarely accessed data (last accessed longer than 4 weeks ago).

You can configure the definitions for each level of data heat rather than using the default values. See Configuring Data Heat Levels.

Configuring Data Heat Levels

Update the values that constitute different data heat levels.

Procedure

  1. In the Data Age widget, click Explore.
  2. Click Edit Data Age Configuration.
  3. Do the following in the Hot Data section:
    1. In the entry field next to Older Than, enter an integer.
    2. In the dropdown, choose Week(s), Month(s), or Year(s).
  4. Do the following in the Warm Data section to configure two ranges:
    1. In the first entry field, enter an integer to configure the first range.
    2. In the dropdown, choose Week(s), Month(s), or Year(s).
    3. In the second entry field, enter an integer to configure the second range.
    4. In the dropdown, choose Week(s), Month(s), or Year(s).
  5. Do the following in the Cold Data section to configure four ranges:
    1. In the first entry field, enter an integer to configure the first range.
    2. In the dropdown, choose Week(s), Month(s), or Year(s).
    3. In the second entry field, enter an integer to configure the second range.
    4. In the dropdown, choose Week(s), Month(s), or Year(s).
    5. In the third entry field, enter an integer to configure the third range.
    6. In the dropdown, choose Week(s), Month(s), or Year(s).
    7. (Optional) In the fourth entry field, enter an integer to configure the fourth range.
    8. In the dropdown, choose Week(s), Month(s), or Year(s).
  6. Click Apply.
    Note: The new values do not affect the already calculated heat statistics. File Analytics uses the updated values for future heat calculations.

Anomalies

Data panes in the Anomalies tab display data and trends for configured anomalies.

The Anomalies tab provides options for creating anomaly policies and displays dashboards for viewing anomaly trends.

You can configure anomalies for the following operations:

  • Creating files and directories
  • Deleting files and directories
  • Permission changes
  • Permission denials
  • Renaming files and directories
  • Reading files and directories

Define anomaly rules by specifying the following conditions:

  • Users exceed an operation count threshold
  • Users exceed an operation percentage threshold

Meeting the lower operation threshold triggers an anomaly.

Consider a scenario where you have 1,000 files, an operation count threshold of 10, and an operation percentage threshold of 10%. The count threshold takes precedence, because 10% of 1,000 is 100, which is greater than the count threshold of 10.

Figure. Anomalies Dashboard. The Anomalies dashboard displays anomaly trends.

Table 1. Anomalies Data Pane Descriptions
Pane Name Description Values
Anomaly Trend Displays the number of anomalies per day or per month. Last 7 days, Last 30 days, Last 1 year
Top Users Displays the users with the most anomalies and the number of anomalies per user. Last 7 days, Last 30 days, Last 1 year
Top Folders Displays the folders with the most anomalies and the number of anomalies per folder. Last 7 days, Last 30 days, Last 1 year
Operation Anomaly Types Displays the percentage of occurrences per anomaly type. Last 7 days, Last 30 days, Last 1 year

Anomaly Details

Clicking an anomaly bar in the Anomaly Trend graph displays the Anomaly Details view.

Figure. Anomaly Details View

Table 2. Anomalies Details View Total Results Table
Column Description
Anomaly Type The configured anomaly type. Anomaly types not configured do not show up in the table.
Total User Count The number of users that have performed the operation causing the specified anomaly during the specified time range.
Total Folder Count The number of folders in which the anomaly occurred during the specified time range.
Total Operation Count Total number of anomalies for the specified anomaly type that occurred during the specified time range.
Time Range The time range for which the total user count, total folder count, and total operation count are specified.
Table 3. Anomalies Details View Users/Folders Table
Column Description
Username or Folders Indicates the entity for the operation count. Selecting the Users tab indicates operation count for specific users, and selecting the Folders tab indicates the operation count for specific folders.
Operation count The total number of operations causing anomalies for the selected user or folder during the time period for the bar in the Anomaly Trend graph.

Configuring Anomaly Detection

Steps for configuring anomaly rules.

About this task

To create an anomaly rule, do the following.

Note: Configure an SMTP server for File Analytics to send anomaly alerts, see Configuring an SMTP Server.

Procedure

  1. In the File Analytics web console, click the gear icon > Define Anomaly Rules.
  2. In the Anomaly Email Recipients field, enter a comma-separated list of email recipients for all anomaly alerts and data.
    Note: File Analytics sends anomaly alerts and data to the recipients whenever it detects an anomaly.
  3. To configure a new anomaly, do the following in the indicated fields:
    1. Events : Select a rule for the anomaly from one of the following:
      • Permission changed
      • Permission denied
      • Delete
      • Create
      • Rename
      • Read
      The event defines the scenario type for the anomaly.
    2. Minimum Operations % : Enter a percentage value for the minimum threshold.
      File Analytics calculates the minimum operations percentage based on the number of files. For example, if there are 100 files, and you set the minimum operations percentage to 5, five operations within the scan interval would trigger an anomaly alert.
    3. Minimum Operation Count : Enter a value for a minimum operation threshold.
      File Analytics triggers an anomaly alert after meeting the threshold.
    4. User: Choose whether the anomaly rule applies to All Users or an Individual user.
    5. Type: The type determines the interval.
      The interval determines how far back File Analytics monitors the anomaly.
    6. Interval: Enter a value for the detection interval.
    7. (Optional) Actions: Click the pencil icon to update an anomaly rule. Click the x icon to delete an existing rule.
    Figure. Anomaly Configuration Fields. Fill out these fields to configure a new anomaly rule.

  4. Click Save .
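The threshold logic described in the Anomalies overview (the lower of the count and percentage thresholds triggers, with the percentage taken over the number of files) and the fields of the Define Anomaly Rules dialog above can be exercised offline. The Python below is an added example, not File Analytics code: it models a rule with the dialog's fields, evaluates it over a constructed list of audit events for a detection interval, and returns the users whose operation count reaches the effective threshold. The AuditEvent and AnomalyRule classes, evaluate_rule, and the sample events and users are the example's own constructions; how File Analytics represents its rules internally is not documented on this page.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class AuditEvent:
    """One file-server operation as it would appear in an audit trail (constructed)."""
    user: str
    operation: str      # "Create", "Delete", "Rename", "Read", "Permission Changed", "Permission Denied"
    target: str
    when: datetime


@dataclass(frozen=True)
class AnomalyRule:
    """Mirrors the fields of the Define Anomaly Rules dialog."""
    event: str                   # Events
    min_operations_pct: float    # Minimum Operations %
    min_operation_count: int     # Minimum Operation Count
    interval: timedelta          # Type + Interval, expressed as one duration
    user: Optional[str] = None   # User: None means "All Users"

    def effective_threshold(self, total_files: int) -> float:
        """The lower of the two thresholds is the one that triggers.

        The percentage is taken over the number of files on the file server:
        5% of 100 files is 5 operations; 10% of 1,000 files is 100, which is
        higher than a count threshold of 10, so the count threshold wins.
        """
        pct_threshold = total_files * self.min_operations_pct / 100.0
        return min(pct_threshold, float(self.min_operation_count))


def evaluate_rule(rule: AnomalyRule, events: list[AuditEvent],
                  total_files: int, window_end: datetime) -> dict[str, int]:
    """Return {user: count} for every user whose operations of rule.event
    inside the detection interval reach the effective threshold."""
    window_start = window_end - rule.interval
    counts = Counter(
        e.user for e in events
        if e.operation == rule.event
        and window_start <= e.when <= window_end
        and (rule.user is None or e.user == rule.user)
    )
    threshold = rule.effective_threshold(total_files)
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample audit events (not real data): alice deletes 12 files in the
# last hour, bob deletes 3, carol only reads, and dave's 15 deletes are two days
# old, outside a 24-hour interval.
NOW = datetime(2022, 6, 14, 12, 0)
SAMPLE_EVENTS = (
    [AuditEvent("alice", "Delete", f"/finance/q2-{i}.xlsx", NOW - timedelta(minutes=i)) for i in range(1, 13)]
    + [AuditEvent("bob", "Delete", f"/hr/old-{i}.doc", NOW - timedelta(minutes=5 * i)) for i in range(1, 4)]
    + [AuditEvent("carol", "Read", f"/eng/spec-{i}.pdf", NOW - timedelta(minutes=i)) for i in range(1, 21)]
    + [AuditEvent("dave", "Delete", f"/tmp/scratch-{i}", NOW - timedelta(days=2, minutes=i)) for i in range(1, 16)]
)

# The scenario from the text: count threshold 10, percentage threshold 10%, all users.
DELETE_RULE_ALL_USERS = AnomalyRule("Delete", min_operations_pct=10, min_operation_count=10,
                                    interval=timedelta(hours=24))
# An individual-user rule with a low count threshold.
DELETE_RULE_BOB = AnomalyRule("Delete", min_operations_pct=10, min_operation_count=2,
                              interval=timedelta(hours=24), user="bob")

if __name__ == "__main__":
    print(DELETE_RULE_ALL_USERS.effective_threshold(1000))                  # 10.0
    print(evaluate_rule(DELETE_RULE_ALL_USERS, SAMPLE_EVENTS, 1000, NOW))   # {'alice': 12}
    print(evaluate_rule(DELETE_RULE_BOB, SAMPLE_EVENTS, 1000, NOW))         # {'bob': 3}
```

With 1,000 files the effective threshold is 10, so alice's 12 deletes trigger and bob's 3 do not; with 100 files and a 5% setting the percentage side becomes the lower threshold (5), which is the case the Minimum Operations % step describes.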

Configuring an SMTP Server

File Analytics uses a simple mail transport protocol (SMTP) server to send anomaly alerts.

About this task

To configure an SMTP server, do the following:

Procedure

  1. In the File Analytics web console, click the gear icon > SMTP Configuration.
  2. In the SMTP Configuration window, enter the indicated details in the following fields:
    1. Hostname Or IP Address: Enter a fully qualified domain name or IP address for the SMTP server.
    2. Port: Enter the port to use.
      The standard SMTP ports are 25 (encrypted), 587 (TLS), and 465 (SSL).
    3. Security Mode: Select the desired security mode from the dropdown list.
      The options are:
      • NONE (unencrypted)
      • STARTTLS (TLS encryption)
      • SSL (SSL encryption)
    4. If the security mode is NONE, skip to step 7.
    5. User Name: Enter a user name for logging into the SMTP server. Depending on the authentication method, the user name may require a domain.
    6. Password: Enter the password.
    7. From Email Address: Enter the email address from which File Analytics sends the anomaly alerts.
    8. Recipient Email Address: Enter a recipient email address to test the SMTP configuration.
    Figure. SMTP Configuration. Fields for configuring an SMTP server.

  3. Click Save .

Audit Trails

Use audit trails to look up operation data for a specific user, file, folder, or client.

The Audit Trails tab includes Files, Folders, Users, and Client IP options for specifying the audit type. Use the search bar to specify the entity for the audit (user, folder, file, or client IP).

The results table presents details for entities that match the search criteria. Clicking the entity name (or client IP number) takes you to the Audit Trails dashboard for the target entity.

View Audit Trails

Audit a user, file, client, or folder.

About this task

Follow the steps as indicated.

Procedure

  1. Click the Audit Trails tab.
  2. Select the Files, Folders, Users, or Client IP option.
  3. Enter the audit trails target into the search bar.
  4. Click Search.
  5. To display audit results in the Audit Trails window, click the entity name (or client IP number).

Audit Trails - Users

Details for user audit trails.

Audit Trails Search - Users

When you search by user in the Audit Trails tab, search results display the following information in a table.

  • User Name
  • Domain
  • Last Operation
  • Last Operation On
  • Share Name
  • Operation Date
  • Action
Figure. Users Search Results. A table displays user search results for the query.

Audit Details Page - Users

Clicking View Audit displays the Audit Details page, which shows the following audit information for the selected user.

  • A User Events graph displays the operations the user performed during the selected period and the percentage of all operations in that period that each operation type accounts for.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operations include:
      • Create File
      • Delete
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Read
      • Remove Directory
      • Rename
      • Set Attribute
      • Write
      • Symlink
    • The filter bar, above the User Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific information. See more details below.
  • The Reset Filters button removes all filters.
Figure. User Audit Details - Events: User Events table displays event rates for various operations performed by the user.

The Results table provides granular details of the audit results. The following data is displayed for every event.

  • User Name
  • User IP Address
  • Operation
  • Operation Date
  • Target File

Click the gear icon for options to download the data as an XLS, CSV, or JSON file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.
Figure. Results Table: The results table displays a detailed view of the audit data.

Audit Trails - Folders

Dashboard details for folder audits.

The following information displays when you search by folder in the Audit Trails tab.

  • Folder Name
  • Folder Owner Name
  • Share Name
  • Parent Folder
  • Last Operation
  • Last Operation By
  • Last Operation Date
  • Action
Figure. Folders Search Results

The Audit Details page shows the following audit information for the selected folder.

  • A Folder Events graph displays the operations performed on the folder during the selected period and each operation's percentage of the total operations in that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operations include:
      • Select All
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Remove Directory
      • Rename
        Note: The Rename operation covers both a change of name and a change of path for a specific file or folder.
      • Set Attribute
    • A filter bar, above the Folder Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
  • The Reset Filters button removes all filters.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • User Name
  • Client IP
  • Operation
  • Operation Date

Click the gear icon for options to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.

Audit Trails - Files

Dashboard details for file audit trails.

Audit Trails for Files

When you search by file in the Audit Trails tab, the following information displays:

  • File Name
  • File Owner Name
  • Share Name
  • Parent Folder
  • Last Operation
  • Last Operation By
  • Last Operation Date
  • Action
Figure. Files Search Results: A table displays file search results for the query.

Note:
  • File Analytics does not support regular expression (regex) based search.
  • Each file server supports up to 500 million files with the latest 3 months of audit data.

The Audit Details page shows the following audit information for the selected file.

  • A File Events graph displays the operations performed on the file during the selected period and each operation's percentage of the total operations in that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operation types include:
      • Close File
      • Create File
      • Delete
      • Make Directory
      • Open
      • Read
      • Rename
        Note: The Rename operation covers both a change of name and a change of path for a specific file or folder.
      • Set Attribute
      • Write
      • Symlink
    • A filter bar, above the File Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
  • The Reset Filters button removes all filters.
Figure. Files Audit Details - Events: File Events table displays event rates for various operations for the file.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • Username
  • Client IP
  • Operation
  • Operation Date

Click the gear icon for options to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.
Figure. Results Table: The results table displays a detailed view of the audit data.

Audit Trails - Client IP

Dashboard details for client IP Audit Trails.

Audit Trails Search - Client IP

When you search by client IP in the Audit Trails tab, search results display the following information in a table.

  • Client IP
  • User Name
  • Domain
  • Last Operation
  • Last Operation On
  • Share Name
  • Operation Date
  • Action
Figure. IP Search Results: A table displays IP search results for the query.

The Audit Details page shows the following audit information for the selected client.

  • A User Events graph displays the operations performed from the client during the selected period and each operation's percentage of the total operations in that period.
    • The Filter by operations dropdown contains operation filters, which you can use to filter the audit by operation type. Operation types include:
      • Create File
      • Delete
      • Make Directory
      • Permission Changed
      • Permission Denied
      • Read
      • Removed Directory
      • Rename
      • Set Attribute
      • Write
      • Symlink
      • Permission Denied (File Blocking)
    • A filter bar, above the User Events graph, displays the filters in use.
    • Use the From and To fields to filter by date.
  • The Results table displays operation-specific details.
  • The Reset Filters button removes all filters.
Figure. Files Audit Details - Events: File Events table displays event rates for various operations for the file.

The Results table provides granular details of the audit results. File Analytics displays the following data for every event.

  • User Name
  • Operation
  • Target File
  • Operation Date

Click the gear icon for an option to download the data as a CSV file.

Note: You can download a maximum of 10,000 events in CSV or JSON format.
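The Audit Trails sections above describe what a downloaded results table contains (user, client IP, operation, operation date, target file) and cap each export at 10,000 events, so narrow the date range before downloading. The following is an added example and is not part of the File Analytics guide or product: a POSIX shell script that summarises such an export per user and operation and flags accounts whose Rename plus Delete counts reach a threshold. The CSV header names and column order follow the user audit results table listed above but are an assumption about the real export; the sample rows are constructed.

```shell
#!/bin/sh
# Added example, not from the File Analytics guide. Summarises a CSV export
# of the Audit Trails results table. Column order is assumed to follow the
# user audit results table: User Name, User IP Address, Operation,
# Operation Date, Target File (header spelling is an assumption).

# Constructed sample export (not real data).
AUDIT_CSV='User Name,User IP Address,Operation,Operation Date,Target File
alice,10.0.0.5,Read,2022-06-01 09:00:01,/share1/q2.xlsx
alice,10.0.0.5,Write,2022-06-01 09:00:05,/share1/q2.xlsx
bob,10.0.0.9,Rename,2022-06-01 09:10:01,/share1/a.docx
bob,10.0.0.9,Rename,2022-06-01 09:10:02,/share1/b.docx
bob,10.0.0.9,Delete,2022-06-01 09:10:03,/share1/c.docx
bob,10.0.0.9,Rename,2022-06-01 09:10:04,/share1/d.docx
bob,10.0.0.9,Delete,2022-06-01 09:10:05,/share1/e.docx'

# Print "user,operation,count" for every user/operation pair, sorted.
# $1 is the CSV text; the header row (NR == 1) is skipped.
count_ops() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 { n[$1 "," $3]++ }
        END { for (k in n) print k "," n[k] }' | sort
}

# Print "user,count" for users whose Rename plus Delete events reach the
# threshold in $2 (default 4). A burst of renames and deletes from one
# account is worth reviewing next to the ransomware dashboard.
flag_churn() {
    printf '%s\n' "$1" | awk -F, -v limit="${2:-4}" '
        NR > 1 && ($3 == "Rename" || $3 == "Delete") { churn[$1]++ }
        END { for (u in churn) if (churn[u] >= limit) print u "," churn[u] }' | sort
}

# Usage: AUDIT_CSV is the sample above; pass "$(cat export.csv)" for a real export.
echo "Operations per user:"
count_ops "$AUDIT_CSV"
echo "Users with at least 4 rename/delete events:"
flag_churn "$AUDIT_CSV" 4
```

The awk split on commas assumes that no field (in particular no target file path) contains a comma; an export with quoted fields needs a real CSV parser.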

Ransomware Protection

Ransomware protection for your file server.

Caution: Ransomware protection helps detect potential ransomware. Nutanix does not recommend using the File Analytics ransomware feature as an all-encompassing ransomware solution.

File Analytics scans files for ransomware in real time and notifies you in the event of a ransomware attack once you configure email notifications.

The Nutanix Files file blocking mechanism uses a curated list of over 250 signatures that frequently appear in ransomware files to identify files with ransomware extensions and block them from carrying out malicious operations. You can modify the list by manually adding or removing signatures in Nutanix Files; see "File Blocking" in the Nutanix Files User Guide.

Caution: Removing curated blocked signatures may prevent File Analytics from blocking some ransomware files.

File Analytics also monitors shares for self-service restore (SSR) policies and identifies shares that do not have SSR enabled in the ransomware dashboard. You can enable SSR through the ransomware dashboard.

Ransomware Protection Features

The ransomware dashboard includes panes for managing ransomware protection and self-service restore (SSR).

Ransomware Dashboard

The ransomware dashboard includes two main sections:

  • The SSR Status pane for viewing, enabling, and managing SSR; see Enabling SSR.
  • The Vulnerabilities (Infection Attempts) pane for viewing total vulnerabilities, vulnerable shares, malicious clients, and top recent ransomware attempts.
    • Clicking the number of total vulnerabilities provides a detailed view of recent vulnerabilities.
    • Clicking the number of vulnerable shares provides a detailed view of vulnerable shares.
    • Clicking the number of malicious clients provides a detailed view of malicious clients.
  • Click Settings to enable and configure ransomware protection; see Enabling Ransomware Protection and Configuring Ransomware Protection.
  • Click Download (.csv) to download a list of blocked ransomware signatures.
Figure. Ransomware Dashboard

Enabling Ransomware Protection

Enable ransomware protection on your file server.

About this task

Procedure

  1. Go to dropdown menu > Ransomware.
  2. In the message banner, click Enable Ransomware Protection.
  3. (optional) Click Configure SMTP to Add Recipients.
    Note: This option appears only if you have not configured a simple mail transfer protocol (SMTP) server; see Configuring an SMTP Server.
  4. Under Ransomware Email Recipients, add at least one email address. If there is a ransomware attack, File Analytics sends a notification to the specified email address.
    Figure. Enable Ransomware

  5. Click Enable.
    See Configuring Ransomware Protection for configuration steps.

Configuring Ransomware Protection

Configure ransomware protection on file servers.

About this task

Do the following to add a signature to the blocked extension list.

Procedure

  1. Go to dropdown menu > Ransomware > Settings.
  2. (optional) Under Search for blocked File Signatures, enter ransomware signatures in the *.(signature) format.
    1. To check whether the signature is already blocked, click Search.
      Note: You can also remove ransomware signatures.
    2. If the signature has not been blocked, click Add to Block List.

  3. (optional) To download a list of blocked ransomware signatures, click Download (.csv).
  4. (optional) Under Ransomware Email Recipients, add a comma-separated list of email addresses. If there is a ransomware attack, File Analytics sends a notification to the specified email addresses.
  5. (optional) To disable the ransomware protection feature, click Disable Ransomware Protection.

Enabling SSR

Enable self-service restore on shares identified by File Analytics.

About this task

File Analytics scans shares for SSR policies.

Procedure

  1. Go to dropdown menu > Ransomware.
  2. Click Enable SSR on Prism.
  3. Check the box next to the shares for which to enable SSR.
    Figure. Enable SSR on Shares

  4. Click Enable SSR.

Reports

Generate a report for entities on the file server.

Create a report with custom attribute values or use one of the File Analytics pre-canned report templates. To create a custom report, specify the entity, attributes (and operators for some attributes), attribute values, column headings, and the number of columns. Pre-canned reports define most of the attributes and headings based on the entity and template that you choose.

The Reports dashboard displays a table of previously generated reports. You can rerun existing reports rather than creating a new template. After creating a report, you can download it as a JSON or CSV file.

Reports Dashboard

The reports dashboard includes options to create, view, and download reports.

The Reports dashboard includes options to create a report, download reports as JSON, download reports as CSV, rerun reports, and delete reports.

The reports table includes columns for the report name, status, last run, and actions.

Figure. Reports Dashboard

Clicking Create a new report takes you to the report creation screen, which includes a Report Builder tab and a Pre-Canned Reports Templates tab. The tabs include report options and filters for report configuration.

Both tabs include the following elements:

  • The Define Report Type section includes an Entity drop-down menu to select an entity.
  • The Define Filters section includes an Attribute drop-down menu and an option to add more attributes by clicking + Add filter.
  • The Add/remove columns in this report section displays the default columns. Clicking the columns field lets you add columns to the report. Clicking the x next to a column name removes it from the report.
  • The Define number of maximum rows in this report section includes a Count field to specify the number of rows in the report.
Table 1. Report Builder – Filter Options

Comparison operators (offered wherever the table says "comparison operators"): equal_to, greater_than, greater_than_equal_to, less_than, less_than_equal_to

Entity: Events
  • Attributes (filters):
    • event_date; Operator: comparison operators; Value: (date)
    • Event_operation; Operator: N/A; Value: file_write, file_read, file_create, file_delete, rename, directory_create, directory_delete, SecurityChange (permission change), set_attr, sym_link
  • Columns:
    • audit_path (object path)
    • audit_objectname (object name)
    • audit_operation (operation)
    • audit_machine_name (source of operation)
    • audit_event_date (event date in UTC)
    • audit_username (user name)

Entity: Files
  • Attributes (filters):
    • Category; Operator: comparison operators; Value: (date)
    • Extensions; Operator: N/A; Value: (type in value)
    • Deleted; Operator: N/A; Value: Last (number of days from 1 to 30) days
    • creation_date; Operator: comparison operators; Value: (date)
    • access_date; Operator: comparison operators; Value: (date)
    • Size; Operator: comparison operators; Value: (number) (file size), with file size options B, KB, MB, GB, TB
  • Columns:
    • object_name (file name)
    • share_UUID (share name)
    • object_owner_name (owner name)
    • object_size_logical (size)
    • file_type (extension)
    • object_creation_date (creation date in UTC)
    • last_event_date (access date in UTC)
    • fileserver_protocol
    • object_ID (file id)
    • object_last_operation_name (last operation)
    • audit_username (last operation user)
    • file_path (file path)

Entity: Folders
  • Attributes (filters):
    • Deleted; Operator: N/A; Value: Last (number of days from 1 to 30) days
    • creation_date; Operator: comparison operators; Value: (date)
  • Columns:
    • object_name (Dir name)
    • object_owner_name (owner name)
    • object_creation_date (creation date in UTC)
    • last_event_date (access date in UTC)
    • share_UUID (share name)
    • object_last_operation_name (last operation)
    • audit_username (last operation user)
    • File server protocol
    • object_ID (file id)
    • file_path (Dir path)

Entity: Users
  • Attributes (filters):
    • last_event_date; Operator: comparison operators; Value: (date)
  • Columns:
    • user_login_name (user name)
    • Last operation
    • last_event_date (access date in UTC)
    • last_operation_audit_path
Table 2. Pre-Canned Reports – Filters

Entity: Events
  • Pre-canned report templates:
    • PermissionDenied events
    • Permission Denied (file blocking) events
  • Columns:
    • audit_path (object path)
    • audit_objectname (object name)
    • audit_operation (operation)
    • audit_machine_name (source of operation)
    • audit_event_date (event date in UTC)
    • audit_username (user name)

Entity: Files
  • Pre-canned report templates:
    • Largest Files
    • Oldest Files
    • Files not accessed for last 1 year
    • Files accessed in last 30 days
  • Columns:
    • object_name (file name)
    • share_UUID (share name)
    • object_owner_name (owner name)
    • object_size_logical (size)
    • file_type (extension)
    • object_creation_date (creation date in UTC)
    • last_event_date (access date in UTC)
    • fileserver_protocol
    • object_ID (file id)
    • object_last_operation_name (last operation)
    • audit_username (last operation user)
    • file_path (file path)

Entity: Users
  • Pre-canned report templates:
    • Top owners with space consumed
    • Top active users
    • All users
  • Columns:
    • user_login_name (user name)
    • Last operation
    • last_event_date (access date in UTC)
    • last_operation_audit_path

Creating a Custom Report

Create a custom report by defining the entity, attribute, filters, and columns.

About this task

Follow the steps as indicated.

Procedure

  1. Go to dropdown menu > Reports.
  2. Click Create a new report.
  3. In the Report Builder tab, do the following:
    1. In the Define Report Type section, select an entity from the drop-down menu.
    2. In the Define Filters section, select an attribute from the attributes dropdown.
    3. Under Value, specify the values for the attribute (some attributes also require you to specify an operator in the Operator field).
    4. (optional) Click + Add filter to add more attributes.
    5. In the Add/Remove column in this report section, click x for the columns you want to remove.
    6. In the Define maximum number of rows in this report section, type in, or use the - and + buttons, to specify the number of rows in your report. This value indicates the number of records in the report.
  4. Click Run Preview.
    The Report Preview section populates.
  5. Click Generate report.
    1. Select either the CSV or JSON option.

Create a Pre-Canned Report

Use one of the pre-canned File Analytics templates for your report.

Procedure

  1. Go to dropdown menu > Reports.
  2. Click Create a new report.
  3. In the Pre-Canned Reports Templates tab, do the following:
    1. In the Define Report Type section, select an entity from the drop-down menu.
    2. In the Define Filters section, select an attribute from the attributes dropdown.
    3. In the Add/Remove column in this report section, click x for the columns you want to remove.
    4. In the Define maximum number of rows in this report section, type in, or use the - and + buttons, to specify the number of rows in your report. This value indicates the number of records in the report.
  4. Click Run Preview.
    The Report Preview section populates.
  5. Click Generate report.
    1. Select either the CSV or JSON option.

File Analytics Options

You can get more insight into the usage and contents of files on your system by configuring and updating File Analytics features and settings. Some options include scanning the files on your file server on demand, updating data retention, and configuring data protection.

Updating Data Retention

The data retention period determines how long File Analytics retains event data.

About this task

Follow the steps as indicated to configure data retention.

Procedure

  1. In File Analytics, click gear icon > Update Data Retention.
  2. In the Data Retention Period drop-down, select the period for data retention.
  3. Click Update.

Scanning the File System

Once enabled, File Analytics scans the metadata of all files and shares on the system. You can perform an on-demand scan of shares in your file system.

About this task

To scan shares, perform the following task.

Procedure

  1. In File Analytics, click the gear icon.
  2. In the drop-down list, click Scan File System.
  3. In the list of shares, select the target shares for the scan.
    Figure. Select Scan Targets

  4. Click Scan.
    The status of the share is In Progress. Once the scan is complete, the status changes to Completed.

Deny List

Deny users, file extensions, and client IP addresses.

About this task

Use the Deny feature to block audit events for operations on specified file extensions, or for operations performed by specified users and clients.
Note: Files with no extension cannot be denied.

Procedure

  1. Click the gear icon > Define Rules for Deny List.
  2. Click the pencil icon in the Client IPs, File Extensions, or Users row.
  3. Add a comma-separated list of entities that you want blocked.
  4. Click the done icon in the updated row, and then click Close.

Managing File Categories

File Analytics uses the file category configuration to classify file extensions.

About this task

The capacity widget in the dashboard uses the category configuration to calculate capacity details.

Procedure

  1. Click gear icon > Manage File Category.
  2. To create a category, click + New Category. (Otherwise, move on to step 3.)
    1. In the Category column, name the category.
    2. In the Extensions column, specify file extensions for the category.
  3. To delete an existing category, click the x icon next to the category. (Otherwise, move on to step 4.)
  4. To modify an existing category, click the pencil icon next to the category and modify the specified file extensions.
  5. Click Save.

Data Protection

Configure File Analytics disaster recovery (DR) using Prism Element.

File Analytics only supports async disaster recovery. File Analytics does not support NearSync and metro availability.

Create an async protection domain, configure a protection domain schedule, and configure remote site mapping. The remote site must be configured symmetrically with the primary site. The remote site must also deploy File Analytics to restore a File Analytics VM (FAVM).

The Data Protection section in the Prism Web Console Guide provides more detail on the disaster recovery process.

Configuring Disaster Recovery

To set up disaster recovery for File Analytics, create an async protection domain, configure a protection domain schedule, and configure remote site mapping.

About this task

By default, the File Analytics volume group resides on the same container that hosts vDisks for Nutanix Files.

Procedure

  1. If you have not done so already, configure a remote site for the local cluster.
    See the Configuring a Remote Site (Physical Cluster) topic in the Prism Web Console Guide for this procedure.
  2. Create an async DR protection domain with the File Analytics volume group as the entity. The volume group name is File_Analytics_VG.
    See Configuring a Protection Domain (Async DR) in the Prism Web Console Guide.
  3. In the Schedule tab, click the New Schedule button to add a schedule.
    Add a schedule, as File Analytics does not provide a default schedule. See Creating a Protection Domain Schedule (Files) in the Nutanix Files Guide.
  4. Configure local and remote container mapping.
    See the Configuring Disaster Recovery (Files) section in the Nutanix Files Guide for steps to configure mapping between local and remote containers.
  5. Create a protection domain schedule.
    See Creating a Protection Domain Schedule (Files) in the Nutanix Files Guide.

Activating Disaster Recovery

Recover a File Analytics VM (FAVM) after a planned or unplanned migration to the remote site.

About this task

Perform the following tasks on the remote site.

Procedure

  1. Fail over to the protection domain for disaster recovery activation.
    See the Failing Over a Protection Domain topic in the Prism Web Console Guide.
  2. Fail back the protection domain to the primary site.
    See the Failing Back a Protection Domain topic in the Prism Web Console Guide.

Deploying File Analytics on a Remote Site (AHV)

Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.

About this task

To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.

Before you begin

Ensure that the Nutanix Files and AOS versions match the versions on the remote and primary sites.

About this task

Run the following commands from the command prompt inside the FAVM.

Procedure

  1. Deploy a new File Analytics instance on the remote site, see Deploying File Analytics.
    Caution: Do not enable File Analytics.
    The remote site requires an iSCSI data service IP address to configure the FAVM. This procedure deploys a new volume group, File_Analytics_VG, which a subsequent step deletes.
  2. On the remote site, create a volume group by restoring the snapshot of File_Analytics_VG.
    See Restoring an Entity from a Protection Domain in Data Protection and Recovery with Prism Element. For the How to Restore step, use the Create new entities option, and specify a name in the Volume Group Name Prefix field. The restored volume group name has the format prefix-File_Analytics_VG.
  3. To configure the FAVM on the remote site, follow these steps:
    Caution: If the IP address of the File Analytics VM has changed on the remote site, contact Nutanix Support before proceeding.
    1. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    2. To discover all storage devices accessed by the FAVM, run the following command.
      nutanix@favm$ sudo blkid
    3. Copy the cvm.config file to the temporary files directory.
      nutanix@favm$ cp /mnt/containers/config/common_config/cvm.config /tmp
    4. Stop the File Analytics services.
      nutanix@favm$ sudo systemctl stop monitoring
      nutanix@favm$ docker stop $(docker ps -q)
      nutanix@favm$ sudo systemctl stop docker
    5. Unmount the volume group.
      nutanix@favm$ sudo umount /mnt
    6. Detach the volume group File_Analytics_VG from the FAVM.
      See the "Managing a VM (AHV)" topic in the Prism Web Console Guide.
    7. Attach the cloned volume group prefix-File_Analytics_VG to the FAVM.
      See "Managing a VM (AHV)" in the Prism Web Console Guide.
    8. Restart the FAVM to discover the attached volume group.
      nutanix@favm$ sudo reboot

    9. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    10. Discover all storage devices accessed by the FAVM.
      nutanix@favm$ sudo blkid
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      The FAVM discovers the attached volume group and assigns it to the /dev/sdb device.
    11. Delete the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    12. Rename the restored volume group prefix-File_Analytics_VG to File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    13. Create a backup of the cvm.config file.
      nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
      /mnt/containers/config/common_config/cvm_bck.config
    14. Copy the cvm.config file from the /tmp directory to /common_config/ on the FAVM.
      nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
    15. Reconfigure the password of the user on Prism for internal FAVM operations. Specify a passphrase in place of new password. File Analytics uses the password only for internal communication between Prism and the FAVM. Issue the command twice, once with each set of options shown.
      nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
       --password='new password' --local_update
      nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
      --password='new password' --prism_user=admin --prism_password='Prism admin password'
    16. In File Analytics, go to gear icon > Scan File System to check whether a file system scan can be initiated.
      Note: If you receive errors, disable and re-enable File Analytics; see "Disabling File Analytics" and "Enabling File Analytics."

Deploying File Analytics on a Remote Site (ESXi)

Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.

About this task

To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.

Before you begin

Ensure that the Nutanix Files and AOS versions match the versions on the remote and primary sites.

About this task

Run the following commands from the command prompt inside the FAVM.

Procedure

  1. Deploy a new File Analytics instance on the remote site, see Deploying File Analytics.
    Caution: Do not enable File Analytics.
    The remote site requires an iSCSI data service IP address to configure the FAVM on the remote site. This procedure deploys a new volume group File_Analytics_VG and deletes in a subsequent step.
  2. On the remote site, create a volume group by restoring the snapshot of the File_Analytics_VG .
    See Restoring an Entity from a Protection Domain in Data Protection and Recovery with Prism Element . For the How to Restore step, use the Create new entities option, and specify a name in the Volume Group Name Prefix field. The restored volume group name format is prefix -File_Analytics_VG.
  3. In the Storage Table view, go to the Volumes tab.
    1. Copy the target IQN prefix from the Volume Group Details column.
      Tip: Click the tooltip to see the entire IQN prefix.
  4. To configure the FAVM on the remote, follow these steps:
    Caution: If the IP address of the File Analytics VM has changed on the remote site, contact Nutanix Support before proceeding.
    1. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    2. To discover all storage devices accessed by the FAVM, run the following commands.
      nutanix@favm$  sudo blkid 
    3. Copy the cvm.config file to the temporary files directory.
      nutanix@favm$ cd /mnt/containers/config/common_config/ /tmp
    4. Stop the File Analytics services.
      nutanix@favm$  sudo systemctl stop monitoring
      nutanix@favm$  docker stop $(docker ps -q)
      nutanix@favm$  sudo systemctl stop docker
    5. Unmount and log off from all iSCSI targets.
      nutnix@avm$ sudo umount /mnt
      nutnix@avm$ sudo /sbin/iscsiadm -m node -u
      
    6. Remove the disconnected target records from the discoverydb mode of the FAVM.
      nutanix@favm$  sudo /sbin/iscsiadm -m node –o delete
    7. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      The output does not show the /dev/sdb device.
    8. Get the File Analytics Linux client iSCSI initiator name.
      nutanix@favm$  sudo cat /etc/iscsi/initiatorname.iscsi
      The output displays the initiator name.
      InitiatorName=iqn.1991-05.com.redhat:8ef967b5b8f
    9. Copy the iSCSI initiator name.
    10. Remove the iSCSI initiator name from the client whitelist of the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    11. Whitelist the AVM client on the cloned volume group prefix -File_Analytics_VG using the iSCSI initiator name of the AVM client.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide .
    12. Let the Analytics initiator discover the cluster and its volume groups.
      nutanix@favm$  sudo /sbin/iscsiadm --mode discovery --type sendtargets --portal  data_services_IP_address:3260
      Clicking the Nutanix cluster name in Prism displays cluster details including the data service IP address. The output displays the restored iSCSI target from step 2.
    13. Connect to the volume target by specifying IQN prefix.
      nutanix@favm$  sudo /sbin/iscsiadm --mode node --targetname iqn_name --portal data_services_IP_address:3260,1 --login
    14. Restart the FAVM to restart the iSCSI host adapters, which allows the discovery of the attached volume group.
      nutanix@favm$  sudo reboot
    15. Log on to the FAVM with SSH.
      Tip: See KB 1661 for default credential details.
    16. Discover all storage devices accessed by the FAVM.
      nutanix@favm$  sudo blkid
      The FAVM discovers the attached iSCSI volume group and assigns to the /dev/sdb device.
      /dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" 
      /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
      /dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"
    17. Delete the deployed volume group File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    18. Rename the restored volume group prefix -File_Analytics_VG to File_Analytics_VG.
      See the "Modifying a Volume Group" topic in the Prism Web Console Guide.
    19. Create a backup of the cvm.config file.
      nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
      /mnt/containers/config/common_config/cvm_bck.config
    20. Copy the cvm.config file from the /tmp directory to /common_config/ on the FAVM.
      nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
    21. Reconfigure the password of the user on Prism for internal FAVM operations. Specify a passphrase for new password. File Analytics uses the password only for internal communication between Prism and the FAVM. You must issue the same command twice: once with --local_update, and once with the Prism admin credentials.
      nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
       --password='new password' --local_update
      nutanix@favm$  sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
      --password='new password' --prism_user=admin --prism_password='Prism admin password'
    22. In File Analytics, go to gear icon > Scan File System to check if a file system scan can be initiated.
      Note: If you receive errors, disable and re-enable File Analytics, see "Disabling File Analytics" and "Enabling File Analytics."
Flow Microsegmentation Guide

Flow Microsegmentation 5.20

Product Release Date: 2021-05-17

Last updated: 2022-12-13

Security Policies

Traditional data centers use firewalls to implement security checks at the perimeter—the points at which traffic enters and leaves the data center network. Such perimeter firewalls are effective at protecting the network from external threats. However, they offer no protection against threats that originate from within the data center and spread laterally, from one compromised machine to another.

The problem is compounded by virtualized workloads changing their network configurations and hosts as they start, stop, and migrate frequently. For example, IP addresses and MAC addresses can change as applications are shut down on one host and started on another. Manual enforcement of security policies through traditional firewalls, which rely on network configurations to inspect traffic, cannot keep up with these frequent changes and are error-prone.

Network-centric security policies also require the involvement of network security teams that have intimate knowledge of network configuration in terms of VLANs, subnets, and other network entities.

Nutanix Flow includes a policy-driven security framework that inspects traffic within the data center. The framework works as follows:

  • Security policies inspect traffic that originates and terminates within a data center and help eliminate the need for additional firewalls within the data center.
  • The framework uses a workload-centric approach instead of a network-centric approach. Therefore, it can scrutinize traffic to and from VMs no matter how their network configurations change and where they reside in the data center. The workload-centric, network-agnostic approach also enables the virtualization team to implement these security policies without having to rely on network security teams.
  • Security policies are applied to categories (a logical grouping of VMs) and not to the VMs themselves. Therefore, it does not matter how many VMs are started up in a given category. Traffic associated with the VMs in a category is secured without administrative intervention, at any scale.
  • Prism Central offers a visualization-based approach to configuring policies and monitoring the traffic to which a given policy applies.
  • Using Prism Central, you can configure syslog monitoring by forwarding Flow logs to an external syslog server. See Configuring Syslog Monitoring in the Prism Central Guide for details.
Note: Nutanix Flow supports only the AHV hypervisor; security policies cannot be applied to VMs running on other hypervisors.

Types of Policies

The types of policies in Prism Central and their use cases are described here.

Table 1. Types of Policies

Application Security Policy
  Use an application security policy when you want to secure an application by specifying allowed traffic sources and destinations. This method of securing an application is typically called application ring fencing.

  For example, use an application security policy when you want to allow only those VMs in the categories department: engineering and department: customersupport (the allowed sources) to communicate with an issue tracking tool in the category AppType: IssueTracker (the secured application), and you want the issue tracking tool to be able to send traffic only to an integrated customer relationship management application in the category AppType: CRM.

  The secured application itself can be divided into tiers by the use of categories (the built-in AppTier category). For example, you can divide the issue tracking tool into web, application, and database tiers and configure tier-to-tier rules.

  For more information, see Application Security Policy Configuration.

Isolation Environment Policy
  Use an isolation environment policy when you want to block all traffic, regardless of direction, between two groups of VMs identified by their category. VMs within a group can communicate with each other.

  For example, use an isolation environment policy when you want to block all traffic between VMs in the category Environment: sandbox and VMs in the category Environment: production, and you want to allow all the VMs within each of those categories to communicate with each other.

  For more information, see Isolation Environment Policy Configuration.

Quarantine Policy
  Use a quarantine policy when you want to isolate a compromised or infected VM and optionally want to subject it to forensics.

  For more information, see Quarantine Policy Configuration.

VDI Policy
  Use a VDI policy when you want to secure your VDI environment.

  For more information, see VDI Policy Configuration.

Security Policy Model

Application-centricity

The security policy model uses an application-centric policy language instead of the more complex, traditional network-centric policy language. Configuring an application security policy involves specifying which VMs belong to the application you want to protect and then identifying the entities or networks, in the inbound and outbound directions, with which you want to allow communication.

All the entities in an application security policy are identified by the categories to which they belong and not by their IP address, VLAN, or other network attributes. After a VM is associated with a category and the category is specified in a security policy, traffic associated with the VM is monitored even if it migrates to another network or changes its IP address.

The default options for allowing traffic in the inbound and outbound directions are also inherently application centric. For application security policies, the default option for inbound traffic is Allowed List, which is also the recommended option for inbound traffic; you can change it to Allow All traffic. The default option in the outbound direction allows the application to send traffic to all destinations, but you can configure a destination Allowed List if desired.

For forensic quarantine policies, the default option in both directions is Allowed List, but you can Allow All traffic in both directions. For strict quarantine policies, no traffic is allowed in either direction.

All the VMs within a category can communicate with each other. For example, in a tiered application, regardless of how you configure tier-to-tier rules, the VMs within a given tier can communicate with each other.

Whitelist-Based Policy Expression

An application security policy is expressed in terms of the categories and subnets with which you want the application to communicate and therefore, by extension, the traffic you want to allow. A more granular policy expression can be achieved by specifying which protocols and ports can be used for communication.

Any category or subnet that is not in the allowed list is blocked. You cannot specify the categories and subnets you want to block, because the number of such entities is typically much larger, and grows much faster, than the number of categories and subnets with which an application should be allowed to communicate. Expressing a policy in terms of allowed traffic results in a smaller, tighter policy configuration that can be modified, monitored, and controlled more easily.

Enforcement Modes

All policies, whether associated with securing an application, isolating environments, or quarantining VMs, can be run in the following modes:

Monitor Mode
Allows all traffic, including traffic that is not allowed by the policy. This mode enables you to visualize both allowed and disallowed traffic and fine-tune the policy before applying it.
Enforce Mode
Blocks all traffic that is not allowed by the policy.

You can switch a policy between these two modes as many times as you want.

Automated Enforcement

A policy uses categories to identify the VMs to which it must apply. This model allows the automatic enforcement of a policy to VMs regardless of their number and network attributes. Connectivity between Prism Central and a registered AHV cluster is required only when creating and modifying policies, or when changing the mode of operation (applied or monitoring) of a policy. Policies are applied to the VMs in a cluster even if the cluster temporarily loses network connectivity with the Prism Central instance with which it is registered. New policies and changes are applied to the cluster when connectivity is restored.

Priorities Between Policies

Prism Central does not provide a way for you to specify priorities between policies of a single type. For example, you cannot prioritize one security policy over another. There is no limit to the number of inbound and outbound rules that you can add to a security policy, allowing you to define all of an application's security requirements in a single policy. This makes priorities between policies unnecessary.

However, priorities exist between the different policy types. Quarantine policies have the highest priority, followed by isolation environment policies and then application security policies. VDI policies have the lowest precedence; for example, if an application security policy is protecting a VM, that VM cannot simultaneously be protected by a VDI policy.

Isolation environment rules take precedence over application security rules, so make sure that isolation environment policies and application security policies are not in conflict. An isolation environment rule and an application security rule are said to be in conflict if they apply to the same traffic (a scenario that is encountered when VMs in one of the categories in the isolation environment send traffic to an application in the other category, and some or all of that traffic is either allowed or disallowed by the application security policy). The effect that an isolation environment policy has on a conflicting application security policy depends on the mode in which the isolation environment policy is deployed, and is as follows:

  • If the isolation environment policy is in the applied mode, it blocks all traffic to the application, including the traffic that is allowed by the application security policy.
  • If the isolation environment policy is in the monitoring mode, it allows all traffic to the application, including any traffic that is disallowed by the application security policy.
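The allowlist semantics from Whitelist-Based Policy Expression, the two enforcement modes, and the precedence order described above, written out as an added Python model. This is not Nutanix code and does not describe how Flow is implemented on the AHV hosts; the VM names, category values (IssueTracker, CRM, sandbox, production, a constructed AppType:ForensicTools category) and the policy set are constructed to mirror the guide's own examples.

```python
# Constructed model (not Nutanix code) of how Flow resolves one flow against several
# policies: allowlist semantics, monitor vs. enforce mode, and precedence by policy type.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventory: VM name -> set of "Category:value" labels.
VM_CATEGORIES: Dict[str, Set[str]] = {
    "tracker01":  {"AppType:IssueTracker", "Environment:production"},
    "crm01":      {"AppType:CRM", "Environment:production"},
    "eng01":      {"department:engineering", "Environment:production"},
    "sbx01":      {"department:engineering", "Environment:sandbox"},
    "bad01":      {"department:engineering", "Quarantine:Strict"},
    "evidence01": {"department:engineering", "Quarantine:Forensic"},
    "fx01":       {"AppType:ForensicTools"},   # constructed forensic-tools category
}

# Quarantine > Isolation Environment > Application Security > VDI, as the guide states.
PRECEDENCE = {"quarantine": 0, "isolation": 1, "application": 2, "vdi": 3}

# Allowlist entry: (category label, protocol or "ANY", port or 0 for any port).
Rule = Tuple[str, str, int]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # TCP, UDP or ICMP (the only protocols Flow handles)
    port: int = 0   # 0 for ICMP

def labelled(vm: str, label: str) -> bool:
    return label in VM_CATEGORIES[vm]

def rule_matches(rules: Optional[List[Rule]], peer: str, f: Flow) -> bool:
    """None stands for 'Allow All'; otherwise the peer must hit at least one entry."""
    if rules is None:
        return True
    return any(labelled(peer, cat) and proto in ("ANY", f.proto) and port in (0, f.port)
               for cat, proto, port in rules)

@dataclass
class Policy:
    kind: str                              # quarantine | isolation | application | vdi
    mode: str = "enforce"                  # enforce | monitor
    app: str = ""                          # application: AppType label of the secured app
    inbound: Optional[List[Rule]] = None   # application: source allowlist (None = Allow All)
    outbound: Optional[List[Rule]] = None  # application: destination allowlist
    envs: Tuple[str, str] = ("", "")       # isolation: the two Environment labels kept apart
    forensic_cats: Tuple[str, ...] = ()    # quarantine: categories that hold forensic tools

    def decide(self, f: Flow) -> Optional[str]:
        """'allow', 'block', or None when this policy does not cover the flow at all."""
        if self.kind == "quarantine":
            for me, peer in ((f.src, f.dst), (f.dst, f.src)):
                if labelled(me, "Quarantine:Strict"):
                    return "block"
                if labelled(me, "Quarantine:Forensic"):
                    ok = any(labelled(peer, c) for c in self.forensic_cats)
                    return "allow" if ok else "block"
            return None
        if self.kind == "isolation":
            a, b = self.envs
            s, d = VM_CATEGORIES[f.src], VM_CATEGORIES[f.dst]
            # Only cross-group traffic is covered; VMs within one group keep talking.
            return "block" if (a in s and b in d) or (b in s and a in d) else None
        if self.kind == "application":
            src_in, dst_in = labelled(f.src, self.app), labelled(f.dst, self.app)
            if src_in and dst_in:
                return "allow"   # VMs within one category always communicate
            if dst_in:
                return "allow" if rule_matches(self.inbound, f.src, f) else "block"
            if src_in:
                return "allow" if rule_matches(self.outbound, f.dst, f) else "block"
        return None   # vdi is modelled only for its place in the precedence order

def evaluate(policies: List[Policy], f: Flow) -> Tuple[str, str]:
    """The highest-precedence policy that covers the flow decides; a covering policy in
    monitor mode lets the traffic through but reports the verdict it would enforce."""
    for p in sorted(policies, key=lambda p: PRECEDENCE[p.kind]):
        verdict = p.decide(f)
        if verdict is None:
            continue
        if p.mode == "monitor":
            return "allow", f"{p.kind}:monitor-would-{verdict}"
        return verdict, f"{p.kind}:enforce"
    return "allow", "no-policy"

# Constructed policy set mirroring the guide's IssueTracker / CRM / sandbox examples.
POLICIES = [
    Policy("quarantine", forensic_cats=("AppType:ForensicTools",)),
    Policy("isolation", envs=("Environment:sandbox", "Environment:production")),
    Policy("application", app="AppType:IssueTracker",
           inbound=[("department:engineering", "TCP", 443)],
           outbound=[("AppType:CRM", "TCP", 8443)]),
]
# Same application policy, but the isolation policy only monitors: the monitored
# isolation policy still wins on precedence, so even traffic the application policy
# would block is let through, which is the conflict the guide warns about.
MONITORED = [Policy("isolation", mode="monitor",
                    envs=("Environment:sandbox", "Environment:production")), POLICIES[2]]
```

Evaluating sbx01 to tracker01 on port 22 against MONITORED returns allow with the reason isolation:monitor-would-block, while the same flow against POLICIES is blocked by the isolation policy and, had the isolation policy not existed, would have been blocked by the application allowlist; that is the conflict case to check for before switching an isolation policy between modes.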

Requirements

The Security Policies feature has the following requirements:

  • The feature is supported only on AHV clusters running AOS 5.6 or later and AHV version 20170830.115 or later.
  • The Prism Central instance must be hosted on one of the AHV clusters registered with it. The AHV cluster that hosts the Prism Central instance must be running AOS 5.6 or later.
  • The host must have at least 1 GB of additional memory for each Prism Central VM hosted on it.
  • If you are running a Prism Central scale-out instance, all the VMs in the Prism Central cluster must be powered on.
  • The AHV hosts must be allowed to communicate with the Prism Central VMs over TCP port 9446. Keeping the port open enables the hosts to send the Prism Central VMs connection tracking data. Prism Central uses that data to show network flows.
  • Flow supports only TCP, UDP, or ICMP traffic.
Caution:
  • When Flow is enabled, a Kafka container is automatically created on the cluster where Prism Central is hosted. The container is used to store data that is required for flow visualization to work and must not be deleted.
  • Cross cluster live migration of guest VMs that are part of Flow security policy is not supported.
  • Security Policies are not supported for VMs that are on the advanced networking stack. An alert is raised for VMs that are part of both VPC and Flow policy, and Flow policies are not enforced for VMs on VPCs.
  • Overlapping or conflicting policy configuration is not supported and might cause unintended interruption of network services.

Enabling Microsegmentation

Microsegmentation is disabled by default. Before you can configure and use application security policies, isolation environment policies, and quarantine policies, you must enable the feature. The feature requires a Flow license. If you have not installed a Flow license, you can try the feature for a period of 60 days. After this period expires, you will be required to install the license to continue using the feature.

About this task

To enable microsegmentation, do the following:

Procedure

  1. Log on to the Prism Central web console.
  2. Click the collapse menu ("hamburger") button on the left of the main menu and then select Prism Central Settings to display the Settings page.
  3. Click Microsegmentation from the Settings menu (on the left).
    The Enable Microsegmentation dialog box is displayed.
  4. To determine whether the registered clusters are capable of supporting microsegmentation, do the following:
    1. Click View Cluster Capability, and then review the results of the capability checks that Prism Central performed on the registered clusters.
    2. Click Back.
  5. Select the Enable Microsegmentation check box.
  6. Click OK.

Disabling Microsegmentation

Prism Central web console provides you the ability to disable the microsegmentation feature.

About this task

To disable microsegmentation, do the following:

Procedure

  1. Log on to the Prism Central web console.
  2. Click the gear icon in the main menu and then select Microsegmentation in the Settings page.
    Figure. Settings Page - Disabling Microsegmentation
  3. Click Disable Microsegmentation.
    A confirmation message appears.
    Figure. Microsegmentation - Confirmation message
  4. Click Disable to confirm disabling the microsegmentation feature.

Built-In Categories for Security Policies

Prism Central includes built-in categories that you can use in application security policies and isolation policies. It also includes a built-in category for quarantining VMs.

Table 1. Built-In Categories

AppTier
  Add values for the tiers in your application (such as web, application_logic, and database) to this category and use the values to divide the application into tiers when configuring a security policy.

AppType
  Associate the VMs in your application with the appropriate built-in application type such as Exchange and Apache_Spark. You can also update the category to add values for applications not listed in this category.

Environment
  Add values for environments that you want to isolate from each other and then associate VMs with the values.

Quarantine
  Add a VM to this category when you want to quarantine the VM. You cannot modify this category. The category has the following values:
  Strict
    Use this value when you want to block all inbound and outbound traffic.
  Forensic
    Use this value when you want to block all inbound and outbound traffic except the traffic to and from categories that contain forensic tools.

ADGroup
  This category is managed by ID Based Security (ID Firewall). Each ADGroup value represents a group imported from Active Directory. To add or remove values for use in Flow policies, use the ID Based Security configuration page (Prism Central Settings > Flow > ID Based Security). The category values can be used in VDI policies; see VDI Policy Configuration for details.

ADGroup:Default
  This category is applied to the VDI VMs of the AD group when the VM inclusion criteria are set, and allows you to apply a default set of rules to the VDI VMs (without requiring user logons).

Service

A service is a named group of protocol-port combinations. You can use any of the default services or create a custom service. Using service entities in the policy creation workflow reduces manual configuration errors and allows the same entity to be reused across policies.

  • To create or update a custom service, see Creating a Service.
  • To view the list of available services (built-in and custom services), go to Policies > Security > Services.

Creating a Service

About this task

To create a custom service, do the following.

Procedure

  1. Log on to the Prism Central web console.
  2. Click the collapse menu ("hamburger") button on the left of the main menu and go to Policies > Security > Services.
  3. Click Create Service.
    Figure. Create Service Tab

  4. Enter a name and description for the service.
  5. Select the Protocol from the drop-down menu and enter the port number or port range in the Port field.
    You can add multiple protocol-port combinations in a single service. To add another protocol-port combination, click Add Row and specify the required values.
  6. Click Save to save the service.

Address

An address is a named group of one or more IP addresses or IP ranges. You can create an address entity and use it when creating policies. Using address entities in the policy creation workflow reduces manual configuration errors and allows the same entity to be reused across policies.

  • To create or update an address, see Creating an Address.
  • To view the list of available addresses, go to Policies > Security > Address.

Creating an Address

About this task

To create an Address, do the following.

Procedure

  1. Log on to the Prism Central web console.
  2. Click the collapse menu ("hamburger") button on the left of the main menu and go to Policies > Security > Addresses.
  3. Click Create Address.
    Figure. Create Address Tab

  4. Enter a name and description for the address.
  5. Enter the IP address or an IP range in the Subnet field.
    You can add multiple subnets in a single address entity. To add more subnets, click Add Row and specify the required values.
  6. Click Save to save the address.
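The Service and Address entities described in the two preceding sections, modelled in Python as an added example. This is not Nutanix code: the validation it applies to port specs and subnets (reversed or out-of-bounds ranges, host bits set in a prefix, unsupported protocols) is an assumption about what a well-formed entity looks like, not a description of the checks the Prism Central UI performs, and the entity names, rows and subnets are constructed.

```python
# Constructed model (not Nutanix code) of service and address entities: reusable
# protocol/port groups and IP/CIDR groups that policy rules refer to by name.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FLOW_PROTOCOLS = ("TCP", "UDP", "ICMP")   # the only protocols Flow supports

def parse_port_spec(spec: str) -> Tuple[int, int]:
    """Turn "443" or "8000-8100" into an inclusive (low, high) pair.

    Rejects empty, non-numeric, reversed and out-of-bounds specs with ValueError:
    the kind of typo a service entity lets you catch once instead of in every rule.
    """
    parts = spec.strip().split("-")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad port spec {spec!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range {spec!r} is reversed or out of bounds")
    return low, high

def spec_is_valid(spec: str) -> bool:
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False

@dataclass
class Service:
    """A named group of protocol/port rows, as entered on the Create Service page."""
    name: str
    rows: List[Tuple[str, str]]                     # (protocol, port spec); spec unused for ICMP
    parsed: List[Tuple[str, Optional[Tuple[int, int]]]] = field(init=False)

    def __post_init__(self) -> None:
        self.parsed = []
        for proto, spec in self.rows:
            proto = proto.upper()
            if proto not in FLOW_PROTOCOLS:
                raise ValueError(f"{self.name}: unsupported protocol {proto!r}")
            self.parsed.append((proto, None if proto == "ICMP" else parse_port_spec(spec)))

    def allows(self, proto: str, port: int = 0) -> bool:
        """True if any row covers this protocol/port (ICMP rows carry no port)."""
        for p, rng in self.parsed:
            if p == proto.upper() and (rng is None or rng[0] <= port <= rng[1]):
                return True
        return False

@dataclass
class Address:
    """A named group of single IPs or CIDR prefixes, as entered on the Create Address page."""
    name: str
    subnets: List[str]
    networks: list = field(init=False)

    def __post_init__(self) -> None:
        # strict=True: "10.20.30.5/24" (host bits set) raises ValueError instead of being
        # silently widened to 10.20.30.0/24; a bare "192.0.2.7" becomes a /32.
        self.networks = [ipaddress.ip_network(s.strip(), strict=True) for s in self.subnets]

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)   # v4/v6 mismatch is simply False

def subnet_is_valid(subnet: str) -> bool:
    try:
        ipaddress.ip_network(subnet.strip(), strict=True)
        return True
    except ValueError:
        return False

# Constructed entities for the demonstration.
WEB = Service("web-frontend", [("TCP", "80"), ("tcp", "443"), ("TCP", "8000-8100")])
PING = Service("icmp-only", [("ICMP", "")])
OPS = Address("ops-jumphosts", ["10.20.30.0/24", "192.0.2.7"])
```

A rule that references WEB and OPS then reduces to `OPS.contains(src_ip) and WEB.allows(proto, port)`; because the definition lives in one place, widening the jump-host range or adding a port changes every policy that references the entity at once, which is the reuse the guide describes.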

Application Security Policy Configuration

Creating an Application Security Policy

Before you begin

  • Create the categories you need and associate the VMs that you want to protect with those categories. You might be required to create categories for the following purposes. Some categories or category values are required while others are optional:
    • Every security policy must be associated with a value in the AppType category, so make sure that you update the AppType category with appropriate values if the built-in values do not work for you. For information about this category and its values, see Category Management in the Prism Central Guide.
    • If you need to apply the policy to an application in a specific environment (for example, development, test, or production) or an application at a specific location, create the category you need and apply it to the application. Prism Central includes a built-in Environment category that you can use or update with values of your own. You can also create your own categories.
    • If you want to specify categories for traffic sources and destinations instead of allowing all inbound and outbound traffic, create those categories and apply them to the traffic sources and destinations.
    • If you want to divide the application into tiers in a security policy, add tiers to the AppTier category. The AppTier category has a built-in default value, but you can update the category to add values of your choice.

    For information about categories and their values, see Category Management in the Prism Central Guide.

  • Security policy configuration might require more time than the default session timeout allows. You might want to increase the session timeout so that you do not lose a configuration that is left unattended while you perform associated tasks such as referring to this documentation. For more information, see Modifying UI Settings in the Prism Web Console Guide.

About this task

To secure an application, do the following:

Procedure

  1. In the Security Policies dashboard, click Create Security Policy, and then click Secure an Application.
    The Create App Security Policy page is displayed.
  2. On the Define Policy tab, do the following in the indicated fields, and then click Next:
    Figure. Define Policy Tab. The Create App Security Policy page comprises tabs for defining a policy, securing an application, and then reviewing the policy. This image shows the Define Policy tab, with fields for entering a name and purpose and a drop-down list from which you can select the application that you want to secure. The Define Policy tab also has an Advanced Configuration section for allowing or blocking IPv6 traffic and for enabling policy hit logs.
    1. Name: Enter a name for the security policy.
    2. Purpose: Describe the purpose of the security policy.
    3. Secure This App: Select the type of application that you want to secure.
      The Secure This App list displays available values in the AppType category. It uses the format AppType: value, where value represents a type of application. Every application that you want Prism Central to secure must be associated with a value from the built-in AppType category. The AppType category includes values for frequently encountered applications, such as Exchange and Hadoop. The AppType category also includes a built-in default value that you can use if your application cannot be associated with one of the other built-in values. You can also update the AppType category to add a value of your choice. For information about categories and their values, see Category Management.
    4. If you want to filter the VMs by an additional category, select Filter the app type by category, and then enter the name of the category in the text box that is displayed.
      This option enables you to apply the policy to an additional category. For example, if you are configuring a policy for an application in the category AppType: Exchange, this option enables you to further restrict the policy to specific locations (such as Location: US and Location: EU) or environments (such as Environment: Production, Environment: Development, and Environment: Test).
    5. Optionally, in the Advanced Configuration section, select the Allow radio button to allow IPv6 traffic. The policy rules apply to IPv4 traffic only, and all IPv6 traffic is blocked by default.
      Note: If you choose to block IPv6 traffic, the IPv6 traffic remains blocked even in the monitoring mode.
    6. Optionally, click the toggle button against Policy Hit Logs to log traffic flow hits on the policy rules.
      You can configure syslog monitoring for the Flow policy hit logs. For details, see Configuring Syslog Monitoring in the Prism Central Guide.
      Note: Policy hit logs are not generated if both source and destination are in an inbound or outbound category.
  3. In the Securing an App dialog box, review the schematic that illustrates the flow of traffic through a secured app, and then click OK, Got it!
    The Secure Application tab is displayed. The schematic on this tab can be divided into three areas of configuration: the Inbound side (for adding the traffic source allowlist), the application at the center (for configuring inbound, outbound, and tier-to-tier rules), and the Outbound side (for adding the traffic destination allowlist).
    Figure. Secure Application Tab
  4. On the Secure Application tab, do the following, and then click Next:
    1. On the application at the center of the tab, do the following in the indicated fields:
      • If you want to divide the application into tiers (such as a web tier, an application tier, and a database tier) and configure tier-to-tier rules, first configure the application as described in this step, and then configure inbound and outbound rules. This approach ensures that the individual tiers are available when you want to configure inbound and outbound rules at the tier level. Skip this step if you want to treat the application as a single entity in the security policy.

        To divide your application into tiers and create tier-to-tier rules, do the following:

        1. On the application, click Set Rules on App Tiers, Instead.
          Note: After you click Set Rules on App Tiers, Instead, the link text Set rules on the whole app, instead is displayed in its place. Click Set rules on the whole app, instead if you want to discard the tiered configuration and return to configuring rules on the application as a whole.
        2. Click Add Tier, and then select a tier.

          Repeat this step to add as many tiers as you require. The following figure shows an application with a web tier, an application tier, and a database tier:

          Figure. Tiered Application
        3. To delete a tier, pause over the tier you want to delete and click the delete button that is displayed.
        4. Click Set Rules Within App.
          Note: When configuring tier-to-tier rules, two modes are made available to you through the buttons Set Rules to & from App and Set Rules Within App. The Set Rules to & from App option enables you to add application tiers and to specify allowed inbound and outbound traffic. The Set Rules Within App option enables you to specify tier-to-tier rules within the application. These buttons enable you to switch between the two modes.
        5. Click each tier in the application and click Yes or No to specify whether or not you want to allow the VMs in the tier to communicate with each other.
        6. Configure a tier-to-tier rule as follows:
          1. Click the source tier (for example, if the tiers are WebTier and AppTier and you want to configure a tier-to-tier rule from WebTier to AppTier, click the source tier, WebTier).
          2. Click the plus sign that is displayed on the destination tier (in this example, click the destination tier, AppTier). The Create Tier to Tier Rule dialog box is displayed.
          3. Enter a description for the rule.
            Note: The policy rule description is captured in the policy hit log data:
            • Policy hit logs must be enabled.
            • The rule description is added to the hit log only for allowed traffic.
          4. In Service Details, click Allow all traffic to allow all types of traffic or click Select a service to choose any default or custom service.
          5. Click Save.

          Configure tier-to-tier rules for as many source and destination tiers as you want.

    2. To add traffic sources, on the Inbound side of the Secure Application tab, do the following:
      • From the drop-down list, select one of the following options:
        • Allow All: Allows traffic from all sources.
        • Whitelist Only: Allows traffic only if the traffic originates from entities on the security policy's source allowlist. This option is the default option. If this option is selected, you must also configure the source allowlist by clicking Add Source.
      • Click Add Source, and then do the following:
        1. Select one of the following options from the drop-down list:
          • Category: Allows traffic only if that traffic originates from entities that are in the selected category.
          • Subnet/IP: Allows traffic only if that traffic originates from entities that are in the selected subnet.
          • Addresses: Allows traffic only if the traffic originates from the entities that are in the selected address.
        2. Enter the value (category name or subnet) in the text box, and then click Add.

          When entering the name of a category, a list of matching names is displayed, and you can select the name you want to specify. The subnet mask must be specified in the CIDR format.

        3. To add another category or subnet, click Add Source. Add as many categories or subnets as you want to allow.

        Each entry in this list represents a stream of inbound traffic.

    3. To add traffic destinations, on the Outbound side, do the following:
      • From the drop-down list, select one of the following options:
        • Allow All: Allows traffic to all destinations. This option is the default option.
        • Whitelist Only: Allows traffic only if the traffic is destined for entities on the security policy's destination allowlist. If this option is selected, you must also configure the destination allowlist by clicking Add Destination.
      • Click Add Destination, and then do the following:
        1. Select one of the following options from the drop-down list:
          • Category: Allows traffic only if that traffic is destined for entities in the selected category.
          • Subnet/IP: Allows traffic only if that traffic is destined for entities in the selected subnet.
          • Addresses: Allows traffic only if the traffic is destined for entities that are in the selected address.
        2. Enter the value (category name or subnet) in the text box, and then click Add.

          When entering the name of a category, a list of matching names is displayed, and you can select the name you want to specify. The subnet mask must be specified in the CIDR format.

        3. To add another category or subnet, click Add Destination. Add as many categories or subnets as you want to allow.

        Each entry in this list represents a stream of outbound traffic.

      • To specify the protocols that you want to allow for each stream of inbound and outbound traffic, do the following:
        1. If you added application tiers and configured tier-to-tier rules, first click Set Rules to & from App.
        2. Click the traffic source or traffic destination (a category or subnet if you have configured an allowlist, or All Sources if you have chosen to allow all sources) for which you want to create a rule.
        3. Click the plus icon that appears on the application (if you are treating the application as a single entity) or application tier (if you have divided the application into tiers). The Create Inbound Rule or Create Outbound Rule dialog box appears.
        4. Enter a description for the rule.
        5. In Service Details, click Allow all traffic to allow all types of traffic or click Select a service to choose any default or custom service.
        6. Click Save.
    After you configure a rule, a dotted line appears between the two endpoints of the rule. Point to the dotted line to show the list of ports that the rule allows.
  5. On the Review tab, review the security policy configuration, and then do one of the following:
    • If you want to apply the configuration, click Apply Now .

      Applying a security policy enforces the security policy on the application, and traffic from entities that are not defined as sources in the policy is blocked.

    • If you want to save the configuration and monitor how the security policy works, click Save and Monitor .

      When a policy is in the monitoring state, the application continues to receive all traffic, but disallowed traffic is highlighted on the monitoring page. Traffic is not blocked until the policy is enforced.

      Note: A policy that you have chosen to save and monitor can be applied from the policy update page.

Modifying an Application Security Policy

About this task

To modify a security policy, do the following:

Procedure

  1. In the Security Policies dashboard, select the policy that you want to modify, click Actions , and then click Update .
  2. Make the changes you want and then apply or save and monitor the policy.
    The update options are the same as those for creating a policy. For information about the options, see Creating an Application Security Policy.

Applying an Application Security Policy

Applying a security policy enforces the security policy on the application, and any traffic from sources that are not allowed is blocked.

About this task

To apply a security policy, do the following:

Procedure

  1. In the Security Policies dashboard, select the policy that you want to apply, click Actions , and then click Apply .
  2. Confirm by typing Apply in the dialog box, and then click OK .

Monitoring an Application Security Policy (Visualizing Network Flows)

About this task

When a policy is in the monitoring state, the application continues to receive all traffic, but disallowed traffic is highlighted on the monitoring page. Traffic is not blocked until the policy is applied.

To monitor a security policy, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the policy that you want to monitor, click Actions , and then click Monitor .
  2. Confirm by typing Monitor in the dialog box, and then click OK .
    Allowed network flows and disallowed network flows are shown on the monitoring page, as shown in the following figure. Allowed flows are depicted with a blue dotted line and disallowed network flows are depicted with a red dotted line:
    Figure. Monitoring Page for an Application Security Policy

  3. To show a preview of the network flow in a tooltip, pause over the dotted line that depicts the network flow in the diagram.
    A tooltip similar to the following is displayed. The tooltip shows a graph for each connection:
    Figure. Tooltip Showing a Preview of the Network Flow

  4. To see a graph of a network flow, click the dotted line that depicts the network flow in the visualization.
    A more detailed graph of the network flows is displayed, as shown in the following figure:
    Figure. Network Flows Graph

  5. To block unwanted flows, click Update , and then update the policy. For information about updating an application security policy, see Modifying an Application Security Policy.
  6. To apply the policy, click Apply .
    Applying a policy enforces the policy and traffic from sources that are not allowed is blocked.

Deleting an Application Security Policy

About this task

To delete an application security policy, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the policy that you want to delete.
    You can select multiple policies and delete them all at once.
  2. Click Delete in the Actions menu.

Isolation Environment Policy Configuration

An isolation environment identifies two groups of VMs by category, and it blocks communications between the groups.

You can also specify an additional category to restrict the scope of the isolation environment to that category.

For example, consider that you have an application category with values app1 and app2 and that you have associated some VMs with application: app1 and some VMs with application: app2 . Also, consider that these same VMs are distributed between two sites, and have accordingly been associated with values site1 and site2 in a category named location ( location: site1 and location: site2 ).

In this example, you might want to block communications between the VMs in the two locations. Additionally, you might want to restrict the scope of the policy to VMs in category application: app1 . In other words, app1 VMs in site1 cannot communicate with app1 VMs in site2 . The following diagram illustrates the desired outcome. The red connectors illustrate blocked traffic. The green connectors illustrate allowed traffic.

Figure. Applications Across Sites

You can configure an isolation policy for this by creating the following categories and isolation policy in Prism Central:

Table 1. Sample Configurations For Categories and the Isolation Policy
Entity Values
Categories
  • Name : application
  • Values : app1 and app2
  • Name : location
  • Values : site1 and site2
Isolation Policy
  • Name : eng_isolation_policy_across_sites
  • Description : Isolate engineering VMs across sites
  • Isolate This Category : location: site1
  • From This Category : location: site2
  • Apply the isolation only within a subset of the data center : application: app1

Layer 2 Isolation

Flow supports Layer 2 isolation, which filters Layer 2 frames between isolated entities. When an isolation policy is applied between two category-based VM groups, all ingress and egress Layer 2 traffic, including broadcast, unknown-unicast, and multicast traffic, is dropped at the destination VM group.
Note:
  • If a VM is covered by both an isolation policy and the quarantine policy, the quarantine policy is processed first and takes priority. For example, if VMs in category app1 are isolated from VMs in category app2 by an isolation policy, the traffic between the two groups is not dropped if those VMs are also in the quarantine forensic category and the quarantine policy allows communication between them. Because the quarantine policy matches the VMs and allows the traffic, the isolation policy is not enforced for that traffic.
  • IPv6 traffic between isolated VMs is blocked by default with the introduction of layer 2 isolation.

Creating an Isolation Environment Policy

An isolation environment policy identifies two groups of VMs and blocks communications between the groups. The two groups are identified by category. You can specify an additional category to restrict the scope of the policy to that category.

About this task

To create an isolation environment, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), click Create Security Policy , and then click Isolate Environments .
    The Create Isolation Policy page is displayed.
    Figure. Create Isolation Policy

  2. Do the following in the indicated fields:
    • Name : Enter a name for the isolation policy.
    • Purpose : Describe the purpose of the isolation policy.
    • Isolate this category : Type the name of one of the two categories that you want to isolate from each other.

      Matching names appear in a list as you type. You can click the name of the category you want.

    • From this category : Type the name of the other category.
    • Apply the isolation only within a subset of the data center . If you want to restrict the scope of the policy to a specific category of VMs, select this check box, type the name of the category in the text box, and select the category from the list of matches.

      If you isolate VMs in category Environment: Production from VMs in category Environment: Staging , and you restrict the scope of the policy to VMs in the category Environment: Dev , Prism Central applies the isolation policy to the following groups:

      • VMs that are in both Environment: Production and Environment: Dev
      • VMs that are in both Environment: Staging and Environment: Dev .
    • IPv6 Traffic . Optionally, in the Advanced Configuration section, select the Allow radio button to allow IPv6 traffic . The policy rules match IPv4 traffic only; all IPv6 traffic is blocked by default, and selecting Allow lets all IPv6 traffic pass unfiltered by this policy.
    • Policy Hit Logs . Optionally, click the toggle button against Policy Hit Logs to log traffic flow hits on the policy rules. You can configure syslog monitoring for the policy hit logs for Flow. For details, see Configuring Syslog Monitoring in the Prism Central Guide .
      Note: Policy hit logs are not generated if both source and destination are in inbound or outbound category.
  3. Do one of the following:
    • Click Apply Now to apply the isolation environment.
    • Click Save and Monitor to save the configuration and place the isolation environment in the monitoring mode.
    You can switch between the monitoring and applied states by selecting the isolation environment on the Security Policies page and clicking the appropriate option in the Actions menu.

Modifying an Isolation Environment Policy

About this task

To modify an isolation environment, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the isolation policy that you want to modify, click Actions , and then click Update .
  2. Make the changes you want and then apply or save and monitor the policy.
    The update options are the same as those for creating a policy. For information about the options, see Creating an Isolation Environment Policy.

Applying an Isolation Environment Policy

Applying an isolation environment policy enforces the policy on the specified categories, and any traffic between the categories is blocked.

About this task

Note: Changing the state of an isolation environment policy affects the functioning of any conflicting application security policies. For more information, see Priorities Between Policies.

To apply an isolation environment policy, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the policy that you want to apply, click Actions , and then click Apply .
  2. Confirm by typing Apply in the dialog box, and then click OK .

Monitoring an Isolation Environment Policy (Visualizing Network Flows)

About this task

The VMs in the two categories in an isolation environment policy are allowed to communicate with each other when the policy is in the monitoring state. Traffic is blocked only during the time the policy is applied.
Note: Changing the state of an isolation environment policy affects the functioning of any conflicting application security policies. For more information, see Priorities Between Policies.

To monitor a security policy, do the following:

Procedure

  1. In the Security Policies dashboard, select the policy that you want to monitor, click Actions , and then click Monitor .
  2. Confirm by typing Monitor in the dialog box, and then click OK .
    The monitoring page shows the flows between the two categories.
  3. To view information about a particular network flow, pause over the flow.
    A tooltip similar to the following is displayed:
    Figure. Monitoring Page for an Isolation Environment Policy

Deleting an Isolation Environment Policy

About this task

To delete an isolation environment policy, do the following:

Procedure

  1. In the Security Policies dashboard, select the policy that you want to delete.
    You can select multiple policies to delete them all at once.
  2. Click Delete in the Actions menu.

Quarantine Policy Configuration

Prism Central includes a built-in quarantine policy that enables you to perform the following tasks:

  • Completely isolate an infected VM that must not have any traffic associated with it.
  • Isolate an infected VM but specify a set of forensic tools that can communicate with the VM.

For these use cases, Prism Central includes built-in categories that are included in the built-in quarantine policy.

Prism Central also enables you to monitor the quarantine policy before applying it.

The quarantine policy cannot be deleted.

Configuring the Quarantine Policy

In the built-in quarantine policy, you specify categories that can communicate with VMs that have been added to the Quarantine: Forensics category.

About this task

To configure the quarantine policy, do the following:

Procedure

  1. In the Security Policies dashboard, select Quarantine , and then click Update in the Actions menu.
  2. Optionally, in the Advanced Configuration under the Define Policy tab, do the following.
    1. Select the Allow radio button to allow IPv6 traffic . The policy rules apply to IPv4 traffic only, and all IPv6 traffic is blocked by default. You can configure the allow option for both Forensic and Strict modes. Because the rules do not match IPv6, selecting Allow lets all IPv6 traffic reach and leave quarantined VMs unfiltered; keep the default unless you have a specific need.
    2. Optionally, click the toggle button against Policy Hit Logs to log traffic flow hits on the policy rules.
      You can configure syslog monitoring for the policy hit logs for Flow, see Configuring Syslog Monitoring in the Prism Central Guide for details. You can enable the policy hit log option for both Forensic and Strict modes.
      Note: Policy hit logs are not generated if both source and destination are in inbound or outbound category.
  3. On the Add Forensic Tools tab, do the following, and then click Next :
    1. To specify the categories that contain forensic tools, on the Inbound and Outbound sides of the policy diagram, do the following:
      • From the drop-down list, select one of the following options:
        • Allow All : Allows traffic associated with all sources or destinations.
        • Whitelist Only : Allows traffic only if the traffic is associated with the categories and subnets on the allowlist. This option is the default option. If this option is selected, you must also configure the allowlist by clicking Add Source or Add Destination .
      • Click Add Source or Add Destination , and then do the following:
        1. Select one of the following options from the drop-down list:
          • Category : Allows traffic to or from the specified category.
          • Subnet/IP : Allows traffic to or from the specified subnet.
          • Addresses : Allows traffic to or from the specified addresses.
        2. Enter the value (category name or subnet) in the text box, and then click Add .

          When entering the name of a category, a list of matching names is displayed, and you can select the name you want. Specify a subnet in CIDR notation (for example, 10.10.20.0/24).

        3. To add another category or subnet, click Add Source or Add Destination . Add as many categories or subnets as you want to allow.
    2. To specify the protocols and ports over which the forensic tools can communicate with the VMs in the forensic category, do the following:
        1. On the Inbound and Outbound sides of the policy diagram, click a category or subnet (if you have configured an allowlist) or All Sources (if you have chosen to allow all sources) for which you want to create a rule.
        2. Click the plus icon that appears on the Quarantine: Forensic category. The Create Inbound Rule or Create Outbound Rule dialog box appears.
        3. Enter a description for the rule.
          Note: The rule description is captured in the policy hit log data, provided that policy hit logs are enabled. The description is added to the hit log only for allowed traffic.
        4. In Service Details , click Allow all traffic to allow all types of traffic or click Select a service to choose any default or custom service.
        5. Click Save .
    After you configure a rule, a dotted line appears between the two endpoints of the rule. Point to the dotted line to show the list of ports that the rule allows.
  4. On the Review tab, do one of the following:
    • Click Apply Now to apply the quarantine policy.
    • Click Save and Monitor to save the configuration and place the quarantine policy in the monitoring mode.
    You can switch between the monitoring and applied states by selecting Quarantine on the Security Policies page and clicking the appropriate option in the Actions menu.

Quarantining a VM

You quarantine a VM by adding the VM to a quarantine category.

About this task

To add an infected VM to a quarantine category, do the following:

Procedure

  1. In the VMs dashboard List tab (see VMs Summary View in the Prism Central Guide ), select the infected VM, click Actions , and then click Quarantine VMs .
  2. Under Quarantine Method, click one of the following options:
    • Strict. Isolates the VM from all traffic. No exceptions can be made for forensics.
    • Forensic. Isolates the VM from all traffic except traffic from categories specified in the built-in quarantine policy. The allowed categories contain forensic tools that enable you to perform forensics on the VM.
    For VMs added to the strict quarantine, a red icon is displayed in the name column.
  3. Click Quarantine .

Removing a VM from the Quarantine

About this task

To remove a VM from the quarantine, do the following:

Procedure

  1. In the VMs dashboard List tab (see VMs Summary View in the Prism Central Guide ), select the VM that you want to remove from the quarantine, click Actions , and then click Unquarantine VMs .
    You can select multiple VMs and remove them from the quarantine in a single step.
  2. In the Unquarantine VMs dialog box, click Unquarantine .

VDI Policy Configuration

The VDI Policy is based on identity-based categorization of the VDI VMs using Active Directory group membership. Configuring VDI policy includes adding an Active Directory domain that is used for the ID firewall ( ID Based Security ) and configuring a service account for the domain.

ID Based Security

ID firewall is an extension to Flow that allows you to write security policies based on users and groups in the Active Directory domain to which your VDI VMs are joined. When using ID firewall, you import groups from Active Directory into Prism Central as categories (under the category key ADGroup), and then write policies around these categories just as you would for any other category. A new type of policy, the VDI Policy , exists for this purpose. ID firewall automatically places VDI VMs in the appropriate categories when it detects user logons on VMs hosted on Nutanix infrastructure associated with Prism Central, which enables user- and group-based enforcement of Flow policies.

  • See Configuring Active Directory Domain Services to import user groups for identity-based security policies.
  • See Creating a VDI Policy to create a VDI policy.
  • See Default VDI Policy configuration to define a default VDI policy.
Note:
  • It is recommended to disable credential caching on VDI VMs for Flow ID Firewall. The Flow ID Firewall detects logons from the domain controller events. If the VM cannot reach a domain controller and credential caching is enabled, a user can still log on, but no event is generated on the domain controller, so the ID Firewall cannot detect the logon and the VM keeps its previous categories.
  • To disable credential caching, see Interactive logon: Number of previous logons to cache (in case domain controller is not available) on Microsoft documentation website.
  • A basic assumption of VDI Policies is that a single end user is logged on to each desktop VM at a point in time. If multiple users log on to a single desktop VM at once, the security posture of the VM may change in unpredictable ways. For predictable behavior, ensure that only one user is logged on to a desktop VM at a time.
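The following PowerShell script is an added example and is not part of the Nutanix guide. It audits the first note above across a set of VDI VMs: the Group Policy setting Interactive logon: Number of previous logons to cache is written to the CachedLogonsCount value under the Winlogon registry key, and the script reads the effective value on each VM over WinRM and reports any VM that still caches logons. The VM names and the availability of WinRM on the VDI VMs are assumptions.

```powershell
# Added example, not from the Nutanix guide. The GPO setting
# "Interactive logon: Number of previous logons to cache" is stored in the
# CachedLogonsCount value under the Winlogon key. A value of 0 means no cached
# logons: a user can log on only while a domain controller is reachable, so the
# logon is visible to ID Firewall. VM names are assumptions for this example,
# and WinRM is assumed to be enabled on the VDI VMs.

$VdiVms  = @('vdi-001', 'vdi-002', 'vdi-003')   # assumed VM names
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $item = Get-ItemProperty -Path $using:RegPath -Name CachedLogonsCount -ErrorAction SilentlyContinue
        # Windows caches 10 logons when the value is absent, so treat "missing" as 10.
        $count = if ($null -eq $item) { 10 } else { [int]$item.CachedLogonsCount }
        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            CachedLogonsCount = $count
        }
    }
}

$results = Get-CachedLogonsCount -ComputerName $VdiVms
$results | Format-Table Computer, CachedLogonsCount -AutoSize

# A VM that still caches logons lets a user in while its domain controller is
# unreachable; no logon event reaches the domain controller for ID Firewall to
# act on, so the VM keeps whatever ADGroup categories it had before.
$nonCompliant = $results | Where-Object { $_.CachedLogonsCount -ne 0 }
if ($nonCompliant) {
    Write-Warning ("Credential caching still enabled on: " + ($nonCompliant.Computer -join ', '))
    Write-Warning "Set the setting to 0 in the GPO applied to the VDI OU; a local registry change is reverted at the next Group Policy refresh."
}
```

Run the script from an administrative workstation with WinRM access to the VDI VMs. Fix findings through Group Policy rather than on the VM, as the warning notes, so that the change survives the next policy refresh.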

Creating a VDI Policy

ID firewall integrates Nutanix Flow with Microsoft Active Directory (AD), such that the groups in the AD can be imported into Prism Central as categories. These imported categories can then be used in the VDI policy as target groups, inbound traffic, and outbound traffic. Prism Central automatically places VMs inside the imported AD group categories when user logons are detected on VMs that are part of the Active Directory domain and also present on Nutanix managed clusters, thus applying security policies based on user group membership.

Before you begin

Note:
  • Flow ID firewall is supported only on AHV hosts running AOS 5.17 or later, with Prism Central 5.17 or later.
  • Flow ID firewall does not detect user logoffs. The policy applied to a VM remains in effect until the next user logon on the same VM.
  • VMs with an AppType category assignment do not get categorized by ID Based Security .
  • You can use the Default VDI Policy to apply a default set of rules for the VDI VMs (without the requirement of user logons).
  • Since a VM user can be a member of multiple ADGroups that are mapped into Prism Central from Active Directory, when a user logs on, a VM may be placed in multiple ADGroups at once. This is the correct behavior, and the policy applied to the VM will be a union of the respective combination of inbounds and outbounds across all ADGroups the VM is placed into.
  • If not already available, configure an Active Directory domain that is used for ID firewall, see Configuring Active Directory Domain Services.
  • Configure a service account with required configuration for the Active Directory domain, see Configure Service Account for ID Firewall.

About this task

To secure a VDI environment, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), click Create Security Policy . Select Secure VDI Groups (VDI Policy) and click Create .
    You can create only one VDI policy for securing applications through ID Firewall.
    The Define Policy page is displayed.
  2. On the Define Policy tab, do the following in the indicated fields, and then click Next :
    1. The Policy Name and Purpose fields are auto-populated.
    2. Select either Include all VMs or Include VMs by name as the VDI VM Filter .

    You can use the VDI VM Filter for the following scenarios.

    • Include VMs by name - Select Include VMs by name and enter the matching criteria in the VM Name Contains field. Select the Assign matching VMs to an optional default category (ADGroup:Default) check box to apply a default posture to the VMs; see Default VDI Policy for details. Optionally, select the Keep the default category upon user logon check box to preserve the default category even after a user logs on.
      Note:
      • ADGroup categories are assigned only to VMs that match the filter criteria. Without a filter, ADGroup categories are applied to every VM on which a logon is detected.
      • A VM with an AppType category assigned is never categorized with an ADGroup.
      • If, while updating the VDI policy, you change the inclusion criteria so that previously included VMs (already logged on and categorized) are excluded and then re-included, their previous categories are not restored on re-inclusion; a new logon must occur on the VM for categories to apply again.
    • Include all VMs - Select Include all VMs to include all VMs in the AD group in the policy. Note that non-VDI VMs are also included in the policy if Include all VMs is selected.
    3. Optionally, in the Advanced Configuration section, select the Allow option to allow IPv6 traffic . The policy rules apply to IPv4 traffic only, and all IPv6 traffic is blocked by default.
      Note: If you choose to block IPv6 traffic, the IPv6 traffic remains blocked even in the monitoring mode.
    4. Optionally, turn on the Policy Hit Logs option to log traffic flow hits on the policy rules.
      You can configure syslog monitoring for the policy hit logs for Flow, see "Configuring Syslog Monitoring" in the Prism Central Guide for details.
      Note: Policy hit logs are not generated if both source and destination are in inbound or outbound category.
  3. In the Secure AD Groups tab, do the following in the indicated fields and click Next .
    1. For Inbound Traffic , click + Add Source and enter the category or subnets that the VDI group can receive the traffic from, as the source.
    2. For each VDI ADGroup , click +Add AD Group to select the AD groups (categorized VDI VMs) that you want to secure. You can click Import all AD Groups to add all imported ADGroup categories to the VDI policy.
    3. For Outbound Traffic , click + Add Destination and enter the category or subnets that the VDI group can send the traffic to, as the destination.
      Note: If you have not used the default VDI option in Step 2b , ensure that you add all of your Active Directory domain controllers in this step, using either categories or subnets, for each ADGroup. Otherwise the applied policy blocks the VDI VMs' traffic to the domain controllers, users can log on only with cached credentials, and ID Firewall cannot detect those logons.
    Figure. Secure AD Groups Tab
  4. Do one of the following:
    • Click Apply Now to apply the VDI Policy.
    • Click Save and Monitor to save the configuration.
    You can switch between the monitoring and applied states by selecting the policy on the Security Policies page and clicking the appropriate option in the Actions menu.

Default VDI Policy

The Default VDI policy feature allows you to apply a default set of rules as defined by the desktop administrator for VDI VMs and users. There are two primary use cases for Default VDI Policy ( ADGroup:Default ).

  • To ensure that a VDI VM is secure even before a user logs on to the VDI VM.
  • To enable access to common network resources without the need to add the resources to every tier of a VDI policy.

You can define a default VDI policy when creating a new VDI policy, or by updating an existing VDI policy. See Step 2b of Creating a VDI Policy for details.

Configuring Active Directory Domain Services

Active Directory Domain Services configuration is used to import user groups for identity based security policies.

Before you begin

  • Microsegmentation must be enabled to be able to use the ID Firewall feature, see Enabling Microsegmentation.
  • You must allow WMI access from Prism Central to all the Active Directory domain controllers in your network firewall and in the Windows firewall on the domain controllers. WMI runs over DCOM, which uses TCP 135 (the RPC endpoint mapper) plus the RPC dynamic port range.
  • Active Directory Requirements:
    • Minimum supported domain functional level in Active Directory is Windows Server 2008 R2.
    • ID Firewall checks the membership of Security Groups only, Distribution Groups are not supported.
    • NTP must be configured on Active Directory and Prism Central.
    • DNS must be configured on Prism Central if you want to use host name for domain controllers.
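The following PowerShell script is an added example and is not part of the Nutanix guide. It checks the prerequisites listed above from a domain-joined administrative workstation that has the RSAT ActiveDirectory and DnsClient modules: domain functional level, group category of the groups you plan to import, DNS resolution of each domain controller, reachability of the RPC endpoint mapper port that DCOM/WMI depends on, and whether each domain controller is taking time from a network source. The AD group names are assumptions for the example.

```powershell
# Added example, not from the Nutanix guide: pre-flight check of the
# ID Based Security prerequisites. Run from a domain-joined admin workstation
# with the RSAT ActiveDirectory and DnsClient modules. The group names are
# assumptions; replace them with the groups you intend to import.

Import-Module ActiveDirectory

$GroupsToImport = @('VDI-Finance', 'VDI-Engineering')   # assumed group names
$findings = [System.Collections.Generic.List[string]]::new()

# Domain functional level must be Windows Server 2008 R2 or later.
$domain  = Get-ADDomain
$minimum = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
if ([int]$domain.DomainMode -lt [int]$minimum) {
    $findings.Add("Domain functional level is $($domain.DomainMode); minimum is $minimum")
}

# Only Security groups are evaluated; a Distribution group is silently ignored,
# so VMs whose users are only in such a group would never be categorized.
foreach ($name in $GroupsToImport) {
    $group = Get-ADGroup -Identity $name
    if ("$($group.GroupCategory)" -ne 'Security') {
        $findings.Add("$name is a $($group.GroupCategory) group; ID Firewall reads Security groups only")
    }
}

# Every domain controller must resolve in DNS (if added by host name), accept
# DCOM/WMI connections (TCP 135 plus the RPC dynamic range), and keep time
# from an NTP source rather than the local clock.
foreach ($dc in Get-ADDomainController -Filter *) {
    $fqdn = $dc.HostName
    if (-not (Resolve-DnsName -Name $fqdn -ErrorAction SilentlyContinue)) {
        $findings.Add("$fqdn does not resolve in DNS")
    }
    if (-not (Test-NetConnection -ComputerName $fqdn -Port 135 -InformationLevel Quiet)) {
        $findings.Add("$fqdn TCP 135 (RPC endpoint mapper, used by DCOM/WMI) is not reachable")
    }
    $source = (w32tm /query "/computer:$fqdn" /source 2>$null) -join ' '
    if ($source -match 'Local CMOS Clock|Free-running System Clock') {
        $findings.Add("$fqdn time source is '$source'; configure NTP")
    }
}

if ($findings.Count -eq 0) { 'ID Based Security prerequisites satisfied.' } else { $findings }
```

The port test only proves that the endpoint mapper is reachable from the workstation; the dynamic RPC range must also be open from Prism Central itself, which the service account verification in Configure Service Account for ID Firewall exercises end to end.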

About this task

To configure an Active Directory domain, do the following.

Procedure

  1. Log on to the Prism Central web console.
  2. Click the collapse menu ("hamburger") button on the left of the main menu and then select Prism Central Settings to display the Settings page.
  3. Click ID Based Security from the Settings menu (on the left).
    The ID Based Security page is displayed. This page allows you to Add New Domain or use an Existing AD .
  4. If you select Use Existing AD in step 3, do the following in the indicated fields:
    1. Click the Manually Add Domain Controller button, then click + Domain Controller .
    2. Enter the IP Address or Host Name of the domain controllers that you want to monitor for user logons events. You must add all the domain controllers associated with your Active Directory manually.

      Click + and add each domain controller individually, then click the blue check mark icon to save.

      Note: DNS must be configured on Prism Central for the host name option to work.
  5. If you select Add New Domain in step 3, a set of fields is displayed. Do the following in the indicated fields:
    1. Name : Enter a directory name.

      This is a name you choose to identify this entry; it need not be the name of an actual directory.

    2. Domain : Enter the domain name.

      Enter the domain name in DNS format, for example, nutanix.com .

    3. Directory URL : Enter the LDAP address of the directory, including the port number.
    4. Service Account Username : Enter the service account user name in the user_name@domain.com format that you want Prism Central to use to detect logons and query user and group information from Active Directory.
      Caution: As a security best practice, do not use a Domain Admin account as the service account. Create a dedicated domain user and grant it only the permissions described in Configure Service Account for ID Firewall.

      A service account is a special user account that an application or service uses to interact with the Active Directory. Enter your Active Directory service account credentials in this (username) and the following (password) field.

      Note: Ensure that you update the service account credentials here whenever the service account password changes or when a different service account is used.
    5. Service Account Password : Enter the service account password.
    6. When all the fields are correct, click the Save button (lower right).

      ID Firewall uses the service account for ID based security with additional requirements, see Configure Service Account for ID Firewall.

    Once saved, the Referenced AD Groups section is displayed. You can add a new user group by clicking + Add User Group and edit the auto-generated Category Value . After the active directory configuration is complete, you can create the VDI Policy, see Creating a VDI Policy
  6. Optionally, click Add Inclusion Criteria under Manage the VM Inclusion Criteria to specify which VMs are assigned to AD Group categories upon user logon based on VM name.
    Note: It is recommended that you add inclusion criteria wherever possible to prevent unintended categorization of VMs.
    Note: The VMs with AppType category assigned cannot be categorized by ID Based Security.

Configure Service Account for ID Firewall

The Active Directory service account configured in Prism Central is used for connectivity with the Active Directory domain services. ID Firewall uses the same service account for ID based security.

To configure a service account for ID firewall, do the following.

  1. Create a new user in the Active Directory.
  2. Add the user to the Distributed COM Users and Event Log Readers built-in groups. These memberships grant remote DCOM access and read access to the event logs; together with the WMI permissions granted in the following steps, they are all the account needs, and it requires no administrative rights.
  3. Start the dcomcnfg.exe utility and go to Component Services > Computers > My Computer > DCOM Config .
  4. Right-click on Windows Management and Instrumentation and select Properties from the menu.
  5. Switch to Security tab, select Customize option in the Access Permissions section and then click Edit .
  6. Add the user and grant Local Access and Remote Access permissions to the user. Click OK to confirm changes.
  7. Run the WMIMGMT.msc command to start Windows Management Instrumentation snap-in.
  8. Right-click on WMI control (local) and select Properties from the menu.
  9. Switch to Security tab and expand Root tree.
  10. Select CIMV2 in the expanded tree and click Security .
  11. Go to Advanced > Add > Principal and enter the user name.
  12. Change scope by selecting This namespace and subnamespaces in the Applies to drop-down menu.
  13. Click the check-box to grant the Enable Account and Remote Enable permissions. Click OK to confirm changes.
  14. Restart the winmgmt service.
    C:\> net stop winmgmt 
    C:\> net start winmgmt

    Alternatively, reboot the domain controller.

  15. Repeat step 3 to step 14 on every domain controller.
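The following PowerShell script is an added verification example, not part of the Nutanix procedure: run elevated on a domain controller, it checks that the account from step 1 (the $Account placeholder is an assumption) holds the group memberships from step 2 and the root\cimv2 namespace rights from steps 10 to 13, and that winmgmt is running after step 14. It assumes the ActiveDirectory module (RSAT) is installed and does not check the DCOM permissions from steps 3 to 6.

```powershell
# Added verification script (not Nutanix code). Run it elevated on each domain controller
# after step 15. Assumptions: the ActiveDirectory module (RSAT) is available, and
# $Account is a placeholder for the account created in step 1.
$Account = 'svc-idfirewall'   # placeholder sAMAccountName, replace with your own

# Bits behind the check boxes in the wmimgmt.msc security dialog (WMI namespace access rights)
$WBEM_ENABLE        = 0x01    # "Enable Account"
$WBEM_REMOTE_ACCESS = 0x20    # "Remote Enable"
$CONTAINER_INHERIT  = 0x02    # AceFlags bit set by "This namespace and subnamespaces"
$ACCESS_ALLOWED     = 0       # AceType of an allow ACE

$problems = @()

# Step 2: membership of the two domain groups
foreach ($group in 'Distributed COM Users', 'Event Log Readers') {
    $members = Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $Account) { $problems += "$Account is not a member of '$group'" }
}

# Steps 10-13: the allow ACE for the account on the root\cimv2 namespace
$sd  = (Invoke-CimMethod -Namespace 'root\cimv2' -ClassName '__SystemSecurity' -MethodName 'GetSecurityDescriptor').Descriptor
$ace = $sd.DACL | Where-Object { $_.AceType -eq $ACCESS_ALLOWED -and $_.Trustee.Name -eq $Account } | Select-Object -First 1
if (-not $ace) {
    $problems += "$Account has no allow ACE on root\cimv2"
} else {
    if (-not ($ace.AccessMask -band $WBEM_ENABLE))        { $problems += 'Enable Account is not granted on root\cimv2' }
    if (-not ($ace.AccessMask -band $WBEM_REMOTE_ACCESS)) { $problems += 'Remote Enable is not granted on root\cimv2' }
    if (-not ($ace.AceFlags   -band $CONTAINER_INHERIT))  { $problems += 'ACE does not apply to subnamespaces' }
}

# Step 14: the service must be back up after the restart
if ((Get-Service -Name winmgmt).Status -ne 'Running') { $problems += 'winmgmt service is not running' }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { Write-Output "ID Firewall WMI prerequisites verified for $Account on $env:COMPUTERNAME" }
```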

Modifying the VDI Policy

About this task

To modify the VDI policy, do the following:

Procedure

  1. In the Security Policies dashboard, select the policy that you want to modify, click Actions , and then click Update .
  2. Make the changes you want and then apply or save and monitor the policy.
    The update options are the same as those for creating a policy. For information about the options, see Creating a VDI Policy.

Applying the VDI Policy

Applying the VDI policy enforces the policy on the specified categories (VDI AD groups), and any traffic between the categories is blocked.

About this task

To apply the VDI policy, do the following:

Procedure

  1. In the Security Policies dashboard, select the policy that you want to apply, click Actions , and then click Apply .
  2. Confirm by typing Apply in the dialog box, and then click OK .

Monitoring the VDI Policy

About this task

The VMs in VDI AD Groups in the VDI policy are allowed to communicate with each other when the policy is in the monitoring state. Traffic is blocked only during the time the policy is applied.

To monitor a security policy, do the following:

Procedure

  1. In the Security Policies dashboard, select the policy that you want to monitor, click Actions , and then click Monitor .
  2. Confirm by typing Monitor in the dialog box, and then click OK .

Deleting the VDI Policy

About this task

To delete the VDI policy, do the following:

Procedure

  1. In the Security Policies dashboard, select the VDI policy.
  2. Click Delete in the Actions menu.

Applying Filtering and Grouping to a Security Policy

You can apply different types of filters to view results based on properties like source, destination, category, ports, and more. You can also group related rule attributes together for easier visualization of connection flows. Grouping and filtering work together to provide an intuitive view of the security policy.

About this task

To apply filtering and grouping to a security policy, do the following.

Procedure

  1. Log on to the Prism Central web console.
  2. Click the collapse menu ("hamburger") button on the left of the main menu and go to Policies > Security . The Policies page is displayed.
  3. Click any policy to view the inbound, application, and outbound configuration.
  4. To view specific rule properties, do one of the following.
    • In the Search box, search for the required string using the default All filter.
    • Click the filter drop-down menu to search the policy based on any of the following filter types.
      Category
      search category name and value
      Address
      search address and subnet IP address
      Subnet IP
      search subnet IP address
      Service
      search service name
      Rule Description
      search rule description
      Ports (TCP/UDP)
      search TCP/UDP ports and services
      ICMP
      search ICMP ports and services
    Figure. Filtering Policies Click to enlarge
  5. To group related rule entities together, click the group icon.
    The group option organizes related rule attributes like subnet IP, categories, and service in distinct boxes. Also, the connection flows for all the entities in a group are displayed as a single connection flow. To view all the entities belonging to a group, click the down-arrow icon to expand the group.
    Figure. Filtering Policies Click to enlarge

Exporting and Importing Security Policies

Prism Central allows you to export and import security policies for the following security administration aspects.

  • Have a snapshot of a working security configuration so that the system can be restored to the desired state when needed.
  • Ability to apply security policies as templates. This scenario is useful in ROBO environments (disaster recovery deployments) where the datacenters are being managed by multiple Prism Central instances.

Exporting Security Policies

To export or import security policies, do the following in the Security Policies dashboard.
Note: For a VDI policy, the inclusion criteria and default VDI category settings are not included in the export. You must set these manually after an import if required.
  • Click the Export & Import drop-down menu.
  • To export the security policies, select Export Security Policy . The security policies binary file is downloaded.
  • To import any previously exported security policies binary file, select Import Security Policy , then click Browse to select the binary file. Click Import . The security policies are imported.
    Note: Existing policies are overridden with new policies. Policies that are not part of this import are deleted.
Flow Microsegmentation Guide

Flow Microsegmentation 6.5

Product Release Date: 2022-07-25

Last updated: 2022-12-14

Security Policies

Traditional data centers use firewalls to implement security checks at the perimeter—the points at which traffic enters and leaves the data center network. Such perimeter firewalls are effective at protecting the network from external threats. However, they offer no protection against threats that originate from within the data center and spread laterally, from one compromised machine to another.

The problem is compounded by virtualized workloads changing their network configurations and hosts as they start, stop, and migrate frequently. For example, IP addresses and MAC addresses can change as applications are shut down on one host and started on another. Manual enforcement of security policies through traditional firewalls, which rely on network configurations to inspect traffic, cannot keep up with these frequent changes and are error-prone.

Network-centric security policies also require the involvement of network security teams that have intimate knowledge of network configuration in terms of VLANs, subnets, and other network entities.

Nutanix Flow includes a policy-driven security framework that inspects traffic within the data center. The framework works as follows:

  • Security policies inspect traffic that originates and terminates within a data center and help eliminate the need for additional firewalls within the data center.
  • The framework uses a workload-centric approach instead of a network-centric approach. Therefore, it can scrutinize traffic to and from VMs no matter how their network configurations change and where they reside in the data center. The workload-centric, network-agnostic approach also enables the virtualization team to implement these security policies without having to rely on network security teams.
  • Security policies are applied to categories (a logical grouping of VMs) and not to the VMs themselves. Therefore, it does not matter how many VMs are started up in a given category. Traffic associated with the VMs in a category is secured without administrative intervention, at any scale.
  • Prism Central offers a visualization-based approach to configuring policies and monitoring the traffic to which a given policy applies.
  • Using Prism Central, you can configure syslog monitoring by forwarding Flow logs to an external syslog server. For details, see Configuring Syslog Monitoring in the Prism Central Guide .
Note: Nutanix Flow supports only the AHV hypervisor; security policies cannot be applied to VMs running on other hypervisors.

Types of Policies

The types of policies in Prism Central and their use cases are described here.

Table 1. Types of Policies
Policy Type Use Case
Application Security Policy Use an application security policy when you want to secure an application by specifying allowed traffic sources and destinations. This method of securing an application is typically called application ring fencing .

For example, use an application security policy when you want to allow only those VMs in the categories department: engineering and department: customersupport (the allowed sources) to communicate with an issue tracking tool in the category AppType: IssueTracker (the secured application), and you want the issue tracking tool to be able to send traffic only to an integrated customer relationship management application in the category AppType: CRM .

The secured application itself can be divided into tiers by the use of categories (the built-in AppTier category). For example, you can divide the issue tracking tool into web, application, and database tiers and configure tier-to-tier rules.

For more information, see Application Security Policy Configuration.

Isolation Environment Policy Use an isolation environment policy when you want to block all traffic, regardless of direction, between two groups of VMs identified by their category. VMs within a group can communicate with each other.

For example, use an isolation environment policy when you want to block all traffic between VMs in the category Environment: sandbox and VMs in the category Environment: production , and you want to allow all the VMs within each of those categories to communicate with each other.

For more information, see Isolation Environment Policy Configuration.

Quarantine Policy Use a quarantine policy when you want to isolate a compromised or infected VM and optionally want to subject it to forensics.

For more information, see Quarantine Policy Configuration.

VDI Policy Use a VDI policy when you want to secure your VDI environment.

For more information, see VDI Policy Configuration.

Security Policy Model

Application-centricity

The security policy model uses an application-centric policy language instead of the more complex, traditional network-centric policy language. Configuring an application security policy involves specifying which VMs belong to the application you want to protect and then identifying the entities or networks, in the inbound and outbound directions, with which you want to allow communication.

All the entities in an application security policy are identified by the categories to which they belong and not by their IP address, VLAN, or other network attributes. After a VM is associated with a category and the category is specified in a security policy, traffic associated with the VM is monitored even if it migrates to another network or changes its IP address.

The default options for allowing traffic on the inbound and outbound directions are also inherently application centric. For application security policies, the default option for inbound traffic is Allowed List , which means that Allowed List is usually the recommended option for inbound traffic. The default option can be changed to Allow All traffic. The default option in the outbound direction allows the application to send traffic to all destinations, but you can configure a destination Allowed List if desired.

For forensic quarantine policies, the default option in both directions is Allowed List , but you can Allow All traffic in both directions. For strict quarantine policies, no traffic is allowed in either direction.

All the VMs within a category can communicate with each other. For example, in a tiered application, regardless of how you configure tier-to-tier rules, the VMs within a given tier can communicate with each other.

Whitelist-Based Policy Expression

An application security policy is expressed in terms of the categories and subnets with which you want the application to communicate and therefore, by extension, the traffic you want to allow. A more granular policy expression can be achieved by specifying which protocols and ports can be used for communication.

Any category or subnet that is not in the allowed list is blocked. You cannot specify the categories and subnets you want to block, because the number of such entities is typically much larger, and grows at a much higher rate, than the number of categories and subnets with which an application should be allowed to communicate. Expressing a policy in terms of allowed traffic results in a smaller, tighter policy configuration that can be modified, monitored, and controlled more easily.

Enforcement Modes

All policies, whether associated with securing an application, isolating environments, or quarantining VMs, can be run in the following modes:

Monitor Mode
Allows all traffic, including traffic that is not allowed by the policy. This mode enables you to visualize both allowed and disallowed traffic and fine-tune the policy before applying it.
Enforce Mode
Blocks all traffic that is not allowed by the policy.

You can switch a policy between these two modes as many times as you want.

Automated Enforcement

A policy uses categories to identify the VMs to which it must apply. This model allows the automatic enforcement of a policy to VMs regardless of their number and network attributes. Connectivity between Prism Central and a registered AHV cluster is required only when creating and modifying policies, or when changing the mode of operation (applied or monitoring) of a policy. Policies are applied to the VMs in a cluster even if the cluster temporarily loses network connectivity with the Prism Central instance with which it is registered. New policies and changes are applied to the cluster when connectivity is restored.

Priorities Between Policies

Prism Central does not provide a way for you to specify priorities between policies of a single type. For example, you cannot prioritize one security policy over another. There is no limit to the number of inbound and outbound rules that you can add to a security policy, allowing you to define all of an application's security requirements in a single policy. This makes priorities between policies unnecessary.

However, priorities exist between the different policy types. Quarantine policies have the highest priority, followed by isolation environment policies and then application security policies. The VDI policy has the lowest precedence; for example, if an application security policy is protecting a VM, that VM cannot simultaneously be protected by the VDI policy.

Isolation environment rules take precedence over application security rules, so make sure that isolation environment policies and application security policies are not in conflict. An isolation environment rule and an application security rule are said to be in conflict if they apply to the same traffic (a scenario that is encountered when VMs in one of the categories in the isolation environment send traffic to an application in the other category, and some or all of that traffic is either allowed or disallowed by the application security policy). The effect that an isolation environment policy has on a conflicting application security policy depends on the mode in which the isolation environment policy is deployed, and is as follows:

  • If the isolation environment policy is in the applied mode, it blocks all traffic to the application, including the traffic that is allowed by the application security policy.
  • If the isolation environment policy is in the monitoring mode, it allows all traffic to the application, including any traffic that is disallowed by the application security policy.
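The precedence rules above, as an added illustrative model written for this page (not Flow's implementation): each policy type is resolved in fixed precedence order, monitor mode reports rather than blocks, and the sample VMs and policies are constructed using the category names from this page.

```powershell
# Added illustrative model (not Flow's implementation) of the precedence rules:
# Quarantine > Isolation > Application > VDI, with monitor mode never blocking.
# VMs are hashtables of category name -> value; specs are strings such as 'Environment:sandbox'.

function Test-HasCategory {
    param([hashtable]$Cats, [string]$Spec)
    $name, $value = $Spec -split ':', 2
    return ($Cats.ContainsKey($name) -and $Cats[$name] -eq $value)
}

function Test-MatchesAny {
    param([hashtable]$Cats, $Specs)     # $Specs: array of specs, or the string 'AllowAll'
    if ($Specs -eq 'AllowAll') { return $true }
    foreach ($s in @($Specs)) { if (Test-HasCategory $Cats $s) { return $true } }
    return $false
}

# A policy in monitor mode reports what it would block but still allows the traffic.
function New-Verdict {
    param($Policy, [bool]$Allowed, [string]$Note)
    if ($Allowed)                   { return [pscustomobject]@{ Verdict = 'Allow'; By = $Policy.Type; Note = $Note } }
    if ($Policy.Mode -eq 'Monitor') { return [pscustomobject]@{ Verdict = 'Allow'; By = $Policy.Type; Note = "$Note (monitor mode: would be blocked)" } }
    return [pscustomobject]@{ Verdict = 'Block'; By = $Policy.Type; Note = $Note }
}

# Each resolver returns a verdict when its policy applies to the flow, otherwise $null.
function Resolve-Quarantine {
    param($P, [hashtable]$Src, [hashtable]$Dst)
    if ($Src.Quarantine -eq 'Strict' -or $Dst.Quarantine -eq 'Strict') { return New-Verdict $P $false 'strict quarantine' }
    if ($Src.Quarantine -eq 'Forensic') { return New-Verdict $P (Test-MatchesAny $Dst $P.ForensicCategories) 'forensic quarantine allowed list' }
    if ($Dst.Quarantine -eq 'Forensic') { return New-Verdict $P (Test-MatchesAny $Src $P.ForensicCategories) 'forensic quarantine allowed list' }
    return $null
}

function Resolve-Isolation {
    param($P, [hashtable]$Src, [hashtable]$Dst)
    $aToB = (Test-HasCategory $Src $P.A) -and (Test-HasCategory $Dst $P.B)
    $bToA = (Test-HasCategory $Src $P.B) -and (Test-HasCategory $Dst $P.A)
    if ($aToB -or $bToA) { return New-Verdict $P $false "isolation between $($P.A) and $($P.B)" }
    return $null
}

function Resolve-Application {
    param($P, [hashtable]$Src, [hashtable]$Dst)
    $srcInApp = Test-HasCategory $Src $P.App
    $dstInApp = Test-HasCategory $Dst $P.App
    $outbound = if ($P.ContainsKey('Outbound')) { $P.Outbound } else { 'AllowAll' }   # default per this page
    if ($srcInApp -and $dstInApp) { return New-Verdict $P $true 'VMs within a category may always talk' }
    if ($dstInApp) { return New-Verdict $P (Test-MatchesAny $Src $P.Inbound) 'inbound allowed list' }
    if ($srcInApp) { return New-Verdict $P (Test-MatchesAny $Dst $outbound) 'outbound allowed list' }
    return $null
}

function Resolve-VDI {
    param($P, [hashtable]$Src, [hashtable]$Dst)
    $srcGroup = $P.Groups | Where-Object { Test-HasCategory $Src $_ } | Select-Object -First 1
    $dstGroup = $P.Groups | Where-Object { Test-HasCategory $Dst $_ } | Select-Object -First 1
    if (-not $srcGroup -or -not $dstGroup) { return $null }
    return New-Verdict $P ($srcGroup -eq $dstGroup) "VDI groups $srcGroup -> $dstGroup"
}

function Get-FlowVerdict {
    param([hashtable]$Src, [hashtable]$Dst, [object[]]$Policies)
    # Fixed precedence, independent of the order in which the policies were created.
    foreach ($type in 'Quarantine', 'Isolation', 'Application', 'VDI') {
        foreach ($p in @($Policies | Where-Object { $_.Type -eq $type })) {
            $r = & "Resolve-$type" $p $Src $Dst
            if ($r) { return $r }
        }
    }
    return [pscustomobject]@{ Verdict = 'Allow'; By = 'none'; Note = 'no policy applies' }
}

# Constructed sample VMs; the category names follow the examples used on this page.
$engineer   = @{ department = 'engineering'; Environment = 'production' }
$sandboxDev = @{ department = 'engineering'; Environment = 'sandbox' }
$tracker    = @{ AppType = 'IssueTracker';   Environment = 'production' }
$crm        = @{ AppType = 'CRM';            Environment = 'production' }
$infected   = @{ AppType = 'IssueTracker';   Quarantine = 'Strict' }

$policies = @(
    @{ Type = 'Quarantine';  Mode = 'Applied'; ForensicCategories = @('AppType:ForensicTools') }
    @{ Type = 'Isolation';   Mode = 'Applied'; A = 'Environment:sandbox'; B = 'Environment:production' }
    @{ Type = 'Application'; Mode = 'Applied'; App = 'AppType:IssueTracker'
       Inbound = @('department:engineering', 'department:customersupport'); Outbound = @('AppType:CRM') }
)

Get-FlowVerdict $engineer   $tracker  $policies   # Allow: source is on the inbound allowed list
Get-FlowVerdict $tracker    $crm      $policies   # Allow: destination is on the outbound allowed list
Get-FlowVerdict $crm        $tracker  $policies   # Block: CRM is not on the inbound allowed list
Get-FlowVerdict $sandboxDev $tracker  $policies   # Block: applied isolation wins although the app policy allows it
Get-FlowVerdict $engineer   $infected $policies   # Block: quarantine wins over everything
$policies[1].Mode = 'Monitor'
Get-FlowVerdict $sandboxDev $tracker  $policies   # Allow, noted as "would be blocked": monitor-mode isolation
```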

Requirements

The Security Policies feature has the following requirements:

  • The feature is supported only on AHV clusters running AOS 5.6 or later and AHV version 20170830.115 or later.
  • The Prism Central instance must be hosted on one of the AHV clusters registered with it. The AHV cluster that hosts the Prism Central instance must be running AOS 5.6 or later.
  • The host must have at least 1 GB of additional memory for each Prism Central VM hosted on it.
  • If you are running a Prism Central scale-out instance, all the VMs in the Prism Central cluster must be powered on.
  • The AHV hosts must be allowed to communicate with the Prism Central VMs over TCP port 9446. Keeping the port open enables the hosts to send the Prism Central VMs connection tracking data. Prism Central uses that data to show network flows.
  • Flow supports only TCP, UDP, or ICMP traffic.
Caution:
  • When Flow is enabled, a Kafka container is automatically created on the cluster where Prism Central is hosted. The container is used to store data that is required for flow visualization to work and must not be deleted.
  • Cross cluster live migration of guest VMs that are part of Flow security policy is not supported.
  • Security Policies are not supported for VMs that are on the advanced networking stack. An alert is raised for VMs that are part of both VPC and Flow policy, and Flow policies are not enforced for VMs on VPCs.
  • Overlapping or conflicting policy configuration is not supported and might cause unintended interruption of network services.

Enabling Microsegmentation

Microsegmentation is disabled by default. Before you can configure and use application security policies, isolation environment policies, and quarantine policies, you must enable the feature. The feature requires a Flow license. If you have not installed a Flow license, you can try the feature for a period of 60 days. After this period expires, you will be required to install the license to continue using the feature.

Before you begin

Ensure that you meet Microsegmentation requirements.

About this task

To enable microsegmentation, do the following:

Procedure

  1. Log on to the Prism Central web console.
  2. Click the collapse menu ("hamburger") button on the left of the main menu and then select Prism Central Settings to display the Settings page.
  3. Click Microsegmentation from the Settings menu (on the left).
    The Enable Microsegmentation dialog box is displayed.
  4. To determine whether the registered clusters are capable of supporting microsegmentation, do the following:
    1. Click View Cluster Capability , and then review the results of the capability checks that Prism Central performed on the registered clusters.
    2. Click Back .
  5. Select the Enable Microsegmentation check box.
  6. Click OK .

Disabling Microsegmentation

The Prism Central web console lets you disable the microsegmentation feature.

About this task

To disable microsegmentation, do the following:

Procedure

  1. Log on to the Prism Central web console.
  2. Click the gear icon in the main menu and then select Microsegmentation in the Settings page.
    Figure. Settings Page - Disabling Microsegmentation Click to enlarge Microsegmentation page
  3. Click Disable Microsegmentation .
    A confirmation message appears.
    Figure. Microsegmentation - Confirmation message Click to enlarge Disabling Microsegmentation
  4. Click Disable to confirm disabling the microsegmentation feature.

Built-in Categories for Security Policies

Prism Central includes built-in categories that you can use in application security policies and isolation policies. It also includes a built-in category for quarantining VMs.

Table 1. Built-In Categories
Category Description
AppTier Add values for the tiers in your application (such as web, application_logic, and database) to this category and use the values to divide the application into tiers when configuring a security policy.
AppType Associate the VMs in your application with the appropriate built-in application type such as Exchange and Apache_Spark. You can also update the category to add values for applications not listed in this category.
Environment Add values for environments that you want to isolate from each other and then associate VMs with the values.
Quarantine Add a VM to this category when you want to quarantine the VM. You cannot modify this category. The category has the following values:
Strict
Use this value when you want to block all inbound and outbound traffic.
Forensic
Use this value when you want to block all inbound and outbound traffic except the traffic to and from categories that contain forensic tools.
ADGroup This category is managed by ID Based Security (ID Firewall). Each ADGroup value represents a group imported from Active Directory. To add or remove values for use in Flow policies, use the ID Based Security configuration page ( Prism Central Settings > Flow > ID Based Security ). The category values can be used in VDI policies; see VDI Policy Configuration for details.
ADGroup:Default This category is applied to the VDI VMs of the AD group when the VM inclusion criteria are set. It allows you to apply a default set of rules to the VDI VMs without requiring user logons.

Services

A service is a group of protocol-port combinations. You can use any of the default services or create a custom service. Using service entities in the policy creation workflow reduces manual configuration errors and enables reuse of the available entities.

  • To create or update a custom service, see Creating a Service.
  • To view the list of available services (built-in and custom services), go to Policies > Security > Services .

Creating a Service

About this task

To create a custom service, do the following.

Procedure

  1. Log on to the Prism Central web console.
  2. Click the collapse menu ("hamburger") button on the left of the main menu and go to Policies > Security > Services .
  3. Click Create Service .
    Figure. Create Service Tab Click to enlarge create a service page

  4. Enter a name and description for the service.
  5. Select the Protocol from the drop-down menu and enter the port number or port range in the Port field.
    You can add multiple protocol-port combinations in a single service. To add more protocol-port combinations, click Add Row and specify the required values.
  6. Click Save to save the service.

Addresses

An address is a way to group one or more IP addresses or ranges. You can create an address entity and use that entity while creating policies. Using addresses in the policy creation workflow reduces manual configuration errors and enables reuse of the available entities.

  • To create or update an Address, see Creating an Address.
  • To view the list of available addresses, go to Policies > Security > Address .

Creating an Address

About this task

To create an Address, do the following.

Procedure

  1. Log on to the Prism Central web console.
  2. Click the collapse menu ("hamburger") button on the left of the main menu and go to Policies > Security > Addresses .
  3. Click Create Address .
    Figure. Create Address Tab Click to enlarge create a service page

  4. Enter a name and description for the address.
  5. Enter the IP address or an IP range in the Subnet field.
    You can add multiple subnets in a single address entity. To add more subnets, click Add Row and specify the required values.
  6. Click Save to save the address.

Application Security Policy Configuration

Creating an Application Security Policy

Before you begin

  • Create the categories you need and associate the VMs that you want to protect with those categories. You might be required to create categories for the following purposes. Some categories or category values are required while others are optional:
    • Every security policy must be associated with a value in the AppType category, so make sure that you update the AppType category with appropriate values if the built-in values do not work for you. For information about this category and its values, see Category Details View in the Prism Central Guide .
    • If you need to apply the policy to an application in a specific environment (for example, development, test, or production) or an application at a specific location, create the category you need and apply it to the application. Prism Central includes a built-in Environment category that you can use or update with values of your own. You can also create your own categories.
    • If you want to specify categories for traffic sources and destinations instead of allowing all inbound and outbound traffic, create those categories and apply them to the traffic sources and destinations.
    • If you want to divide the application into tiers in a security policy, add tiers to the AppTier category. The AppTier category has a built-in default value, but you can update the category to add values of your choice.

    For information about categories and their values, see Category Management in the Prism Central Guide .

  • Security policy configuration might require more time than the default session timeout allows you. You might want to increase the session timeout so that you do not lose a configuration that is left unattended while you perform associated tasks such as referring to this documentation. For more information, see Modifying UI Settings (Prism Central) in the Prism Central Guide .

About this task

To secure an application, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), click Create Security Policy , and then click Secure an Application .
    The Create App Security Policy page is displayed.
  2. On the Define Policy tab, do the following in the indicated fields, and then click Next :
    Figure. Define Policy Tab Click to enlarge The Create App Security Policy page comprises tabs for defining a policy, securing an application, and then reviewing the policy. This image shows the Define Policy tab, with fields for entering a name and purpose and a drop-down list from which you can select the application that you want to secure. The Define policy tab also has Advanced Configuration section to allow or block IPV6 traffic and enabling policy hit log.
    1. Name : Enter a name for the security policy.
    2. Purpose : Describe the purpose of the security policy.
    3. Secure This App : Select the type of application that you want to secure.
      The Secure This App list displays available values in the AppType category. It uses the format AppType : value , where value represents a type of application. Every application that you want Prism Central to secure must be associated with a value from the built-in AppType category. The AppType category includes values for frequently encountered applications, such as Exchange and Hadoop. The AppType category also includes a built-in default value that you can use if your application cannot be associated with one of the other built-in values. You can also update the AppType category to add a value of your choice. For information about categories and their values, see Category Management in the Prism Central Guide .
    4. If you want to filter the VMs by an additional category, select Filter the app type by category , and then enter the name of the category in the text box that is displayed.
      This option enables you to apply the policy to an additional category. For example, if you are configuring a policy for an application in the category AppType: Exchange , this option enables you to further restrict the policy to specific locations (such as Location: US and Location: EU ) or environments (such as Environment: Production , Environment: Development , and Environment: Test ).
    5. Optionally, in the Advanced Configuration section, select the Allow radio button to allow IPv6 traffic. By default, the policy rules apply to IPv4 traffic only and all IPv6 traffic is blocked.
      Note: If you choose to block IPv6 traffic, the IPv6 traffic remains blocked even in the monitoring mode.
    6. Optionally, click the toggle button against Policy Hit Logs to log traffic flow hits on the policy rules.
      You can configure syslog monitoring for the policy hit logs for Flow. For details, see Configuring Syslog Monitoring in the Prism Central Guide .
      Note: Policy hit logs are not generated if both the source and the destination are in the inbound or outbound category.
  3. In the Securing an App dialog box, review the schematic that illustrates the flow of traffic through a secured app, and then click OK, Got it!
    The Secure Application tab is displayed. The schematic on this tab can be divided into three areas of configuration: the Inbound side, (for adding traffic source allowlist), the application at the center (for configuring inbound, outbound, and tier-to-tier rules), and the Outbound side (for adding traffic destination allowlist).
    Figure. Secure Application Tab Click to enlarge
  4. On the Secure Application tab, do the following, and then click Next :
    1. On the application at the center of the tab, do the following in the indicated fields:
      • If you want to divide the application into tiers (such as a web tier, an application tier, and a database tier) and configure tier-to-tier rules, first configure the application as described in this step, and then configure inbound and outbound rules. This approach ensures that the individual tiers are available when you want to configure inbound and outbound rules at the tier level. Skip this step if you want to treat the application as a single entity in the security policy.

        To divide your application into tiers and create tier-to-tier rules, do the following:

        1. On the application, click Set Rules on App Tiers, Instead .
          Note: After you click Set Rules on App Tiers, Instead , the link text, Set rules on the whole app, instead , is displayed in its place. Click Set rules on the whole app, instead if you want to discard the tiered configuration and return to configuring rules on the application as a whole.
        2. Click Add Tier , and then select a tier.

          Repeat this step to add as many tiers as you require. The following figure shows an application with a web tier, an application tier, and a database tier:

          Figure. Tiered Application Click to enlarge
        3. To delete a tier, pause over the tier you want to delete and click the delete button that is displayed.
        4. Click Set Rules Within App .
          Note: When configuring tier-to-tier rules, two modes are made available to you through the buttons Set Rules to & from App and Set Rules Within App . The Set Rules to & from App option enables you to add application tiers and to specify allowed inbound and outbound traffic. The Set Rules Within App option enables you to specify tier-to-tier rules within the application. These buttons enable you to switch between the two modes.
        5. Click each tier in the application and click Yes or No to specify whether or not you want to allow the VMs in the tier to communicate with each other.
        6. Configure a tier-to-tier rule as follows:
          1. Click the source tier (for example, if the tiers are WebTier and AppTier and you want to configure a tier-to-tier rule from WebTier to AppTier, click the source tier, WebTier).
          2. Click the plus sign that is displayed on the destination tier (in this example, click the destination tier, AppTier). The Create Tier to Tier Rule dialog box
          3. Enter a description for the rule.
            Note: The policy rule description is captured in the policy hitlog data.
            • Policy hitlog must be enabled
            • Rule description is added to the hitlog only for allowed traffic
          4. In Service Details , click Allow all traffic to allow all types of traffic or click Select a service to choose any default or custom service.
          5. Click Save .

          Configure tier-to-tier rules for as many source and destination tiers as you want.

    2. To add traffic sources, on the Inbound side of the Secure Application tab, do the following:
      • From the drop-down list, select one of the following options:
        • Allow All : Allows traffic from all sources.
        • Whitelist Only : Allows traffic only if the traffic originates from entities on the security policy's source allowlist. This option is the default option. If this option is selected, you must also configure the source allowlist by clicking Add Source .
      • Click Add Source , and then do the following:
        1. Select one of the following options from the drop-down list:
          • Category : Allows traffic only if that traffic originates from entities that are in the selected category.
          • Subnet/IP : Allows traffic only if that traffic originates from entities that are in the selected subnet.
          • Addresses : Allows traffic only if the traffic originates from the entities that are in the selected address.
        2. Enter the value (category name or subnet) in the text box, and then click Add .

          When entering the name of a category, a list of matching names is displayed, and you can select the name you want to specify. The subnet mask must be specified in the CIDR format.

        3. To add another category or subnet, click Add Source . Add as many categories or subnets as you want to allow.

        Each entry in this list represents a stream of inbound traffic.

    3. To add traffic destinations, on the Outbound side, do the following:
      • From the drop-down list, select one of the following options:
        • Allow All : Allows traffic to all destinations. This option is the default option.
        • Whitelist Only : Allows traffic only if the traffic is destined for entities on the security policy's destination allowlist. If this option is selected, you must also configure the destination allowlist by clicking Add Destination .
      • Click Add Destination , and then do the following:
        1. Select one of the following options from the drop-down list:
          • Category : Allows traffic only if that traffic is destined for entities in the selected category.
          • Subnet/IP : Allows traffic only if that traffic is destined for entities in the selected subnet.
          • Addresses : Allows traffic only if the traffic is destined for the entities at the selected address.
        2. Enter the value (category name or subnet) in the text box, and then click Add .

          When entering the name of a category, a list of matching names is displayed, and you can select the name you want to specify. The subnet mask must be specified in the CIDR format.

        3. To add another category or subnet, click Add Destination . Add as many categories or subnets as you want to allow.

        Each entry in this list represents a stream of outbound traffic.

      • To specify the protocols that you want to allow from each stream of inbound and outbound traffic, do the following:
        1. If you added application tiers and configured tier-to-tier rules, first click Set Rules to & from App .
        2. Click the traffic source or traffic destination (a category or subnet if you have configured an allowlist, or All Sources if you have chosen to allow all sources) for which you want to create a rule.
        3. Click the plus icon that appears on the application (if you are treating the application as a single entity) or application tier (if you have divided the application into tiers). The Create Inbound Rule or Create Outbound Rule dialog box appears.
        4. Enter a description for the rule.
        5. In Service Details , click Allow all traffic to allow all types of traffic or click Select a service to choose any default or custom service.
        6. Click Save .
    After you configure a rule, a dotted line appears between the two endpoints of the rule. Point to the dotted line to show the list of ports that the rule allows.
  5. On the Review tab, review the security policy configuration, and then do one of the following:
    • If you want to apply the configuration, click Apply Now .

      Applying a security policy enforces the security policy on the application, and traffic from entities that are not defined as sources in the policy is blocked.

    • If you want to save the configuration and monitor how the security policy works, click Save and Monitor .

      When a policy is in the monitoring state, the application continues to receive all traffic, but disallowed traffic is highlighted on the monitoring page. Traffic is not blocked until the policy is enforced.

      Note: A policy that you have chosen to save and monitor can be applied from the policy update page.

Modifying an Application Security Policy

About this task

To modify a security policy, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the policy that you want to modify, click Actions , and then click Update .
  2. Make the changes you want and then apply or save and monitor the policy.
    The update options are the same as those for creating a policy. For information about the options, see Creating an Application Security Policy.

Applying an Application Security Policy

Applying a security policy enforces the security policy on the application, and any traffic from sources that are not allowed is blocked.

About this task

To apply a security policy, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the policy that you want to apply, click Actions , and then click Apply .
  2. Confirm by typing Apply in the dialog box, and then click OK .

Monitoring an Application Security Policy (Visualizing Network Flows)

About this task

When a policy is in the monitoring state, the application continues to receive all traffic, but disallowed traffic is highlighted on the monitoring page. Traffic is not blocked until the policy is applied.

To monitor a security policy, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the policy that you want to monitor, click Actions , and then click Monitor .
  2. Confirm by typing Monitor in the dialog box, and then click OK .
    Allowed network flows and disallowed network flows are shown on the monitoring page, as shown in the following figure. Allowed flows are depicted with a blue dotted line and disallowed network flows are depicted with a red dotted line:
    Figure. Monitoring Page for an Application Security Policy

  3. To show a preview of the network flow in a tooltip, pause over the dotted line that depicts the network flow in the diagram.
    A tooltip similar to the following is displayed. The tooltip shows a graph for each connection:
    Figure. Tooltip Showing a Preview of the Network Flow

  4. To see a graph of a network flow, click the dotted line that depicts the network flow in the visualization.
    A more detailed graph of the network flows is displayed, as shown in the following figure:
    Figure. Network Flows Graph

  5. To block unwanted flows, click Update , and then update the policy. For information about updating an application security policy, see Modifying an Application Security Policy.
  6. To apply the policy, click Apply .
    Applying a policy enforces the policy and traffic from sources that are not allowed is blocked.

Deleting an Application Security Policy

About this task

To delete an application security policy, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the policy that you want to delete.
    You can select multiple policies and delete them all at once.
  2. Click Delete in the Actions menu.

Isolation Environment Policy Configuration

An isolation environment identifies two groups of VMs by category, and it blocks communications between the groups.

You can also specify an additional category to restrict the scope of the isolation environment to that category.

For example, consider that you have an application category with values app1 and app2 and that you have associated some VMs with application: app1 and some VMs with application: app2 . Also, consider that these same VMs are distributed between two sites, and have accordingly been associated with values site1 and site2 in a category named location ( location: site1 and location: site2 ).

In this example, you might want to block communications between the VMs in the two locations. Additionally, you might want to restrict the scope of the policy to VMs in category application: app1 . In other words, app1 VMs in site1 cannot communicate with app1 VMs in site2 . The following diagram illustrates the desired outcome. The red connectors illustrate blocked traffic. The green connectors illustrate allowed traffic.

Figure. Applications Across Sites

You can configure an isolation policy for this by creating the following categories and isolation policy in Prism Central:

Table 1. Sample Configurations For Categories and the Isolation Policy
Categories:
  • Name : application
  • Values : app1 and app2
  • Name : location
  • Values : site1 and site2
Isolation Policy:
  • Name : eng_isolation_policy_across_sites
  • Description : Isolate engineering VMs across sites
  • Isolate This Category : location: site1
  • From This Category : location: site2
  • Apply the isolation only within a subset of the data center : application: app1

Layer 2 Isolation

Flow supports Layer 2 isolation to enable filtering of the layer 2 packets across all isolated entities. When an isolation policy is applied between two category-based VM groups, all ingress and egress traffic (broadcast, unknown-unicast, and multicast traffic) is dropped at the destination VM group.
Note:
  • If VMs are part of both an isolation policy and the quarantine policy, the quarantine policy takes processing priority over the isolation policy. For example, if VMs with category app1 are isolated from VMs with category app2 by an isolation policy, the traffic between these VM groups is not dropped if the VM groups are also part of a quarantine forensic policy that allows communication between them. In this case, because the quarantine forensic policy matches the VMs and allows the traffic, the isolation policy is not enforced.
  • IPv6 traffic between isolated VMs is blocked by default with the introduction of layer 2 isolation.

Creating an Isolation Environment Policy

An isolation environment policy identifies two groups of VMs and blocks communications between the groups. The two groups are identified by category. You can specify an additional category to restrict the scope of the policy to that category.

About this task

To create an isolation environment, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), click Create Security Policy , and then click Isolate Environments .
    The Create Isolation Policy page is displayed.
    Figure. Create Isolation Policy

  2. Do the following in the indicated fields:
    • Name : Enter a name for the isolation policy.
    • Purpose : Describe the purpose of the isolation policy.
    • Isolate this category : Type the name of one of the two categories that you want to isolate from each other.

      Matching names appear in a list as you type. You can click the name of the category you want.

    • From this category : Type the name of other category.
    • Apply the isolation only within a subset of the data center . If you want to restrict the scope of the policy to a specific category of VMs, select this check box, type the name of the category in the text box, and select the category from the list of matches.

      If you isolate VMs in category Environment: Production from VMs in category Environment: Staging , and you restrict the scope of the policy to VMs in the category Environment: Dev , Prism Central applies the isolation policy to the following groups:

      • VMs that are in both Environment: Production and Environment: Dev
      • VMs that are in both Environment: Staging and Environment: Dev .
    • IPv6 Traffic . Optionally, in the Advanced Configuration section, select the Allow radio button to allow IPv6 traffic . The policy rules apply to IPv4 traffic only and all IPv6 traffic is blocked by default.
    • Policy Hit Logs . Optionally, click the toggle button against Policy Hit Logs to log traffic flow hits on the policy rules. You can configure syslog monitoring for the policy hit logs for Flow. For details, see Configuring Syslog Monitoring in the Prism Central Guide .
      Note: Policy hit logs are not generated if both source and destination are in inbound or outbound category.
  3. Do one of the following:
    • Click Apply Now to apply the isolation environment.
    • Click Save and Monitor to save the configuration and place the isolation environment in the monitoring mode.
    You can switch between the monitoring and applied states by selecting the isolation environment on the Security Policies page and clicking the appropriate option in the Actions menu.
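The isolation semantics described above (the Table 1 example with its scope restriction, the monitoring state in which nothing is blocked, and the note under Layer 2 Isolation that a matching quarantine policy takes processing priority over an isolation policy), as an added Python model. This is illustration code, not Nutanix code, and makes no claim about how Flow evaluates policies internally. The VM names, the constructed `tools: forensic` category, and the assumption that a Quarantine: Forensic VM may exchange traffic with any peer that shares an allowlisted category are assumptions for the example:

```python
"""Toy evaluator for the Flow policy semantics described in this section.

Added illustration, not Nutanix code; it makes no claim about Flow's internal
implementation. Modelled statements: an isolation policy blocks traffic between
two category values, optionally only within a scope category; a monitored
(not applied) policy blocks nothing; a quarantine policy that matches a VM
takes processing priority over an isolation policy. Names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Sequence, Tuple

Category = Tuple[str, str]            # (key, value), e.g. ("location", "site1")


@dataclass(frozen=True)
class VM:
    name: str
    categories: FrozenSet[Category]


@dataclass
class IsolationPolicy:
    name: str
    isolate: Category                 # "Isolate this category"
    from_: Category                   # "From this category"
    scope: Optional[Category] = None  # "Apply the isolation only within a subset"
    applied: bool = True              # False = Save and Monitor, nothing is blocked

    def in_scope(self, vm: VM) -> bool:
        return self.scope is None or self.scope in vm.categories

    def blocks(self, src: VM, dst: VM) -> bool:
        """True if this policy drops src -> dst traffic (both directions are isolated)."""
        if not self.applied or not (self.in_scope(src) and self.in_scope(dst)):
            return False
        a, b = self.isolate, self.from_
        return ((a in src.categories and b in dst.categories)
                or (b in src.categories and a in dst.categories))


@dataclass
class QuarantinePolicy:
    """Built-in quarantine: Strict allows no traffic; Forensic allows traffic only
    with peers in an allowlisted category (assumed: one shared category suffices)."""
    forensic_allowlist: FrozenSet[Category] = frozenset()

    def decide(self, src: VM, dst: VM) -> Optional[bool]:
        """Verdict when a quarantined VM is involved, None when the policy does not match."""
        for quarantined, peer in ((src, dst), (dst, src)):
            if ("Quarantine", "Strict") in quarantined.categories:
                return False
            if ("Quarantine", "Forensic") in quarantined.categories:
                return bool(self.forensic_allowlist & peer.categories)
        return None


def allowed(src: VM, dst: VM, quarantine: QuarantinePolicy,
            isolations: Sequence[IsolationPolicy]) -> bool:
    """Quarantine is checked first; isolation applies only if quarantine did not match.
    Application security policies are not modelled here."""
    verdict = quarantine.decide(src, dst)
    if verdict is not None:
        return verdict
    return not any(p.blocks(src, dst) for p in isolations)


def cats(*pairs: Category) -> FrozenSet[Category]:
    return frozenset(pairs)


# Constructed sample VMs mirroring Table 1, plus a quarantined VM and a tools VM.
APP1_SITE1 = VM("app1-s1", cats(("application", "app1"), ("location", "site1")))
APP1_SITE1_B = VM("app1-s1-b", cats(("application", "app1"), ("location", "site1")))
APP1_SITE2 = VM("app1-s2", cats(("application", "app1"), ("location", "site2")))
APP2_SITE1 = VM("app2-s1", cats(("application", "app2"), ("location", "site1")))
APP2_SITE2 = VM("app2-s2", cats(("application", "app2"), ("location", "site2")))
SUSPECT = VM("app1-s1-suspect", cats(("application", "app1"), ("location", "site1"),
                                     ("Quarantine", "Forensic")))
TOOLS = VM("forensics-s2", cats(("application", "app1"), ("location", "site2"),
                                ("tools", "forensic")))

ISOLATION = IsolationPolicy("eng_isolation_policy_across_sites",
                            isolate=("location", "site1"), from_=("location", "site2"),
                            scope=("application", "app1"))
QUARANTINE = QuarantinePolicy(forensic_allowlist=cats(("tools", "forensic")))


def verdicts(applied: bool = True) -> Dict[str, bool]:
    """Evaluate the sample flows with the isolation policy applied or only monitored."""
    policy = IsolationPolicy(ISOLATION.name, ISOLATION.isolate, ISOLATION.from_,
                             ISOLATION.scope, applied=applied)
    flows = {
        "app1 site1 -> app1 site2": (APP1_SITE1, APP1_SITE2),       # isolated pair
        "app1 site1 -> app1 site1": (APP1_SITE1, APP1_SITE1_B),     # same site
        "app2 site1 -> app2 site2": (APP2_SITE1, APP2_SITE2),       # outside the scope
        "quarantined -> forensic tools": (SUSPECT, TOOLS),          # quarantine wins
        "quarantined -> app1 site2": (SUSPECT, APP1_SITE2),         # peer is not a tool
    }
    return {k: allowed(s, d, QUARANTINE, [policy]) for k, (s, d) in flows.items()}
```

Calling `verdicts(True)` shows the app1 VMs blocked across sites while the app2 VMs, which are outside the scope category, still communicate; `verdicts(False)` shows that moving the isolation policy to the monitoring state lifts that block without changing the quarantine verdicts, which is the precedence the Layer 2 Isolation note describes.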

Modifying an Isolation Environment Policy

About this task

To modify an isolation environment, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the isolation policy that you want to modify, click Actions , and then click Update .
  2. Make the changes you want and then apply or save and monitor the policy.
    The update options are the same as those for creating a policy. For information about the options, see Creating an Isolation Environment Policy.

Applying an Isolation Environment Policy

Applying an isolation environment policy enforces the policy on the specified categories, and any traffic between the categories is blocked.

About this task

Note: Changing the state of an isolation environment policy affects the functioning of any conflicting application security policies. For more information, see Priorities Between Policies.

To apply an isolation environment policy, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the policy that you want to apply, click Actions , and then click Apply .
  2. Confirm by typing Apply in the dialog box, and then click OK .

Monitoring an Isolation Environment Policy (Visualizing Network Flows)

About this task

The VMs in the two categories in an isolation environment policy are allowed to communicate with each other when the policy is in the monitoring state. Traffic is blocked only during the time the policy is applied.
Note: Changing the state of an isolation environment policy affects the functioning of any conflicting application security policies. For more information, see Priorities Between Policies.

To monitor a security policy, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the policy that you want to monitor, click Actions , and then click Monitor .
  2. Confirm by typing Monitor in the dialog box, and then click OK .
    The monitoring page shows the flows between the two categories.
  3. To view information about a particular network flow, pause over the flow.
    A tooltip similar to the following is displayed:
    Figure. Monitoring Page for an Isolation Environment Policy

Deleting an Isolation Environment Policy

About this task

To delete an isolation environment policy, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the policy that you want to delete.
    You can select multiple policies to delete them all at once.
  2. Click Delete in the Actions menu.

Quarantine Policy Configuration

Prism Central includes a system defined quarantine policy that enables you to perform the following tasks:

  • Completely isolate an infected VM that must not have any traffic associated with it.
  • Isolate an infected VM but specify a set of forensic tools that can communicate with the VM.

For these use cases, Prism Central includes built-in categories that are included in the system defined quarantine policy.

Note: You cannot create a quarantine policy. However, you can modify existing (system defined) quarantine policy.

Prism Central also enables you to monitor the quarantine policy before applying it.

The quarantine policy cannot be deleted.

Configuring the Quarantine Policy

In the built-in quarantine policy, you specify categories that can communicate with VMs that have been added to the Quarantine: Forensics category.

About this task

To configure the quarantine policy, do the following:

Procedure

  1. In the Security Policies dashboard, select Quarantine , and then click Update in the Actions menu.
  2. Optionally, in the Advanced Configuration under the Define Policy tab, do the following:
    1. Select the Allow radio button to allow IPv6 traffic . The policy rules apply to IPv4 traffic only and all IPv6 traffic is blocked by default. You can configure the allow option for both Forensic and Strict modes.
    2. Optionally, click the toggle button against Policy Hit Logs to log traffic flow hits on the policy rules.
      You can configure syslog monitoring for the policy hit logs for Flow. For details, see Configuring Syslog Monitoring in the Prism Central Guide . You can enable the policy hit log option for both Forensic and Strict modes.
      Note: Policy hit logs are not generated if both source and destination are in inbound or outbound category.
  3. On the Add Forensic Tools tab, do the following, and then click Next :
    1. To specify the categories that contain forensic tools, on the Inbound and Outbound sides of the policy diagram, do the following:
      • From the drop-down list, select one of the following options:
        • Allow All : Allows traffic associated with all sources or destinations.
        • Whitelist Only : Allows traffic only if the traffic is associated with the categories and subnets on the allowlist. This option is the default option. If this option is selected, you must also configure the allowlist by clicking Add Source or Add Destination .
      • Click Add Source or Add Destination , and then do the following:
        1. Select one of the following options from the drop-down list:
          • Category : Allows traffic to or from the specified category.
          • Subnet/IP : Allows traffic to or from the specified subnet.
          • Addresses : Allows traffic to or from the entities at the specified address.
        2. Enter the value (category name or subnet) in the text box, and then click Add .

          When entering the name of a category, a list of matching names is displayed, and you can select the name you want to specify. The subnet mask must be specified in the CIDR format.

        3. To add another category or subnet, click Add Source or Add Destination . Add as many categories or subnets as you want to allow.
    2. To specify the protocols and ports over which the forensic tools can communicate with the VMs in the forensic category, do the following:
        1. On the Inbound and Outbound sides of the policy diagram, click a category or subnet (if you have configured an allowlist) or All Sources (if you have chosen to allow all sources) for which you want to create a rule.
        2. Click the plus icon that appears on the Quarantine: Forensic category. The Create Inbound Rule or Create Outbound Rule dialog box appears.
        3. Enter a description for the rule.
          Note: The policy rule description is captured in the policy hitlog data.
          • Policy hitlog must be enabled
          • Rule description is added to the hitlog only for allowed traffic
        4. In Service Details , click Allow all traffic to allow all types of traffic or click Select a service to choose any default or custom service.
        5. Click Save .
    After you configure a rule, a dotted line appears between the two endpoints of the rule. Point to the dotted line to show the list of ports that the rule allows.
  4. On the Review tab, do one of the following:
    • Click Apply Now to apply the quarantine policy.
    • Click Save and Monitor to save the configuration and place the quarantine policy in the monitoring mode.
    You can switch between the monitoring and applied states by selecting Quarantine on the Security Policies page and clicking the appropriate option in the Actions menu.

Quarantining a VM

You quarantine a VM by adding the VM to a quarantine category.

About this task

To add an infected VM to a quarantine category, do the following:

Procedure

  1. In the VMs dashboard List tab (see VMs Summary View in the Prism Central Guide ), select the infected VM, click Actions , and then click Quarantine VMs .
  2. Under Quarantine Method, click one of the following options:
    • Strict. Isolates the VM from all traffic. No exceptions can be made for forensics.
    • Forensic. Isolates the VM from all traffic except traffic from categories specified in the built-in quarantine policy. The allowed categories contain forensic tools that enable you to perform forensics on the VM.
    For VMs added to the strict quarantine, a red icon is displayed in the name column.
  3. Click Quarantine .

Removing a VM from the Quarantine

About this task

To remove a VM from the quarantine, do the following:

Procedure

  1. In the VMs dashboard List tab (see VMs Summary View in the Prism Central Guide ), select the VM that you want to remove from the quarantine, click Actions , and then click Unquarantine VMs .
    You can select multiple VMs and remove them from the quarantine in a single step.
  2. In the Unquarantine VMs dialog box, click Unquarantine .

VDI Policy Configuration

The VDI Policy is based on identity-based categorization of the VDI VMs using Active Directory group membership. Configuring VDI policy includes adding an Active Directory domain that is used for the ID firewall ( ID Based Security ) and configuring a service account for the domain.

ID Based Security

ID firewall is an extension to Flow that allows you to write security policies based on users and groups in the Active Directory domain to which your VDI VMs are joined. When using ID firewall, you import groups from Active Directory into Prism Central as categories (under the category key ADGroup) and then write policies around these categories, just as you would for any other category. A new type of policy, the VDI Policy , has been added for this purpose. ID firewall automatically places VDI VMs in the appropriate categories when it detects user logons to VMs hosted on Nutanix infrastructure associated with Prism Central, which allows user- and group-based enforcement of Flow policies.

  • See Configuring Active Directory Domain Services to import user groups for identity-based security policies.
  • See Creating a VDI Policy to create a VDI policy.
  • See Default VDI Policy configuration to define a default VDI policy.
Note:
  • It is recommended to disable credential caching on VDI VMs when using Flow ID Firewall. The Flow ID Firewall detects logons from the logon events on the domain controller. If the VM cannot reach the domain controller, a user can still log on (if credential caching is enabled), but no event is generated on the domain controller, so the ID Firewall cannot detect the logon.
  • To disable credential caching, see Interactive logon: Number of previous logons to cache (in case domain controller is not available) on the Microsoft documentation website.
  • VDI policies assume that a single end user is logged on to each desktop VM at any point in time. If multiple users log on to a single desktop VM at once, the security posture of the VM may change in unpredictable ways. For predictable behavior, ensure that only one user is logged on to a desktop VM at a time.

Creating a VDI Policy

ID firewall integrates Nutanix Flow with Microsoft Active Directory (AD), such that the groups in the AD can be imported into Prism Central as categories. These imported categories can then be used in the VDI policy as target groups, inbound traffic, and outbound traffic. Prism Central automatically places VMs inside the imported AD group categories when user logons are detected on VMs that are part of the Active Directory domain and also present on Nutanix managed clusters, thus applying security policies based on user group membership.

Before you begin

Note:
  • Flow ID firewall is supported only on AHV hosts compatible with AOS version 5.17 and above and Prism Central version 5.17 and above.
  • Flow ID firewall does not detect user logoffs. The policy applied to a VM remains applied until the next user logon on the same VM.
  • VMs with an AppType category assignment do not get categorized by ID Based Security .
  • You can use the Default VDI Policy to apply a default set of rules for the VDI VMs (without the requirement of user logons).
  • Since a VM user can be a member of multiple ADGroups that are mapped into Prism Central from Active Directory, when a user logs on, a VM may be placed in multiple ADGroups at once. This is the correct behavior, and the policy applied to the VM will be a union of the respective combination of inbounds and outbounds across all ADGroups the VM is placed into.
  • If not already available, configure an Active Directory domain that is used for ID firewall, see Configuring Active Directory Domain Services.
  • Configure a service account with required configuration for the Active Directory domain, see Configure Service Account for ID Firewall.

About this task

To secure a VDI environment, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), click Create Security Policy . Select Secure VDI Groups (VDI Policy) and click Create .
    You can create only one VDI policy for securing applications through ID Firewall.
    The Define Policy page is displayed.
  2. On the Define Policy tab, do the following in the indicated fields, and then click Next :
    1. The Policy Name and Purpose fields are auto-populated.
    2. Select either Include all VMs or Include VMs by name as the VDI VM Filter .

    You can use the VDI VM Filter for the following scenarios.

    • Include VMs by name - Select Include VMs by name and enter the matching criteria in the VM Name Contains field. Select the Assign matching VMs to an optional default category (ADGroup:Default) check box to apply a default posture to the VMs; see Default VDI Policy for details. Optionally, select the Keep the default category upon user logon check box to preserve the default category even after user logon.
      Note:
      • ADGroup categories are assigned only to VMs that match the filter criteria; otherwise, ADGroup categories apply to all VMs on which a logon is detected.
      • VMs with an AppType category assigned are never categorized with an ADGroup.
      • When you update the VDI policy, if the inclusion criteria are changed so that previously included VMs (which were logged on and categorized) are excluded and then re-included, the previous categories are not re-applied; consequently, a new logon must occur on the VM for categories to apply.
    • Include all VMs - Select Include all VMs to include all the VMs in the AD group in the policy. Note that non-VDI VMs will also be included in the policy if Include all VMs option is selected.
    3. Optionally, in the Advanced Configuration section, select the Allow option to allow IPv6 traffic . The policy rules apply to IPv4 traffic only and all IPv6 traffic is blocked by default.
      Note: If you choose to block IPv6 traffic, the IPv6 traffic remains blocked even in the monitoring mode.
    4. Optionally, turn on the Policy Hit Logs option to log traffic flow hits on the policy rules.
      You can configure syslog monitoring for the policy hit logs for Flow. For details, see Configuring Syslog Monitoring in the Prism Central Guide .
      Note: Policy hit logs are not generated if both source and destination are in inbound or outbound category.
  3. In the Secure AD Groups tab, do the following in the indicated fields and click Next .
    1. For Inbound Traffic , click + Add Source and enter the category or subnets that the VDI group can receive the traffic from, as the source.
    2. For each VDI ADGroup , click +Add AD Group to select the AD groups (categorized VDI VMs) that you want to secure. You can click Import all AD Groups to add all imported ADGroup categories to the VDI policy.
    3. For Outbound Traffic , click + Add Destination and enter the category or subnets that the VDI group can send the traffic to, as the destination.
      Note: If you have not used the default VDI option in Step 2b , ensure that you add all of your Active Directory domain controllers as part of this step, using either categories or subnets, for each ADGroup.
    Figure. Secure AD Groups Tab
  4. Do one of the following:
    • Click Apply Now to apply the VDI Policy.
    • Click Save and Monitor to save the configuration.
    You can switch between the monitoring and applied states by selecting the VDI policy on the Security Policies page and clicking the appropriate option in the Actions menu.

Default VDI Policy

The Default VDI policy feature allows you to apply a default set of rules as defined by the desktop administrator for VDI VMs and users. There are two primary use cases for Default VDI Policy ( ADGroup:Default ).

  • To ensure that a VDI VM is secure even before a user logs on to the VDI VM.
  • To enable access to common network resources without the need to add the resources to every tier of a VDI policy.

You can define a default VDI policy at the time of creating a new VDI policy, or by updating any existing VDI policy. See Step 2b of the VDI Policy Configuration topic for details.
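The categorization rules stated in Creating a VDI Policy and Default VDI Policy (imported ADGroup categories, the VM name filter, the AppType exclusion, the ADGroup:Default posture with or without "Keep the default category upon user logon", and the union of inbounds and outbounds across every ADGroup a VM lands in), as an added Python model. This is illustration code, not Nutanix code, and makes no claim about how Prism Central implements ID Based Security. One assumption is not stated on the page: that a new logon replaces the ADGroup categories left by the previous logon (since logoffs are not detected). The group, user and VM names and the sample rules are constructed:

```python
"""Toy model of the ID Firewall categorization rules described in this section.

Added illustration, not Nutanix code; it makes no claim about how Prism Central
implements ID Based Security. Assumption not stated on the page: a new logon
replaces the ADGroup categories left by the previous logon (logoffs are not
detected). Group, user and VM names are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Rule = Tuple[Set[str], Set[str]]   # (inbound sources, outbound destinations)


@dataclass
class VdiVmFilter:
    include_all: bool = False
    name_contains: Optional[str] = None      # "VM Name Contains" criterion
    assign_default: bool = False             # ADGroup:Default for matching VMs
    keep_default_on_logon: bool = False      # "Keep the default category upon user logon"

    def matches(self, vm_name: str) -> bool:
        if self.include_all:
            return True                      # non-VDI VMs are included as well
        return bool(self.name_contains) and self.name_contains in vm_name


@dataclass
class VdiVM:
    name: str
    app_type: Optional[str] = None           # AppType category value, if any
    ad_groups: Set[str] = field(default_factory=set)  # ADGroup category values


@dataclass
class IdFirewall:
    vm_filter: VdiVmFilter
    imported_groups: Set[str]                # AD security groups imported as ADGroup:<name>
    memberships: Dict[str, Set[str]]         # user -> AD security groups
    rules: Dict[str, Rule]                   # ADGroup value -> (inbound, outbound)

    def categorizable(self, vm: VdiVM) -> bool:
        # VMs with an AppType category are never categorized; the name filter must match.
        return vm.app_type is None and self.vm_filter.matches(vm.name)

    def apply_default(self, vm: VdiVM) -> None:
        """Posture before any user logon: ADGroup:Default, if configured."""
        if self.categorizable(vm) and self.vm_filter.assign_default:
            vm.ad_groups.add("Default")

    def on_logon(self, vm: VdiVM, user: str) -> Set[str]:
        """Handle a domain-controller logon event for `user` on `vm`."""
        if not self.categorizable(vm):
            return set(vm.ad_groups)
        # only groups imported into Prism Central exist as ADGroup categories
        groups = self.memberships.get(user, set()) & self.imported_groups
        keep_default = self.vm_filter.keep_default_on_logon and "Default" in vm.ad_groups
        vm.ad_groups = set(groups)           # assumption: replaces the previous logon's set
        if keep_default:
            vm.ad_groups.add("Default")
        return set(vm.ad_groups)

    def effective_policy(self, vm: VdiVM) -> Rule:
        """Union of inbounds and outbounds across every ADGroup the VM is in."""
        inbound: Set[str] = set()
        outbound: Set[str] = set()
        for group in vm.ad_groups:
            src, dst = self.rules.get(group, (set(), set()))
            inbound |= src
            outbound |= dst
        return inbound, outbound


def sample_firewall() -> IdFirewall:
    """Constructed configuration: a name filter with a retained default category."""
    return IdFirewall(
        vm_filter=VdiVmFilter(name_contains="vdi-", assign_default=True,
                              keep_default_on_logon=True),
        imported_groups={"Finance", "Engineering"},          # AllStaff is not imported
        memberships={"alice": {"Finance", "Engineering", "AllStaff"},
                     "bob": {"AllStaff"}},
        rules={"Default": ({"Subnet/IP:10.0.0.0/24"}, {"Category:DomainControllers"}),
               "Finance": (set(), {"Category:ERP"}),
               "Engineering": ({"Category:Jenkins"}, {"Category:GitServer"})},
    )


def walk_through() -> Dict[str, Set[str]]:
    """Categorize three sample VMs before and after alice logs on to each."""
    fw = sample_firewall()
    vdi = VdiVM("vdi-101")                              # matches the filter
    app_vm = VdiVM("vdi-102", app_type="WebServer")     # AppType: never categorized
    other = VdiVM("db-01")                              # fails the name filter
    for vm in (vdi, app_vm, other):
        fw.apply_default(vm)
        fw.on_logon(vm, "alice")
    return {vm.name: set(vm.ad_groups) for vm in (vdi, app_vm, other)}
```

`walk_through()` leaves `vdi-101` in `Finance`, `Engineering` and the retained `Default` category, while the AppType VM and the VM that misses the name filter get no ADGroup at all; `effective_policy` on `vdi-101` then returns the union of the three groups' inbound and outbound entries, which is why the Default group is a convenient place for resources such as domain controllers that every ADGroup needs.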

Configuring Active Directory Domain Services

Active Directory Domain Services configuration is used to import user groups for identity based security policies.

Before you begin

  • Microsegmentation must be enabled to be able to use the ID Firewall feature. For more information, see Enabling Microsegmentation.
  • You must allow WMI access from Prism Central to all the Active Directory Domain Controllers in your network firewall and Active Directory firewall.
  • Active Directory Requirements:
    • Minimum supported domain functional level in Active Directory is Windows Server 2008 R2.
    • ID Firewall checks the membership of Security Groups only, Distribution Groups are not supported.
    • NTP must be configured on Active Directory and Prism Central.
    • DNS must be configured on Prism Central if you want to use host name for domain controllers.

About this task

To configure an Active Directory domain, do the following.

Procedure

  1. Log on to the Prism Central web console.
  2. Click the collapse menu ("hamburger") button on the left of the main menu and then select Prism Central Settings to display the Settings page.
  3. Click ID Based Security from the Settings menu (on the left).
    The ID Based Security page is displayed. This page allows you to Add New Domain or use an Existing AD .
  4. If you select Use Existing AD in step 3, do the following in the indicated fields:
    1. Click the Manually Add Domain Controller button, then click + Domain Controller .
    2. Enter the IP Address or Host Name of the domain controllers that you want to monitor for user logon events. You must manually add all the domain controllers associated with your Active Directory.

      Click + and add each domain controller individually, then click the blue check mark icon to save.

      Note: DNS must be configured on Prism Central for the host name option to work.
  5. If you select Add New Domain in step 3, a set of fields is displayed. Do the following in the indicated fields:
    1. Name : Enter a directory name.

      This is a name you choose to identify this entry; it need not be the name of an actual directory.

    2. Domain : Enter the domain name.

      Enter the domain name in DNS format, for example, nutanix.com .

    3. Directory URL : Enter the LDAP address of the directory, including the port number.
    4. Service Account Username : Enter, in the user_name@domain.com format, the service account user name that Prism Central uses to detect logons and to query user and group information from Active Directory.
      Caution: As a security best practice, do not use the Domain Admin account as the service account. Create a new domain user and grant it only the required permissions, as described in Configure Service Account for ID Firewall.

      A service account is a special user account that an application or service uses to interact with the Active Directory. Enter your Active Directory service account credentials in this (username) and the following (password) field.

      Note: Ensure that you update the service account credentials here whenever the service account password changes or when a different service account is used.
    5. Service Account Password : Enter the service account password.
    6. When all the fields are correct, click the Save button (lower right).

      ID Firewall uses the service account for ID based security with additional requirements, see Configure Service Account for ID Firewall.

    Once saved, the Referenced AD Groups section is displayed. You can add a new user group by clicking + Add User Group and edit the auto-generated Category Value . After the Active Directory configuration is complete, you can create the VDI policy; see Creating a VDI Policy.
  6. Select Add Inclusion Criteria under Manage the VM Inclusion Criteria to specify which VMs are assigned to AD Group categories upon user logon based on VM name.
    Note: It is recommended that you add inclusion criteria wherever possible to prevent unintended categorizations.
    Note: The VMs with AppType category assigned cannot be categorized by ID Based Security.

Configure Service Account for ID Firewall

The Active Directory service account configured in Prism Central is used for connectivity with Active Directory Domain Services. ID Firewall uses the same service account for ID based security.

To configure a service account for ID firewall, do the following.

  1. Create a new user in the Active Directory.
  2. Add the user to the Distributed COM Users and Event Log Readers domain groups.
  3. Start the dcomcnfg.exe utility and go to Component Services > Computers > My Computer > DCOM Config .
  4. Right-click on Windows Management and Instrumentation and select Properties from the menu.
  5. Switch to the Security tab, select the Customize option in the Access Permissions section, and then click Edit .
  6. Add the user and grant Local Access and Remote Access permissions to the user. Click OK to confirm changes.
  7. Run the WMIMGMT.msc command to start the Windows Management Instrumentation snap-in.
  8. Right-click on WMI control (local) and select Properties from the menu.
  9. Switch to the Security tab and expand the Root tree.
  10. Select CIMV2 in the expanded tree and click Security .
  11. Go to Advanced > Add > Principal and enter the user name.
  12. Change scope by selecting This namespace and subnamespaces in the Applies to drop-down menu.
  13. Select the check boxes to grant the Enable Account and Remote Enable permissions. Click OK to confirm changes.
  14. Restart the winmgmt service.
    C:\> net stop winmgmt 
    C:\> net start winmgmt

    Alternatively, reboot the domain controller.

  15. Repeat step 3 to step 14 on every domain controller.
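The following script is an added verification aid and is not part of the Nutanix guide. It checks a service account against the procedure above: group membership (step 2), that the account is not a Domain Admin (the caution in the domain configuration steps), the Enable Account and Remote Enable grants on root\cimv2 with the subnamespace scope (steps 9 to 13), and that winmgmt is running (step 14) on every domain controller (step 15). It assumes an elevated Windows PowerShell session on a domain-joined host with the ActiveDirectory RSAT module; the account name, the domain controller names and the WMI access-mask bit values used for the check are the script's own assumptions, not values from the guide.

```powershell
# Added example, not part of the Nutanix guide: verifies an ID Firewall service
# account against the configuration steps above. The account name and the domain
# controller names are placeholders; replace them with your own.
param(
    [string]$ServiceAccount = 'svc-idfw',                                      # placeholder sAMAccountName
    [string[]]$DomainControllers = @('dc01.example.com', 'dc02.example.com')   # placeholder DC host names
)

Import-Module ActiveDirectory -ErrorAction Stop

# WMI namespace access-mask bits and ACE fields as shown in the WMI Control snap-in
# (assumed standard WBEM values, not taken from the guide).
$WBEM_ENABLE        = 0x1    # "Enable Account"
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable"
$CONTAINER_INHERIT  = 0x2    # AceFlags bit set by "This namespace and subnamespaces"
$ACE_ALLOW          = 0      # AceType of an access-allowed ACE
$ACE_DENY           = 1      # AceType of an access-denied ACE

$user     = Get-ADUser -Identity $ServiceAccount -ErrorAction Stop
$sid      = $user.SID.Value
$findings = New-Object System.Collections.Generic.List[string]

# Returns the SIDs of all (nested) members of a domain group.
function Get-GroupMemberSids([string]$Group) {
    @(Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop | ForEach-Object { $_.SID.Value })
}

# Step 2: the account must be a member of both groups.
foreach ($group in 'Distributed COM Users', 'Event Log Readers') {
    if ((Get-GroupMemberSids $group) -notcontains $sid) {
        $findings.Add("'$ServiceAccount' is not a member of '$group'")
    }
}

# Least privilege: the guide says never to use a Domain Admin account for this role.
if ((Get-GroupMemberSids 'Domain Admins') -contains $sid) {
    $findings.Add("'$ServiceAccount' is a member of 'Domain Admins'; use a dedicated low-privilege account")
}

# Steps 7 to 14, repeated on every domain controller (step 15): read the root\cimv2
# namespace DACL and confirm the WMI service is running.
foreach ($dc in $DomainControllers) {
    try {
        $sd = (Invoke-CimMethod -ComputerName $dc -Namespace 'root/cimv2' -ClassName '__SystemSecurity' `
                -MethodName 'GetSecurityDescriptor' -ErrorAction Stop).Descriptor
    } catch {
        $findings.Add("${dc}: cannot read the root\cimv2 security descriptor ($($_.Exception.Message))")
        continue
    }

    $aces      = @($sd.DACL | Where-Object { $_.Trustee.SIDString -eq $sid })
    $allowMask = 0
    $inherits  = $false
    foreach ($ace in $aces) {
        if ($ace.AceType -eq $ACE_DENY) {
            $findings.Add("${dc}: an explicit deny ACE for '$ServiceAccount' exists on root\cimv2")
        } elseif ($ace.AceType -eq $ACE_ALLOW) {
            $allowMask = $allowMask -bor $ace.AccessMask
            if ($ace.AceFlags -band $CONTAINER_INHERIT) { $inherits = $true }
        }
    }
    if (($allowMask -band $WBEM_ENABLE) -eq 0)        { $findings.Add("${dc}: 'Enable Account' is not granted on root\cimv2") }
    if (($allowMask -band $WBEM_REMOTE_ACCESS) -eq 0) { $findings.Add("${dc}: 'Remote Enable' is not granted on root\cimv2") }
    if ($allowMask -ne 0 -and -not $inherits) {
        $findings.Add("${dc}: the grant does not apply to subnamespaces (step 12)")
    }

    # Step 14: winmgmt must be running after the restart.
    $svc = Get-CimInstance -ComputerName $dc -ClassName Win32_Service -Filter "Name='winmgmt'" -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.State -ne 'Running') {
        $findings.Add("${dc}: the winmgmt service is not running")
    }
}

if ($findings.Count -eq 0) {
    Write-Host "All checks passed for '$ServiceAccount' on $($DomainControllers -join ', ')."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The script reports each missing grant rather than stopping at the first one, so a single run lists everything still to fix on each domain controller. It does not inspect the DCOM application permissions from steps 3 to 6; those must still be confirmed in dcomcnfg.exe, and a failed Invoke-CimMethod call from the administrator's own session usually points at a DCOM or firewall problem rather than at the service account.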

Modifying the VDI Policy

About this task

To modify the VDI policy, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the policy that you want to modify, click Actions , and then click Update .
  2. Make the changes you want and then apply or save and monitor the policy.
    The update options are the same as those for creating a policy. For information about the options, see Creating a VDI Policy.

Applying the VDI Policy

Applying the VDI policy enforces the policy on the specified categories (VDI AD groups), and any traffic between the categories is blocked.

About this task

To apply the VDI policy, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the policy that you want to apply, click Actions , and then click Apply .
  2. Confirm by typing Apply in the dialog box, and then click OK .

Monitoring the VDI Policy

About this task

The VMs in VDI AD Groups in the VDI policy are allowed to communicate with each other when the policy is in the monitoring state. Traffic is blocked only during the time the policy is applied.

To monitor a security policy, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the policy that you want to monitor, click Actions , and then click Monitor .
  2. Confirm by typing Monitor in the dialog box, and then click OK .

Deleting the VDI Policy

About this task

To delete the VDI policy, do the following:

Procedure

  1. In the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ), select the VDI policy.
  2. Click Delete in the Actions menu.

Applying Filtering and Grouping to a Security Policy

You can apply different types of filters to view results based on properties like source, destination, category, ports, and more. You can also group related rule attributes together for easier visualization of connection flows. Grouping and filtering work together to provide an intuitive view of the security policy.

About this task

To apply filtering and grouping to a security policy, do the following.

Procedure

  1. Log on to the Prism Central web console.
  2. Click the collapse menu ("hamburger") button on the left of the main menu and go to Policies > Security . The Policies page is displayed.
  3. Click any policy to view the inbound, application, and outbound configuration.
  4. To view specific rule properties, do one of the following.
    • In the Search box, search for the required string using the default All filter.
    • Click the filter drop-down menu to search the policy based on any of the following filter types.
      • Category: search category name and value
      • Address: search address and subnet IP address
      • Subnet IP: search subnet IP address
      • Service: search service name
      • Rule Description: search rule description
      • Ports (TCP/UDP): search TCP/UDP ports and services
      • ICMP: search ICMP ports and services
    Figure. Filtering Policies
  5. To group related rule entities together, click the group icon.
    The group option organizes related rule attributes like subnet IP, categories, and service in distinct boxes. Also, the connection flows for all the entities in a group are displayed as a single connection flow. To view all the entities belonging to a group, click the down-arrow icon to expand the group.
    Figure. Filtering Policies

Exporting and Importing Security Policies

Prism Central allows you to export and import security policies for the following security administration aspects.

  • Keep a snapshot of a working security configuration so that the system can be restored to the desired state when needed.
  • Ability to apply security policies as templates. This scenario is useful in ROBO environments (disaster recovery deployments) where the datacenters are being managed by multiple Prism Central instances.

Exporting Security Policies

To export or import security policies, do the following in the Security Policies dashboard (see Security Policies Summary View in the Prism Central Guide ).
Note: For VDI policy, the inclusion criteria and default VDI category settings are not included in the export process. You must set these manually after an import if required.
  • Click the Export & Import drop down menu.
  • To export the security policies, select Export Security Policy . The security policies binary file is downloaded.
  • To import any previously exported security policies binary file, select Import Security Policy , then click Browse to select the binary file. Click Import . The security policies are imported.
    Note: Existing policies are overridden with new policies. Policies that are not part of this import are deleted.
Flow Networking Guide

Flow Virtual Networking pc.2022.4

Product Release Date: 2022-05-16

Last updated: 2022-12-09

Purpose

This Flow Networking Guide describes how to enable and deploy Nutanix Flow Networking on Prism Central.

Upgrading from EA Versions

If you have enabled the early access (EA) version of Flow Networking, disable it before upgrading the Prism Central and enabling the general availability (GA) version of Flow Networking.

Related Documentation

Links to Nutanix Support Portal software and documentation.

The Nutanix Support Portal provides software download pages, documentation, compatibility, and other information.

Documentation and description:

  • Release Notes | Flow Networking: Flow Networking Release Notes.
  • Port Reference: See this page for details of ports that must be open in the firewalls to enable Flow Virtual Networking to function.
  • Nutanix Security Guide: Prism Element and Prism Central security, cluster hardening, and authentication.
  • AOS guides and release notes: Covers AOS Administration, Hyper-V Administration for Acropolis, Command Reference, Powershell Cmdlets Reference, AOS Family Release Notes, and AOS release-specific Release Notes.
  • Acropolis Upgrade Guide: How to upgrade core and other Nutanix software.
  • AHV guides and release notes: Administration and release information about AHV.
  • Prism Central and Web Console guides and release notes: Administration and release information about Prism Central and Prism Element.

Flow Networking Overview

Enabled and administered from Prism Central, Flow Networking powers network virtualization to offer a seamless network experience with enhanced security. It is disabled by default.

To enable and use Flow Networking, ensure that you log on to Prism Central as a local account user with Prism Admin role. If you log on to Prism Central as a non-local account (IDP-based) user or without Prism Admin role privileges, then Prism Central does not allow you to enable or use Flow Networking. The task is reported as Failed with a User Denied Access message.

Note:

Nutanix software uses a number of ports and protocols, some of which must be open in the firewalls for Flow Networking to function. To see the ports and protocols used by Flow Networking, see Port Reference.

Flow Networking is a software-defined network virtualization solution providing overlay capabilities for on-prem AHV clusters. It integrates tools to deploy networking features like Virtual Private Cloud (VPC) and Virtual Private Network (VPN) to support flexible app-driven networking that focuses on VMs and applications instead of virtual LANs and network addresses.

After you enable it on Prism Central, Flow Networking delivers the following.

  • A simplified, Prism Central-based workflow that deploys the application-driven network virtualization feature.
  • A secure multi-tenancy solution allowing per-tenant isolation using VPC-based network segmentation and namespace isolation.
  • A secure VPN-based connectivity solution for multiple sites, with automated VPN bundle upgrades.
  • NAT-based secure egress to external networks, with IP address retention and policy-based routing.
  • Self-serve networking services using REST APIs.
  • Enhanced networking features for more effective disaster recovery.
    Note: You can enable network segmentation on a Layer 2 extended virtual subnet that does not have a gateway. For more information about Layer 2 subnet extensions, see Layer 2 Virtual Network Extension. For information about network segmentation of an extended layer 2 subnet, see Segmenting a Stretched L2 Network for Disaster Recovery in the Securing Traffic through Network Segmentation section of the Security Guide .

Deployment Workflow

You can enable Flow Networking using a simple Prism Central driven workflow, which installs the network controller. The network controller is a collection of containerized services that run directly on the Prism Central VM(s). The network controller orchestrates all the virtual networking operations.

  • Ensure that microservices infrastructure is enabled in Prism Central Settings > Prism Central Management . See the Prism Central Guide for information about enabling microservices infrastructure.
  • Enable Flow Networking in Prism Central Settings > Advanced Networking . It is disabled by default. See Enabling Flow Networking.

  • You can opt out of Flow Networking by disabling the Advanced Networking option, subject to the prerequisites for disabling advanced networking. See Disabling Flow Networking.

  • You can deploy Flow Networking in a dark site (a site that does not have Internet access) environment. See the Deploying Flow Networking at a Dark Site topic for more information.

  • You can upgrade the Flow Networking controller. Nutanix releases an upgrade for the Flow Networking controller with AOS and Prism Central releases. See Upgrading Flow Networking.

    See the AOS Family Release Notes and Release Notes | Prism Central .

  • Flow Networking allows you to create and manage virtual private clouds (VPCs) and overlay subnets that leverage the underlying physical networks connecting clusters and datacenters. See Virtual Private Cloud.

  • You can upgrade the network gateway version. A network gateway is used to create VPN or VTEP gateways that connect subnets using VPN connections, or Layer 2 subnet extensions over VPN or VTEP.

Flow Networking Architecture

The Flow Networking architecture uses a three-plane approach to simplify network virtualization.

Prism Central provides the management plane, the network controller itself acts as the control plane while the AHV nodes provide the data plane. This architecture provides a strong foundation for Flow Networking. This architecture is depicted in the following chart.

Figure. Flow Networking Architecture diagram

Deployment Scale

Flow Networking supports the following scale:

Entities and scale:

  • Virtual Private Clouds: 500
  • Subnets: 5,000
  • Ports: 50,000
  • Floating IPs: 2,000 per networking controller-enabled Prism Central.
  • Routing Policies: 1,000 per Virtual Private Cloud; 10,000 per networking controller-enabled Prism Central.

Essential Concepts

VPC

A Virtual Private Cloud (VPC) is an independent and isolated IP address space that functions as a logically isolated virtual network. A VPC can be made up of one or more subnets that are connected through a logical or virtual router. IP addresses within a VPC must be unique; however, IP addresses may overlap across VPCs. Because VPCs are provisioned on top of another IP-based infrastructure (the network connecting the AHV nodes), they are often referred to as overlay networks. Tenants can spin up VMs and connect them to one or more subnets within a VPC. A VPC is therefore a virtualized network of resources that is isolated from the rest of the resource pool, and it lets you manage that isolated and secure virtual network with enhanced automation and scaling. The isolation is done using network namespace techniques like IP-based subnets or VLAN-based networking.

VPC Subnets

You can use IP address-based subnets to network virtual machines within a VPC. A VPC may use multiple subnets. VPC subnets use private IP address ranges. IP addresses within a single VPC must be unique; that is, an IP address cannot be repeated inside the same VPC. However, IP addresses can overlap across multiple VPCs. The following figure shows two VPCs named Blue and Green. Each VPC has two subnets, 192.168.1.0/24 and 192.168.2.0/24, that are connected by a logical router. Each subnet has a VM with an IP address assigned. The subnets and VM IP addresses overlap between the two VPCs.

Figure. VPC Subnet (illustration of VPC networks)

Communication between VMs in the same subnet or in different subnets of the same VPC (also called East-West communication) is enabled using Generic Network Virtualization Encapsulation (GENEVE). If a Prism Central instance manages multiple clusters, the VMs that belong to the same VPC can be deployed across different clusters. The virtual switch on the AHV nodes provides distributed virtual switching and distributed virtual routing for all VPCs.

The communication from a VM in a VPC to an endpoint outside the VPC (called external communication or North-South communication) is enabled by an external network connection. Such a connection may be secured using VPN. The following figure shows the logical connectivity of the VPCs to the external network, and subsequently to the Internet.
Note: You must configure the default route (0.0.0.0/0) to the external subnet as the next hop for connectivity outside the cluster (north-south connectivity).
Figure. External Communication