Configure Service Policy
NOTE: This section only applies to NetApp ONTAP version 9.10.1 and higher. For older NetApp ONTAP versions use System Service Firewall Policies instead.
By default, the 'default-data-files' policy is applied to the SVM CIFS/SMB interface, and HTTP/HTTPS options are not available. To make ONTAPI available through HTTP/HTTPS ports on your SVM interface for Netwrix Auditor Server, configure the interface service-policy. Below is an example of the configuration:
-
Navigate to your cluster command prompt through the SSH/Telnet connection.
-
Log in as a cluster administrator and review your current service-policy configuration. Run the following command:
cluster1::> network interface show -vserver svm1 -fields service-policy
Example output:
vserver lif service-policy
svm1 lif_svm1_126 default-data-files
svm1 lif_svm1_349 default-data-files
Where:
svm1 is the name of your SVM.
lif_svm1_126 and lif_svm1_349 are the logical interfaces (LIFs) of svm1.
default-data-files is the service-policy applied to the LIFs.
-
To display the services available through the 'default-data-files' policy, run the following command:
cluster1::> network interface service-policy show -vserver svm1 -policy default-data-files
Example output:
Vserver: svm1
Policy Name: default-data-files
Included Services: data-core, data-cifs, data-fpolicy-client, data-dns-server
Service: Allowed Addresses: data-core: 0.0.0.0/0
data-cifs: 0.0.0.0/0
data-fpolicy-client: 0.0.0.0/0
data-dns-server: 0.0.0.0/0
-
Set the advanced privilege level to be able to create and modify the service-policy. Run the following command:
cluster1::> set -privilege advanced
The command prompt should change to “cluster1::*>”.
-
Clone the existing 'default-data-files' LIF policy so that shares remain available under the new service-policy. Run the following command:
cluster1::*> network interface service-policy clone -vserver svm1 -policy default-data-files -target-policy netwrix-policy -target-vserver svm1
Where 'netwrix-policy' is the name of the new service-policy.
-
Modify the new service-policy by adding the services that provide access over the HTTP/HTTPS protocols. Run the following commands:
cluster1::*> network interface service-policy add-service -vserver svm1 -policy netwrix-policy -service management-http
cluster1::*> network interface service-policy add-service -vserver svm1 -policy netwrix-policy -service management-https
-
Return to the administrator privilege level. Run the following command:
cluster1::*> set -privilege admin
-
Apply a new service-policy to the SVM LIFs. Run the following command:
cluster1::> network interface modify -vserver svm1 -lif lif_svm1_126 -service-policy netwrix-policy
cluster1::> network interface modify -vserver svm1 -lif lif_svm1_349 -service-policy netwrix-policy
NOTE: For better security, specify the allowed IP addresses when adding the service. Double-check that your subnet is configured on the machine where Netwrix Auditor Server resides. Allowed addresses are: 192.168.1.0/24.
-
Check the current interface service-policy using the command from step 2:
cluster1::> network interface show -vserver svm1 -fields service-policy
Example output:
vserver lif service-policy
svm1 lif_svm1_126 netwrix-policy
svm1 lif_svm1_349 netwrix-policy
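To confirm the restriction recommended in the note above, the allowed addresses reported by 'network interface service-policy show' for the new policy can be checked by script. The following Python check is an added example, not Netwrix or NetApp code; the sample output is constructed in the layout shown earlier, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample (not captured from a real cluster): output of
# "network interface service-policy show -vserver svm1 -policy netwrix-policy"
# in the layout shown above, after both management services were added.
SAMPLE_OUTPUT = """\
Vserver: svm1
Policy Name: netwrix-policy
Included Services: data-core, data-cifs, data-fpolicy-client, data-dns-server, management-http, management-https
Service: Allowed Addresses: data-core: 0.0.0.0/0
data-cifs: 0.0.0.0/0
data-fpolicy-client: 0.0.0.0/0
data-dns-server: 0.0.0.0/0
management-http: 0.0.0.0/0
management-https: 192.168.1.0/24
"""

_CIDR = r"[0-9A-Fa-f:.]+/\d+"
# "<service>: <cidr>[, <cidr>...]"; the lookbehind skips header labels.
_ENTRY = re.compile(rf"(?<![\w-])([a-z][a-z0-9-]+):\s+({_CIDR}(?:\s*,\s*{_CIDR})*)")


def parse_allowed_addresses(text):
    """Map each service in the policy to the networks allowed to reach it."""
    return {
        svc: [ipaddress.ip_network(a.strip(), strict=False) for a in addrs.split(",")]
        for svc, addrs in _ENTRY.findall(text)
    }


def exposed_services(text, trusted, services=("management-http", "management-https")):
    """Return {service: [cidr, ...]} for allowed networks outside `trusted`."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    policy = parse_allowed_addresses(text)
    findings = {}
    for svc in services:
        outside = [
            str(net) for net in policy.get(svc, [])
            if not any(net.version == t.version and net.subnet_of(t) for t in trusted_nets)
        ]
        if outside:
            findings[svc] = outside
    return findings


if __name__ == "__main__":
    for svc, nets in exposed_services(SAMPLE_OUTPUT, ["192.168.1.0/24"]).items():
        print(f"{svc}: reachable from {', '.join(nets)}; restrict to the Netwrix Auditor Server subnet")
```

An empty result means every management service in the policy is limited to the trusted subnet; data services such as data-cifs are not checked unless they are passed in `services`.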
Configure System Service Firewall Policies
NOTE: This section applies to NetApp ONTAP 9.10.1 and lower. For ONTAP versions higher than 9.10.1, the system services firewall policy command context is deprecated.
See the NetApp ONTAP 9.10.1 CLI documentation for details.
Configure the firewall to make file shares and Clustered Data ONTAP HTTP/HTTPS ports accessible from the computer where Netwrix Auditor Server is installed. Your firewall configuration depends on the network settings and security policies in your organization. Below is an example of the configuration:
-
Navigate to your cluster command prompt through the SSH/Telnet connection.
-
Log in as a cluster administrator and review your current firewall configuration. For example:
cluster1::> system services firewall show
Node         Enabled      Logging
------------ ------------ -------
cluster1-01  true         false
-
Create a firewall policy or edit an existing policy to allow HTTP/HTTPS. When modifying an existing policy, be aware that some settings may be overwritten.
NetApp Clustered Data ONTAP 8.2
To create a policy, execute:
cluster1::> system services firewall policy create -policy netwrix_policy -service http -vserver svm1 -action allow -ip-list 192.168.1.0/24
cluster1::> system services firewall policy create -policy netwrix_policy -service https -vserver svm1 -action allow -ip-list 192.168.1.0/24
To modify an existing policy, execute:
cluster1::> system services firewall policy modify -policy netwrix_policy -service http -vserver svm1 -action allow -ip-list 192.168.1.0/24
cluster1::> system services firewall policy modify -policy netwrix_policy -service https -vserver svm1 -action allow -ip-list 192.168.1.0/24
NetApp Clustered Data ONTAP 8.3, ONTAP 9.0 - 9.10
To create a policy, execute:
cluster1::> system services firewall policy create -policy netwrix_policy -service http -vserver svm1 -allow-list 192.168.1.0/24
cluster1::> system services firewall policy create -policy netwrix_policy -service https -vserver svm1 -allow-list 192.168.1.0/24
To modify an existing policy, execute:
cluster1::> system services firewall policy modify -policy netwrix_policy -service http -vserver svm1 -allow-list 192.168.1.0/24
cluster1::> system services firewall policy modify -policy netwrix_policy -service https -vserver svm1 -allow-list 192.168.1.0/24
where netwrix_policy is your firewall policy name and 192.168.1.0/24 is your subnet where Netwrix Auditor Server resides.
-
Apply the firewall policy to a LIF.
cluster1::> network interface modify -vserver svm -lif vs1-cifs-lif1 -firewall-policy netwrix_policy
To verify the policy was applied correctly, execute the following:
cluster1::> network interface show -fields firewall-policy