Best Practices for implementing Symantec Protection Engine for Network Attached Storage with a NetApp Filer
Article ID: 152420
Updated On:
Products
Protection Engine for NAS
Issue/Introduction
What are some best practices for implementing Symantec Protection Engine (SPE) for Network Attached Storage (NAS) with a NetApp Filer?
Environment
- SPE-NAS 8.2.x or later installed on Windows 2016 Server or later
- ONTAP 9.2 or later in cluster mode -
see supported device matrix for SPE 9.1.0 or
see supported device matrix for SPE 8.2.2
Resolution
- Ensure the server is a dedicated scanner. It should not have other applications and features installed except those necessary for scanning or required by your organization for security.
- Ensure that the Protection Engine resides on a network containing only the storage system and the Protection Engine as recommended by NetApp.
- Ensure the scanner meets system requirements
- At least 40 GB free on the drive where SPE is installed.
- At least 16 GB of RAM
- At least 4 CPU cores
- If the SPE server is a guest virtual machine (VM), ensure that all resource (RAM, CPU cores, and HD space) are reserved by the hypervisor for exclusive use by the SPE guest VM.
- The "Symantec Protection Engine" Windows service should be configured to run with a service account.
- The account must satisfy the following requirements:
- Be a member of the Backup Operators group on the NetApp filers
- Be a local administrator on the Protection Engine server
- Use the following steps to change the service account:
- Open the Windows Service control panel (services.msc).
- Right click on Symantec Protection Engine and click on Properties.
- On the Log On tab, enter the service account name and password.
- Click the OK button to save the change and close the properties dialog box.
- Restart the Symantec Protection Engine
- The account must satisfy the following requirements:
- Configure SPE to register with the NetApp filer.
- Using XMLModifier:
- Open CMD or PowerShell as Administrator
- Navigate to the SPE installation directory (normally C:\Program Files\Symantec\Scan Engine)
- Set the communication protocol to RPC with the following command:
.\xmlmodifier.exe -s /configuration/ProtocolSettings/Protocol/@value "RPC" configuration.xml - Add localhost as an RPC client to enable communication with the ONTAP AV connector (necessary for Cluster Mode and Mixed mode)
.\xmlmodifier.exe -c /configuration/ProtocolSettings/RPC/ClientList/items 127.0.0.1 configuration.xml - Add any filers that use 7-mode:
.\xmlmodifier.exe -c /configuration/ProtocolSettings/RPC/ClientList/items <ip address of 7-mode filer> configuration.xml
- Using XMLModifier:
- Tune performance settings for SPE
- Using XMLModifier:
- Open CMD or PowerShell as Administrator
- Navigate to the SPE installation directory (normally C:\Program Files\Symantec\Scan Engine)
- Determine how many CPU cores the server has using the following command from within CMD or PowerShell:
WMIC CPU Get DeviceID,NumberOfCores - Set maximum scanning threads to 3 * number of CPU cores or 24, whichever value is higher:
.\xmlmodifier.exe -s /configuration/Resources/System/MaxThreads/@value <calculated threads> configuration.xml - Set queued request threshold to 3 * number of CPU cores or 24, whichever value is higher:
.\xmlmodifier.exe -s /configuration/Resources/System/LoadMaximumQueuedClients/@value <calculated value> configuration.xml - Set memory settings:
- For SPE 8.2.x or 9.x, set the filer performance threshold
- Using XMLModifier:
- Configure NetApp filer timeouts. The default settings are optimal. NetApp recommends that they should not be changed unless NetApp support recommends changing them.
-
Use the vscan scanner-pool show -instance command on the NetApp filer to view the timeouts:
::*> vscan scanner-pool show -instance javascript:void('Edit Link') Vserver: svm1 Scanner Pool: pool1 Applied Policy: primary Current Status: on Cluster on Which Policy Is Applied: node1 Scanner Pool Config Owner: vserver List of IPs of Allowed Vscan Servers: x.x.x.x List of Host Names of Allowed Vscan Servers: x.x.x.x List of Privileged Users: domain\administrator Request Service Timeout: 30s Scan Queue Timeout: 20s Session Setup Timeout: 10s Session Teardown Timeout: 10s Max Number of Consecutive Session Setup Attempts: 5Take note of Request Service Timeout. You will use this value when configuring the Protection Engine timeout.
Note: The Request Service Timeout value is how long NetApp will wait for a scan verdict. For more information about this and other timeout settings, see NetApp's article regarding timeouts.
-
- Configure SPE's timeouts.
- SPE 8.2+:
- Use the following article to set the ScanTimeoutInSeconds value to 2/3 of the NetApp Filer Request Service Timeout: https://knowledge.broadcom.com/external/article/203355/
- Older SPE versions? See Additional Information, below.
- SPE 8.2+:
- Ensure exclusions for file types that should not be scanned are set in the NetApp configuration. See [Best practice for file type exclusions] (https://knowledge.broadcom.com/external/article/177975/best-practices-for-file-type-exclusions.html) for Symantec recommended exclusions, NetApp vscan file path exclusions, and NetApp vscan file extension exclusions for details on how to implement the recommendations in the NetApp vscan configuration.
- Ensure a sufficient number of Symantec Protection Engine servers have been configured and added to the vscan scanner pool to handle the expected scanning load without impacting real-time availability of files. See attached file xlsx for additional details on this requirement.
- The Protection Engine should now be ready for vscan to be set to on:
vscan on
Attachments
Feedback
Yes
No
Powered by
