What are some best practices for implementing Symantec Protection Engine (SPE) for Network Attached Storage (NAS) with a NetApp Filer? 

• SPE-NAS 8.2.x or later installed on Windows 2016 Server or later
• ONTAP 9.2 or later in cluster mode -
  see supported device matrix for SPE 9.1.0 or
  see supported device matrix for SPE 8.2.2

1. Ensure the server is a dedicated scanner. It should not have other applications and features installed except those necessary for scanning or required by your organization for security.
   
   
2. Ensure that the Protection Engine resides on a network containing only the storage system and the Protection Engine as recommended by NetApp.
   
   
3. Ensure the scanner meets system requirements
   • At least 40 GB free on the drive where SPE is installed.
   • At least 16 GB of RAM
   • At least 4 CPU cores
     
     
4. If the SPE server is a guest virtual machine (VM), ensure that all resource (RAM, CPU cores, and HD space) are reserved by the hypervisor for exclusive use by the SPE guest VM.
   
   
5. The "Symantec Protection Engine" Windows service should be configured to run with a service account.
   
   
   • The account must satisfy the following requirements:
     • Be a member of the Backup Operators group on the NetApp filers
     • Be a local administrator on the Protection Engine server
       
       
   • Use the following steps to change the service account:
     1. Open the Windows Service control panel (services.msc).
     2. Right click on Symantec Protection Engine and click on Properties.
     3. On the Log On tab, enter the service account name and password.
     4. Click the OK button to save the change and close the properties dialog box.
     5. Restart the Symantec Protection Engine
        
        
6. Configure SPE to register with the NetApp filer.
   
   • Using XMLModifier:
     
     
     1. Open CMD or PowerShell as Administrator
     2. Navigate to the SPE installation directory (normally C:\Program Files\Symantec\Scan Engine)
     3. Set the communication protocol to RPC with the following command:

         xmlmodifier.exe -s /configuration/ProtocolSettings/Protocol/@value "RPC" configuration.xml
        

     4. Add localhost as an RPC client to enable communication with the ONTAP AV connector (necessary for Cluster Mode and Mixed mode)

         xmlmodifier.exe -c /configuration/ProtocolSettings/RPC/ClientList/items 127.0.0.1 configuration.xml
        

     5. Add any filers that use 7-mode:

         xmlmodifier.exe -c /configuration/ProtocolSettings/RPC/ClientList/items <ip address of 7-mode filer> configuration.xml
        

     Note: The "Symantec Protection Engine" service must be restarted for any changes with xmlmodifier to take effect.
     
     
7. Tune performance settings for SPE
   
   
   • Using XMLModifier:
     
     
     1. Open CMD or PowerShell as Administrator
     2. Navigate to the SPE installation directory (normally C:\Program Files\Symantec\Scan Engine)
     3. Determine how many CPU cores the server has using the following command from within CMD or PowerShell:

         WMIC CPU Get DeviceID,NumberOfCores
        

     4. Set maximum scanning threads to 3 * number of CPU cores or 24, whichever value is higher:

         xmlmodifier.exe -s /configuration/Resources/System/MaxThreads/@value <calculated threads> configuration.xml
        

     5. Set queued request threshold to 3 * number of CPU cores or 24, whichever value is higher:

         xmlmodifier.exe -s /configuration/Resources/System/LoadMaximumQueuedClients/@value <calculated value> configuration.xml
        

     6. Set memory settings:
        • Please see Memory setting recommendations for SPE 8.1 and newer
     7. For SPE 8.2.x or 9.x, set the filer performance threshold
        
        
8. Configure NetApp filer timeouts. The default settings are optimal. NetApp recommends that they should not be changed unless NetApp support recommends changing them.

   1. Use the vscan scanner-pool show -instance command on the NetApp filer to view the timeouts:

       ::*> vscan scanner-pool show -instance
       javascript:void('Edit Link')
       Vserver: svm1
       Scanner Pool: pool1
       Applied Policy: primary
       Current Status: on
       Cluster on Which Policy Is Applied: node1
       Scanner Pool Config Owner: vserver
       List of IPs of Allowed Vscan Servers: x.x.x.x
       List of Host Names of Allowed Vscan Servers: x.x.x.x
       List of Privileged Users: domain\administrator
       Request Service Timeout: 30s
       Scan Queue Timeout: 20s
       Session Setup Timeout: 10s
       Session Teardown Timeout: 10s
       Max Number of Consecutive Session Setup Attempts: 5
      

      Take note of Request Service Timeout. You will use this value when configuring the Protection Engine timeout.

      Note: The Request Service Timeout value is how long NetApp will wait for a scan verdict. For more information about this and other timeout settings, see NetApp's article regarding timeouts.

9. Configure SPE's timeouts.
   
   
   • SPE 8.2+:
     • Use the following article to set the ScanTimeoutInSeconds value to 2/3 of the NetApp Filer Request Service Timeout: https://knowledge.broadcom.com/external/article/203355/
   • Older SPE versions? See Additional Information, below.
     
     
10. Ensure exclusions for file types that should not be scanned are set in the NetApp configuration. See [Best practice for file type exclusions] (https://knowledge.broadcom.com/external/article/177975/best-practices-for-file-type-exclusions.html) for Symantec recommended exclusions, NetApp vscan file path exclusions, and NetApp vscan file extension exclusions for details on how to implement the recommendations in the NetApp vscan configuration.
    
    
11. Ensure a sufficient number of Symantec Protection Engine servers have been configured and added to the vscan scanner pool to handle the expected scanning load without impacting real-time availability of files. See attached file xlsx for additional details on this requirement.
    
    
12. The Protection Engine should now be ready for vscan to be set to on:

    vscan on