Configure FPolicy for Varonis on NetApp Cluster Mode using PowerShell

To enable the Varonis Metadata Framework to connect to a NetApp file server operating in cluster mode, you must configure an FPolicy for it.

This PowerShell script, which I based on Technical Report TR-4429 (referenced below for further reading), will automate:

  • Creating the FPolicy Event Object
  • Creating the FPolicy External Engine
  • Creating the FPolicy Object
  • Creating the Fpolicy Scope Object
  • Configuring the Login Method for DatAdvantage
  • Configuring the Varonis service account as CIFS superuser (To enable the Management Console to correctly detect NetApp cluster shares, the Varonis service account must be a member of the Domain Administrators group, or added as a CIFS superuser.)
  • Enabling the FPolicy

#requires -Version 2 -Modules DataONTAP
param (  
  $vservs = ('VSERVER_NAME'),
  $varcollectserver = 'VARONIS PROBE/COLLECTOR IP',
  $varsvcactdomain = 'DOMAIN',
  $varsvcactuser = 'USER'
)

Import-Module -Name DataONTAP

$FASName = Read-Host -Prompt 'Enter the FQDN of your NetApp array'
If ($FASName -eq '')  
{
  Write-Host -Object 'No selection made, script now exiting.' 
  exit
}

Connect-NcController -Name $FASName -Credential (Get-Credential)

foreach ($vserv in $vservs)
{
  # Event: the CIFS file operations the Varonis collector is notified about
  New-NcFpolicyEvent -Name fp_event_varonis_cifs -Protocol cifs -FileOperation create, create_dir, delete, delete_dir, read, write, rename, rename_dir, setattr -Filter first_read, first_write -VserverContext $vserv

  # External engine: the Varonis probe/collector that receives the notifications (TCP 2002, no SSL authentication)
  New-NcFpolicyExternalEngine -Name fp_ex_eng -PrimaryServer $varcollectserver -Port 2002 -SslOption no_auth -Asynchronous -VserverContext $vserv

  # Policy: ties the event to the engine; non-mandatory, so file access is not blocked if the collector is unreachable
  New-NcFpolicyPolicy -Name Varonis -Event fp_event_varonis_cifs -EngineName fp_ex_eng -NonMandatory -VserverContext $vserv

  # Scope: apply the policy to every volume and export policy on this SVM
  New-NcFpolicyScope -PolicyName Varonis -VolumesToInclude '*' -ExportPoliciesToInclude '*' -VserverContext $vserv

  # Login method for DatAdvantage: the user name is DOMAIN\user, so the backslash separator is required
  New-NcUser -UserName ($varsvcactdomain + '\' + $varsvcactuser) -Vserver $vserv -Application ontapi -AuthMethod domain -Role vsadmin

  # CIFS superuser for the Varonis service account (requires the advanced privilege level)
  Invoke-NcSsh -Command "set -privilege advanced;vserver cifs superuser create -domain $varsvcactdomain -accountname $varsvcactuser -vserver $vserv;vserver cifs superuser show -vserver $vserv"

  # Enable the policy on this SVM
  Enable-NcFpolicyPolicy -Name Varonis -SequenceNumber 1 -VserverContext $vserv
}
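A follow-up check script, added here as an example and not part of the original post: once the configuration script has run, it confirms on each SVM that the policy is enabled, reports that the engine uses no_auth (an unauthenticated, unencrypted channel to the collector), and lists the node-to-collector connection status. It assumes an open Connect-NcController session, the names used above, and that the Get-NcFpolicy* cmdlets expose the property names shown (PolicyName, Enabled, SequenceNumber, SslOption, PrimaryServers, ServerStatus); treat those property names as assumptions.

```powershell
#requires -Version 2 -Modules DataONTAP
# Added verification example (not from the original post); assumes an existing
# Connect-NcController session and the policy/engine names used above.
param (
  $vservs = ('VSERVER_NAME'),
  $policyName = 'Varonis',
  $engineName = 'fp_ex_eng'
)

Import-Module -Name DataONTAP

foreach ($vserv in $vservs)
{
  # 1. Policy enabled? (property names PolicyName/Enabled/SequenceNumber are assumed)
  $status = Get-NcFpolicyStatus -VserverContext $vserv | Where-Object { $_.PolicyName -eq $policyName }
  if (-not $status -or -not $status.Enabled)
  {
    Write-Warning -Message "FPolicy '$policyName' is not enabled on $vserv"
  }
  else
  {
    Write-Host -Object "FPolicy '$policyName' enabled on $vserv (sequence $($status.SequenceNumber))"
  }

  # 2. Engine transport: SslOption no_auth means the channel to the collector is
  #    neither authenticated nor encrypted (server_auth/mutual_auth use SSL)
  $engine = Get-NcFpolicyExternalEngine -VserverContext $vserv | Where-Object { $_.EngineName -eq $engineName }
  if ($engine -and $engine.SslOption -eq 'no_auth')
  {
    Write-Host -Object "Engine $engineName on $vserv uses no_auth (cleartext to $($engine.PrimaryServers -join ','))"
  }

  # 3. Has each node actually connected to the Varonis probe/collector?
  Get-NcFpolicyServerStatus -VserverContext $vserv |
    Where-Object { $_.PolicyName -eq $policyName } |
    Format-Table -Property Node, Server, ServerStatus, ServerType -AutoSize
}
```

A node whose ServerStatus is not connected means notifications for that node are not reaching the collector even though the policy is enabled.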

Further reading:

  1. FPolicy Solution Guide for Clustered Data ONTAP: Varonis DatAdvantage
  2. How FPolicy on clustered Data ONTAP works with external FPolicy servers