Last updated: 2022-06-14
File Analytics provides data and statistics on the operations and contents of a file server.
Once deployed, Nutanix Files adds a File Analytics VM (FAVM) to the Files cluster. A single File Analytics VM supports all file servers in the cluster; however, you must enable File Analytics separately for each file server. File Analytics protects data on the FAVM, which is kept in a separate volume group.
Once you deploy File Analytics, a new File Analytics link appears on the file server actions bar. Use the link to access File Analytics on any file server that has File Analytics enabled.
The File Analytics web console consists of the following display features:
Main menu bar : The main menu bar appears at the top of every page of the File Analytics web console. The main menu bar includes the following display features:
Meet the following requirements prior to deploying File Analytics.
Ensure that you have performed the following tasks and your Files deployment meets the following specifications.
Open the required ports, and ensure that your firewall allows bi-directional Internet Control Message Protocol (ICMP) traffic between the FAVM and CVMs.
The Port Reference provides detailed port information for Nutanix products and services, including port sources and destinations, service descriptions, directionality, and protocol requirements.
In addition to meeting the File Analytics network requirements, ensure that you meet the Nutanix Files port requirements described in the Port Reference.
File Analytics has the following limitations.
Overview of administrative processes for File Analytics.
As an admin, you have the required permissions for performing File Analytics administrative tasks. To add a file server admin user, see Managing Roles in the Nutanix Files Guide. The topics in this chapter describe the basics for administering your File Analytics environment. For advanced administrative options, refer to the File Analytics Options chapter.
Follow this procedure to deploy the File Analytics server.
Steps for enabling File Analytics after deployment or disablement.
Follow these steps to enable File Analytics after disabling the application.
Follow the steps as indicated to disable File Analytics.
File Analytics is disabled on the server. Enable File Analytics to start collecting data again or Delete File Analytics Data.
Do the following to launch File Analytics.
To update a File Analytics VM (FAVM), refer to the sizing guidelines in the File Analytics release notes and follow the steps in the VM Management topic of the Prism Web Console Guide.
Remove a File Analytics VM (FAVM) by disabling it and deleting it from the cluster in Prism.
Follow the steps as indicated to update authentication credentials for LDAP or Active Directory.
Manage the audit data of deleted shares and exports.
By default, File Analytics retains deleted share and export data. The dashboard widgets do not account for data of deleted shares and exports. The deleted marker appears next to deleted shares and exports in audit trails. The Manage Share/Export Audit data window displays a list of deleted shares and exports.
Follow the directions as indicated to delete audit data for the deleted share or export.
Steps for updating the password of a File Analytics VM (FAVM).
nutanix@favm$ sudo passwd nutanix
Changing password for user nutanix.
Old Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
The password must meet the following complexity requirements:
Perform File Analytics upgrades using the Life Cycle Manager feature in Prism Element.
Before you upgrade File Analytics, ensure that you are running compatible versions of AOS and Files. Refer to the File Analytics release notes for compatibility details. You can upgrade both AOS and Files through Prism Element; see AOS Upgrade in the Prism Web Console Guide.
To upgrade File Analytics, perform inventory and updates using Life Cycle Manager (LCM); see the Life Cycle Manager Guide for instructions on performing inventory and updates. LCM cannot upgrade File Analytics when the protection domain (PD) for the File Analytics VM (FAVM) includes any other entities.
During the upgrade process, File Analytics takes a snapshot of the volume group (VG) that contains File Analytics data. If issues occur during an upgrade, File Analytics restores the FAVM to the pre-upgrade state. If the volume group is protected and is part of a protection domain, File Analytics creates a snapshot and sets its expiry time to 30 days. If the volume group is not protected, File Analytics creates a snapshot and deletes it after the upgrade completes successfully. If any errors occur, the system keeps the snapshot for 30 days so that you can troubleshoot the issue.
Upgrade File Analytics at a dark site using Life Cycle Manager (LCM).
The Dashboard tab displays data on the operational trends of a file server.
The Dashboard tab is the opening screen that appears after launching File Analytics from Prism. The dashboard displays widgets that present data on file trends, distribution, and operations.
Tile Name | Description | Intervals |
---|---|---|
Capacity trend | Displays capacity trends for the file server, including capacity added, capacity removed, and net changes. Clicking an event period in the widget displays the Capacity Trend Details view. | Last 7 days, last 30 days, or last 1 year. |
Data age | Displays the percentage of data by age. Data age determines the data heat: hot, warm, or cold. | Default intervals apply unless you reconfigure the data heat levels; see Data Age. |
Anomaly alerts | Displays alerts for configured anomalies and ransomware detection based on blocked file types; see Configuring Anomaly Detection. | [alert] |
Permission denials | Displays users who have had excessive permission denials and the number of denials. Clicking a user displays audit details; see Audit Trails - Users for more. | [user id], [number of permission denials] |
File distribution by size | Displays the number of files by file size. Provides trend details for the top 5 files. | Less than 1 MB, 1–10 MB, 10–100 MB, 100 MB to 1 GB, greater than 1 GB. |
File distribution by type | Displays the space taken up by various applications and file types. The file extension determines the file type. See the File Types table for more details. | MB or GB |
File distribution by type details view | Displays a trend graph of the top 5 file types. File distribution details include file type, current space used, current number of files, and change in space for the last 7 or 30 days. Clicking View Details displays the File Distribution by Type view. | Daily size trend for top 5 files (GB), file type (see the File Types table), current space used (GB), current number of files (numeric), change in last 7 or 30 days (GB). |
Top 5 active users | Lists the users who have accessed the most files and the number of operations each user performed for the specified period. When there are more than 5 active users, the more link provides details on the top 50 users. Clicking the user name displays the audit view for the user; see Audit Trails - Users for more. | 24 hours, 7 days, 1 month, or 1 year. |
Top 5 accessed files | Lists the 5 most frequently accessed files. Clicking more provides details on the top 50 files. Clicking the file name displays the audit view details for the file; see Audit Trails - Files for more. | 24 hours, 7 days, 1 month, or 1 year. |
Files operations | Displays the distribution of operation types for the specified period, including a count for each operation type and the total sum of all operations. Operations include: create, delete, read, write, rename, permission changed, set attribute, symlink, permission denied, permission denied (file blocking). Clicking an operation displays the File Operation Trend view. | 24 hours, 7 days, 1 month, or 1 year. |
Clicking an event period in the Capacity Trend widget displays the Capacity Trend Details view for that period. The view includes three tabs: Share/Export, Folder, and Category. Each tab includes the following columns.
Column | Description |
---|---|
Name | Name of share/export, folder, or category. |
Net capacity change | The total difference between capacity at the beginning and the end of the specified period. |
Share name (for folders only) | The name of the share or export that the folder belongs to. |
Capacity added | Total added capacity for the specified period. |
Capacity removed | Total removed capacity for the specified period. |
Clicking View Details for the File Distribution by Type widget displays granular details of file distribution, see the File Types table for details.
Column | Description |
---|---|
File type | Name of file type |
Current space used | Space capacity occupied by the file type |
Current number of files | Number of files for the file type |
Change (in last 30 days) | The increase in capacity over a 30-day period for the specified file type |
Category | Supported File Type |
---|---|
Archives | .cab, .gz, .rar, .tar, .z, .zip |
Audio | .aiff, .au, .mp3, .mp4, .wav, .wma |
Backups | .bak, .bkf, .bkp |
CD/DVD images | .img, .iso, .nrg |
Desktop publishing | .qxd |
Email archives | .pst |
Hard drive images | .tib, .gho, .ghs |
Images | .bmp, .gif, .jpg, .jpeg, .pdf, .png, .psd, .tif, .tiff |
Installers | .msi, .rpm |
Log Files | .log |
Lotus notes | .box, .ncf, .nsf, .ns2, .ns3, .ns4, .ntf |
MS Office documents | .accdb, .accde, .accdt, .accdr, .doc, .docx, .docm, .dot, .dotx, .dotm, .xls, .xlsx, .xlsm, .xlt, .xltx, .xltm, .xlsb, .xlam, .ppt, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .mdb |
System files | .bin, .dll, .exe |
Text files | .csv, .pdf, .txt |
Video | .avi, .mpg, .mpeg, .mov, .m4v |
Disk image | .hlog, .nvram, .vmdk, .vmx, .vmxf, .vmtm, .vmem, .vmsn, .vmsd |
Clicking an operation type in the File Operations widget displays the File Operation Trend view. The File Operation Trend view breaks down the specified period into smaller intervals, and displays the number of occurrences of the operation during each interval.
Category | Description |
---|---|
Operation type | A drop-down option to specify the operation type. See Files Operations in the Dashboard Widgets table for a list of operation types. |
Last (time period) | A drop-down option to specify the period for the file operation trend. |
File operation trend graph | The x-axis divides the specified period into shorter intervals. The y-axis displays the number of operations in each interval. |
The Health dashboard displays dynamically updated health information about each File Analytics component.
The Health dashboard includes the following details:
The Data Age widget in the Dashboard provides details on data heat.
Share-level data is displayed to provide details on share capacity trends. There are three levels of data heat.
You can configure the definitions for each level of data heat rather than using the default values.
Update the values that constitute different data heat levels.
Data panes in the Anomalies tab display data and trends for configured anomalies.
You can configure anomalies for the following operations:
Define anomaly rules by specifying the following conditions:
Both thresholds apply to a rule; meeting the lower of the two triggers an anomaly.
Consider a scenario where you have 1,000 files, the operation count threshold is 10, and the operation percentage threshold is 10%. The count threshold takes precedence, because 10% of 1,000 is 100, which is greater than the count threshold of 10.
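The threshold rule above, as an added example that is not part of the File Analytics product or its documentation: a small Python evaluator that applies a count threshold and a percentage threshold to a constructed set of audit events and flags each user whose operations in one interval meet the lower of the two. The event fields, the rule structure, and the alignment of intervals to the first matching event are assumptions made for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    operation: str   # create, delete, read, write, rename, ...
    folder: str


@dataclass(frozen=True)
class AnomalyRule:
    operation: str
    count_threshold: int        # minimum number of operations in one interval
    percent_threshold: float    # minimum operations as a percentage of all files
    interval: timedelta         # detection interval


# Constructed audit events (not File Analytics output): alice deletes 12 files
# in 12 minutes, bob deletes 6, carol only reads.
_BASE = datetime(2022, 6, 14, 9, 0)
SAMPLE_EVENTS = (
    [Event(_BASE + timedelta(minutes=i), "alice", "delete", "/finance/q1") for i in range(12)]
    + [Event(_BASE + timedelta(minutes=i), "bob", "delete", "/hr/onboarding") for i in range(6)]
    + [Event(_BASE + timedelta(minutes=i), "carol", "read", "/eng/specs") for i in range(20)]
)

DELETE_RULE = AnomalyRule("delete", count_threshold=10, percent_threshold=10.0,
                          interval=timedelta(hours=1))


def effective_threshold(rule: AnomalyRule, total_files: int) -> float:
    """Both thresholds apply; the lower of the two is the one that triggers."""
    from_percent = total_files * rule.percent_threshold / 100.0
    return min(rule.count_threshold, from_percent)


def evaluate(events, rule: AnomalyRule, total_files: int):
    """Return one anomaly record per (user, interval) that meets the effective threshold."""
    threshold = effective_threshold(rule, total_files)
    matching = [e for e in events if e.operation == rule.operation]
    if not matching:
        return []
    origin = min(e.ts for e in matching)
    buckets = defaultdict(list)
    for e in matching:
        # Intervals are counted from the first matching event (assumption; the
        # product's own interval alignment is not described on this page).
        idx = int((e.ts - origin) / rule.interval)
        buckets[(e.user, idx)].append(e)
    anomalies = []
    for (user, idx), evs in sorted(buckets.items()):
        if len(evs) >= threshold:
            anomalies.append({
                "user": user,
                "operation": rule.operation,
                "window_start": origin + idx * rule.interval,
                "count": len(evs),
                "threshold": threshold,
                "folders": sorted({e.folder for e in evs}),
            })
    return anomalies


if __name__ == "__main__":
    # 1,000 files: min(10, 100) = 10, so only alice (12 deletes) is flagged.
    for a in evaluate(SAMPLE_EVENTS, DELETE_RULE, total_files=1000):
        print(a)
    # 50 files: min(10, 5) = 5, so bob (6 deletes) is flagged as well.
    for a in evaluate(SAMPLE_EVENTS, DELETE_RULE, total_files=50):
        print(a)
```

The second run shows why the percentage threshold matters on small shares: with only 50 files, 10% is 5 operations, so a burst that would be unremarkable on a large share is flagged.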
Pane Name | Description | Values |
---|---|---|
Anomaly Trend | Displays the number of anomalies per day or per month. | Last 7 days, Last 30 days, Last 1 year |
Top Users | Displays the users with the most anomalies and the number of anomalies per user. | Last 7 days, Last 30 days, Last 1 year |
Top Folders | Displays the folders with the most anomalies and the number of anomalies per folder. | Last 7 days, Last 30 days, Last 1 year |
Operation Anomaly Types | Displays the percentage of occurrences per anomaly type. | Last 7 days, Last 30 days, Last 1 year |
Clicking an anomaly bar in the Anomaly Trend graph displays the Anomaly Details view.
Column | Description |
---|---|
Anomaly Type | The configured anomaly type. Anomaly types not configured do not show up in the table. |
Total User Count | The number of users that have performed the operation causing the specified anomaly during the specified time range. |
Total Folder Count | The number of folders in which the anomaly occurred during the specified time range. |
Total Operation Count | Total number of anomalies for the specified anomaly type that occurred during the specified time range. |
Time Range | The time range for which the total user count, total folder count, and total operation count are specified. |
Column | Description |
---|---|
Username or Folders | Indicates the entity for the operation count. Selecting the Users tab indicates operation count for specific users, and selecting the Folders tab indicates the operation count for specific folders. |
Operation count | The total number of operations causing anomalies for the selected user or folder during the time period for the bar in the Anomaly Trend graph. |
Steps for configuring anomaly rules.
Configure an SMTP server for File Analytics to send anomaly alerts, see Configuring an SMTP Server. To create an anomaly rule, do the following.
File Analytics uses a Simple Mail Transfer Protocol (SMTP) server to send anomaly alerts.
Use audit trails to look up operation data for a specific user, file, folder, or client.
The Audit Trails tab includes Files , Folders , Users , and Client IP options for specifying the audit type. Use the search bar for specifying the specific entity for the audit (user, folder, file, or client IP).
The results table presents details for entities that match the search criteria. Clicking the entity name (or client IP address) takes you to the Audit Trails dashboard for the target entity.
Audit a user, file, client, or folder.
Dashboard details for user audits.
When you search by user in the Audit Trails tab, search results display the following information in a table.
Clicking View Audit displays the Audit Details page, which shows the following audit information for the selected user.
The Results table provides granular details of the audit results. The following data is displayed for every event.
Click the gear icon for options to download the data as an xls, csv, or JSON file.
Dashboard details for folder audits.
The following information displays when you search by folder in the Audit Trails tab.
The Audit Details page shows the following audit information for the selected folder.
The Results table provides granular details of the audit results. File Analytics displays the following data for every event.
Click the gear icon for options to download the data as a CSV file.
Dashboard details for file audits.
When you search by file in the Audit Trails tab, the following information displays:
The Audit Details page shows the following audit information for the selected file.
The Results table provides granular details of the audit results. File Analytics displays the following data for every event.
Click the gear icon for options to download the data as a CSV file.
Dashboard details for client IP Audit Trails.
When you search by client IP in the Audit Trails tab, search results display the following information in a table.
The Audit Details page shows the following audit information for the selected client.
The Results table provides granular details of the audit results. File Analytics displays the following data for every event.
Click the gear icon for an option to download the data as a CSV file.
Ransomware protection for your file server.
File Analytics scans for ransomware in real time and notifies you by email when it detects an attack. Using the Nutanix Files file blocking mechanism, File Analytics blocks operations on files whose names match the extension signatures of known ransomware, so an encrypting process cannot write or rename files to those extensions. Ransomware protection uses a curated list of extensions that frequently appear in ransomware-encrypted files. You can extend the list by adding other signatures manually.
File Analytics also monitors shares for self-service restore (SSR) policies and identifies shares that do not have SSR enabled in the ransomware dashboard. You can enable SSR through the ransomware dashboard by selecting shares identified by File Analytics.
The ransomware dashboard includes panes for managing ransomware protection and self-service restore (SSR).
The ransomware dashboard includes two main sections:
File Analytics blocks the following ransomware signatures.
Extension | Known Ransomware |
---|---|
*.micro | TeslaCrypt 3.0 |
*.zepto | Locky |
*.cerber3 | Cerber 3 |
*.locky | Locky |
*.cerber | Cerber |
*.loli | LOLI |
*.mole | CryptoMix (variant) |
*.cryp1 | CryptXXX |
*.axx | AxCrypt |
*.onion | Dharma |
*.crypt | Scatter |
*.osiris | Locky (variant) |
*.crypz | CryptXXX |
*.ccc | TeslaCrypt or Cryptowall |
*.locked | Various ransomware |
*.odin | Locky |
*.cerber2 | Cerber 2 |
*.sage | Sage |
*.globe | Globe |
*.good | Scatter |
*.exx | Alpha Crypt |
*.encrypt | Alpha |
*.encrypted | Various ransomware |
*.1txt | Enigma |
*.ezz | Alpha Crypt |
*.r5a | 7ev3n |
*.wallet | Globe 3 (variant) |
*.decrypt2017 | Globe 3 |
*.zzzzz | Locky |
*.MERRY | Merry X-Mas |
*.enigma | Coverton |
*.ecc | Cryptolocker or TeslaCrypt |
*.cryptowall | Cryptowall |
*.aesir | Locky |
*.cryptolocker | CryptoLocker |
*.coded | Anubis |
*.sexy | PayDay |
*.pubg | PUBG |
*.ha3 | El-Polocker |
*.breaking_bad | Files1147@gmail(.)com |
*.dharma | CrySiS |
*.wcry | WannaCry |
*.lol! | GPCode |
*.damage | Damage |
*.MRCR1 | Merry X-Mas |
*.fantom | Fantom |
*.legion | Legion |
*.kratos | KratosCrypt |
*.crjoker | CryptoJoker |
*.LeChiffre | LeChiffre |
*.maya | HiddenTear (variant) |
*.kraken | Rakhni |
*.keybtc@inbox_com | KeyBTC |
*.rrk | Radamant v2 |
*.zcrypt | ZCRYPT |
*.crinf | DecryptorMax or CryptInfinite |
*.enc | TorrentLocker / Cryptorium |
*.surprise | Surprise |
*.windows10 | Shade |
*.serp | Serpent (variant) |
*.file0locked | Evil |
*.ytbl | Troldesh (variant) |
*.pdcr | PadCrypt |
*.venusf | Venus Locker |
*.dale | Chip |
*.potato | Potato |
*.lesli | CryptoMix |
*.angelamerkel | Angela Merkel |
*.PEGS1 | Merry X-Mas |
*.R16m01d05 | Evil-JS (variant) |
*.zzz | TeslaCrypt |
*.wflx | WildFire |
*.serpent | Serpent |
*.Dexter | Troldesh (variant) |
*.rnsmwr | Gremit |
*.thor | Locky |
*.nuclear55 | Nuke |
*.xyz | TeslaCrypt |
*.encr | FileLocker |
*.kernel_time | KeRanger OS X |
*.darkness | Rakhni |
*.evillock | Evil-JS (variant) |
*.locklock | LockLock |
*.rekt | HiddenTear (variant) / RektLocker |
*.coverton | Coverton |
*.VforVendetta | Samsam (variant) |
*.remk | STOP |
*.1cbu1 | Princess Locker |
*.purge | Globe |
*.cry | CryLocker |
*.zyklon | ZYKLON |
*.dCrypt | DummyLocker |
*.raid10 | Globe [variant] |
*.derp | Derp |
*.zorro | Zorro |
*.AngleWare | HiddenTear/MafiaWare (variant) |
*.shit | Locky |
*.btc | Jigsaw |
*.atlas | Atlas |
*.EnCiPhErEd | Xorist |
*.xxx | TeslaCrypt 3.0 |
*.realfs0ciety@sigaint.org.fs0ciety | Fsociety |
*.vbransom | VBRansom 7 |
*.exotic | Exotic |
*.crypted | Nemucod |
*.fucked | Manifestus |
*.vvv | TeslaCrypt 3.0 |
*.padcrypt | PadCrypt |
*.cryeye | DoubleLocker |
*.hush | Jigsaw |
*.RMCM1 | Merry X-Mas |
*.unavailable | Al-Namrood |
*.paym | Jigsaw |
*.stn | Satan |
*.braincrypt | Braincrypt |
*.ttt | TeslaCrypt 3.0 |
*._AiraCropEncrypted | AiraCrop |
*.spora | Spora |
*.alcatraz | Alcatraz Locker |
*.reco | STOP/DJVU |
*.crypte | Jigsaw (variant) |
*.aaa | TeslaCrypt |
*.pzdc | Scatter |
*.RARE1 | Merry X-Mas |
*.ruby | Ruby |
*.fun | Jigsaw |
*.73i87A | Xorist |
*.abc | TeslaCrypt |
*.odcodc | ODCODC |
*.crptrgr | CryptoRoger |
*.herbst | Herbst |
*.comrade | Comrade |
*.szf | SZFLocker |
*.pays | Jigsaw |
*.antihacker2017 | Xorist (variant) |
*.rip | KillLocker |
*.rdm | Radamant |
*.CCCRRRPPP | Unlock92 |
*.bript | BadEncriptor |
*.hnumkhotep | Globe 3 |
*.helpmeencedfiles | Samas/SamSam |
*.BarRax | BarRax (HiddenTear variant) |
*.magic | Magic |
*.noproblemwedecfiles | Samas/SamSam |
*.bitstak | Bitstak |
*.kkk | Jigsaw |
*.kyra | Globe |
*.a5zfn | Alma Locker |
*.powerfulldecrypt | Samas/SamSam |
*.vindows | Vindows Locker |
*.payms | Jigsaw |
*.lovewindows | Globe (variant) |
*.p5tkjw | Xorist |
*.madebyadam | Roga |
*.conficker | Conficker |
*.SecureCrypted | Apocalypse |
*.perl | Bart |
*.paymts | Jigsaw |
*.kernel_complete | KeRanger OS X |
*.payrms | Jigsaw |
*.paymst | Jigsaw |
*.lcked | Jigsaw (variant) |
*.covid19 | Phishing |
*.ifuckedyou | SerbRansom |
*.d4nk | PyL33T |
*.grt | Karmen HiddenTear (variant) |
*.kostya | Kostya |
*.gefickt | Jigsaw (variant) |
*.covid-19 | Phishing |
*.kernel_pid | KeRanger OS X |
*.wncry | Wana Decrypt0r 2.0 |
*.PoAr2w | Xorist |
*.Whereisyourfiles | Samas/SamSam |
*.edgel | EdgeLocker |
*.adk | Angry Duck |
*.oops | Marlboro |
*.theworldisyours | Samas/SamSam |
*.czvxce | Coverton |
*.crab | GandCrab |
*.paymrss | Jigsaw |
*.kimcilware | KimcilWare |
*.rmd | Zeta |
*.dxxd | DXXD |
*.razy | Razy |
*.vxlock | vxLock |
*.krab | GandCrab v4 |
*.rokku | Rokku |
*.lock93 | Lock93 |
*.pec | PEC 2017 |
*.mijnal | Minjal |
*.kobos | Kobos |
*.bbawasted | Bbawasted |
*.rlhwasted | RLHWasted |
*.52pojie | 52Pojie |
*.FastWind | Fastwind |
*.spare | Spare |
*.eduransom | Eduransom |
*.RE78P | RE78P |
*.pstKll | pstKll |
*.erif | |
*.kook | |
*.xienvkdoc | |
*.deadfiles | |
*.mnbzr | |
*.silvertor | |
*.MH24 | |
*.nile | |
*.ZaCaPa | |
*.tcwwasted | |
*.Spade | |
*.pandemic | |
*.covid | |
*.xati | |
*.Zyr | |
*.spybuster | |
*.ehre | |
*.wannacry | WannaCry |
*.jigsaaw | |
*.boop | |
*.Back | |
*.CYRAT | |
*.bmd | |
*.Fappy | |
*.Valley | |
*.copa | |
*.horse | |
*.CryForMe | |
*.easyransom | |
*.nginxhole | |
*.lockedv1 | Lockedv1 |
*.ziggy | Ziggy |
*.booa | Booa |
*.nobu | Nobu |
*.howareyou | Howareyou |
*.FLAMINGO | Flamingo |
*.FUSION | Fusion |
*.pay2key | Pay2Key |
*.zimba | Zimba, Dharma |
*.luckyday | Luckyday |
*.bondy | Bondy |
*.cring | Cring |
*.boom | Boom |
*.judge | Judge |
*.LIZARD | LIZARD |
*.bonsoir | Bonsoir |
*.moloch | Moloch |
*.14x | 14x |
*.cnh | CNH |
*.DeroHE | DeroHE |
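Worked example, added here and not Nutanix code, showing how the extension signatures in the table above and the file-category table earlier on this page combine: a name is matched by suffix against the block list, and the matched suffix is stripped to recover the category of the file that was encrypted. Only an excerpt of both tables is embedded; case-insensitive matching and the "Other" category are assumptions of this example. It also makes the limitation of the mechanism visible: a name that keeps its original extension, or uses an extension not in the list, is not blocked, which is why the anomaly rules on delete and rename spikes complement this list.

```python
import os

# Excerpt of the blocked-extension table above (lowercased; the real list is longer).
BLOCKED_EXTENSIONS = {
    ".locky": "Locky", ".zepto": "Locky", ".odin": "Locky", ".thor": "Locky",
    ".cerber": "Cerber", ".cerber2": "Cerber 2", ".cerber3": "Cerber 3",
    ".wcry": "WannaCry", ".wncry": "Wana Decrypt0r 2.0", ".wannacry": "WannaCry",
    ".crab": "GandCrab", ".krab": "GandCrab v4", ".dharma": "CrySiS",
    ".encrypted": "Various ransomware", ".locked": "Various ransomware",
    ".lol!": "GPCode", ".cring": "Cring",
    ".realfs0ciety@sigaint.org.fs0ciety": "Fsociety",
}

# Excerpt of the file-category table above.
CATEGORIES = {
    "MS Office documents": {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"},
    "Images": {".bmp", ".gif", ".jpg", ".jpeg", ".png", ".tif", ".tiff"},
    "Archives": {".zip", ".tar", ".gz", ".rar"},
    "Text files": {".csv", ".txt"},
}
EXT_TO_CATEGORY = {ext: cat for cat, exts in CATEGORIES.items() for ext in exts}


def match_blocked(filename, blocklist=BLOCKED_EXTENSIONS):
    """Return (signature, family) if the name ends in a blocked extension, else None.

    Matching is by suffix and case-insensitive (assumption: SMB names are
    case-insensitive, so "Q1.XLSX.LOCKY" must not slip past "*.locky").
    """
    name = os.path.basename(filename).lower()
    # Longest patterns first so a multi-dot signature wins over a shorter one.
    for ext, family in sorted(blocklist.items(), key=lambda kv: -len(kv[0])):
        if name.endswith(ext):
            return ext, family
    return None


def classify(filename):
    """Category by final extension, as the File Distribution by Type widget
    does; "Other" is an assumed catch-all for extensions not in the table."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return EXT_TO_CATEGORY.get(ext, "Other")


def inspect(filename):
    """Decide whether an operation on this name is blocked, and what the file was before."""
    hit = match_blocked(filename)
    if hit is None:
        return {"file": filename, "blocked": False, "category": classify(filename)}
    ext, family = hit
    original = os.path.basename(filename)[:-len(ext)]   # strip the ransomware suffix
    return {"file": filename, "blocked": True, "signature": "*" + ext, "family": family,
            "original_category": classify(original)}


if __name__ == "__main__":
    for name in ["report.docx.locky", "Q1.XLSX.LOCKED", "photo.JPG", "notes.txt",
                 "budget.xlsx.realfs0ciety@sigaint.org.fs0ciety", "unlockme.lol!"]:
        print(inspect(name))
```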
Enable ransomware protection on your file server.
Configure ransomware protection on file servers.
Do the following to add signature to the blocked extension list.
Enable self-service restore on shares identified by File Analytics.
File Analytics scans shares for SSR policies.
Generate a report for entities on the file server.
Create a report with custom attribute values or use one of the File Analytics pre-configured report templates. To create a custom report, you must specify the entity, attributes, operators for some attributes, attribute values, column headings, and the number of columns.
The reports page displays a table of previously generated reports. You can rerun existing reports rather than creating a new template. After creating a report, download it as a JSON or CSV file.
The reports dashboard includes options to create, view, and download reports.
The Reports dashboard includes options to create a report, download reports as JSON, download reports as CSV, rerun reports, and delete reports.
The reports table includes columns for the report name, status, last run, and actions.
Clicking Create a new report takes you to the report creation screen, which includes the Report builder and Pre-canned Report Templates tabs. The tabs include report options and filters for report configuration.
Both tabs include the following elements:
Entity | Attributes (filters) | Operator | Value | Column |
---|---|---|---|---|
Events | event_date | | (date) | |
Events | Event_operation | N/A | | |
Files | Category | | (date) | |
Files | Extensions | N/A | (type in value) | |
Files | Deleted | N/A | Last (number of days from 1 to 30) days | |
Files | creation_date | | (date) | |
Files | access_date | | (date) | |
Files | Size | | (number) (file size); file size options are selectable | |
Folders | Deleted | N/A | Last (number of days from 1 to 30) days | |
Folders | creation_date | | (date) | |
Users | last_event_date | | (date) | |
Entity | Pre-canned report template | Columns |
---|---|---|
Events | | |
Files | | |
Users | | |
Create a custom report by defining the entity, attribute, filters, and columns.
Use one of the pre-canned File Analytics templates for your report.
You can get more insight into the usage and contents of files on your system by configuring and updating File Analytics features and settings. Some options include scanning the files on your file server on demand, updating data retention, and configuring data protection.
The data retention period determines how long File Analytics retains event data.
Follow the steps as indicated to configure data retention.
Once enabled, File Analytics scans the metadata of all files and shares on the system. You can perform an on-demand scan of shares in your file system.
Blacklist users, file extensions, and client IPs.
File Analytics uses the file category configuration to classify file extensions.
The capacity widget in the dashboard uses the category configuration to calculate capacity details.
Configure File Analytics disaster recovery (DR) using Prism Element.
File Analytics only supports async disaster recovery. File Analytics does not support NearSync or metro availability.
Create an async protection domain, configure a protection domain schedule, and configure remote site mapping. The remote site must have symmetric configurations to the primary site. The remote site must also deploy File Analytics to restore a File Analytics VM (FAVM).
The Data Protection section in the Prism Web Console Guide provides more detail on the disaster recovery process.
To set up disaster recovery for File Analytics, create an async protection domain, configure a protection domain schedule, and configure remote site mapping.
By default, the File Analytics volume group resides on the same container that hosts vDisks for Nutanix Files.
Recover a File Analytics VM (FAVM) after a planned or unplanned migration to the remote site.
Perform the following tasks on the remote site.
Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.
To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.
nutanix@favm$ sudo blkid
nutanix@favm$ cp /mnt/containers/config/common_config/cvm.config /tmp
nutanix@favm$ sudo systemctl stop monitoring
nutanix@favm$ docker stop $(docker ps -q)
nutanix@favm$ sudo systemctl stop docker
nutanix@favm$ sudo umount /mnt
nutanix@favm$ sudo reboot

nutanix@favm$ sudo blkid
/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
The FAVM discovers the attached volume group and assigns it to the /dev/sdb device.
nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
/mnt/containers/config/common_config/cvm_bck.config
nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
--password='new password' --local_update
nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
--password='new password' --prism_user=admin --prism_password='Prism admin password'
Both passwords are passed as command-line arguments, so they are written to the shell history of the nutanix user on the FAVM and are visible in the process list while the script runs; clear the history entries after the restore.
Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.
To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.
nutanix@favm$ sudo blkid
nutanix@favm$ cp /mnt/containers/config/common_config/cvm.config /tmp
nutanix@favm$ sudo systemctl stop monitoring
nutanix@favm$ docker stop $(docker ps -q)
nutanix@favm$ sudo systemctl stop docker
nutanix@favm$ sudo umount /mnt
nutanix@favm$ sudo /sbin/iscsiadm -m node -u
nutanix@favm$ sudo /sbin/iscsiadm -m node -o delete
nutanix@favm$ sudo blkid
/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
The output does not show the /dev/sdb device.
nutanix@favm$ sudo cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1991-05.com.redhat:8ef967b5b8f
nutanix@favm$ sudo /sbin/iscsiadm --mode discovery --type sendtargets --portal data_services_IP_address:3260
Clicking the Nutanix cluster name in Prism displays cluster details, including the data services IP address. The output displays the restored iSCSI target from step 2.
nutanix@favm$ sudo /sbin/iscsiadm --mode node --targetname iqn_name --portal data_services_IP_address:3260,1 --login
nutanix@favm$ sudo reboot
nutanix@favm$ sudo blkid
/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
/dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"
nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
/mnt/containers/config/common_config/cvm_bck.config
nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
--password='new password' --local_update
nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
--password='new password' --prism_user=admin --prism_password='Prism admin password'
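Added example, not part of the procedures above: a Python pre-flight check that parses blkid output (the constructed samples below reproduce the shape shown in the procedures) and confirms that the volume group device is present before cvm.config is moved back, optionally checking that its filesystem UUID matches the one recorded on the primary FAVM before migration. Recording that UUID beforehand and the assumption that the FAVM boot disk is always /dev/sda are additions of this example.

```python
import shlex
import subprocess

# Constructed blkid output in the shape shown above: cloud-init ISO plus the
# FAVM boot disk, first without and then with the volume group attached.
BEFORE_ATTACH = (
    '/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"\n'
    '/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"\n'
)
AFTER_ATTACH = BEFORE_ATTACH + (
    '/dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"\n'
)

BOOT_DEVICE_PREFIX = "/dev/sda"   # assumption: the FAVM root disk is always sda


def parse_blkid(text):
    """Map each device in blkid output to its KEY="value" attributes."""
    devices = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        dev, _, rest = line.partition(":")
        attrs = {}
        for token in shlex.split(rest):      # shlex strips the quotes for us
            key, _, value = token.partition("=")
            attrs[key] = value
        devices[dev.strip()] = attrs
    return devices


def find_volume_group(devices, expected_uuid=None):
    """Return the device holding the File Analytics volume group, or None if it
    is not attached. Raise if the wrong volume group (UUID mismatch) or more
    than one candidate is present, so the restore does not proceed blindly."""
    candidates = [d for d, a in devices.items()
                  if a.get("TYPE") == "ext4" and not d.startswith(BOOT_DEVICE_PREFIX)]
    if not candidates:
        return None
    if len(candidates) > 1:
        raise RuntimeError(f"multiple candidate devices: {candidates}")
    dev = candidates[0]
    actual = devices[dev].get("UUID")
    if expected_uuid and actual != expected_uuid:
        raise RuntimeError(f"{dev} has UUID {actual}, expected {expected_uuid}")
    return dev


def current_blkid():
    """Run blkid on the FAVM (requires sudo, as in the procedure above)."""
    return subprocess.run(["sudo", "blkid"], capture_output=True, text=True,
                          check=True).stdout


if __name__ == "__main__":
    # On the FAVM, pass the UUID noted on the primary site before migration.
    dev = find_volume_group(parse_blkid(current_blkid()),
                            expected_uuid="30749ab7-58e7-437e-9a09-5f6d9619e85b")
    print("volume group not attached; do not restore cvm.config yet" if dev is None
          else f"volume group attached as {dev}; safe to restore cvm.config")
```

Run the check between the reboot and the mv of cvm.config: a None result means the iSCSI login or automatic discovery did not take effect, and a UUID mismatch means the snapshot that was restored is not the one from the primary FAVM.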
Last updated: 2022-06-14
File Analytics provides data and statistics on the operations and contents of a file server.
Once deployed, Files adds an File Analytics VM to the Files cluster. A single File Analytics VM supports all file servers in the cluster; however, you must enable File Analytics separately for each file server. Data on the File Analytics VM is protected, and is kept in a separate volume group.
Once you deploy File Analytics, a new File Analytics link appears on the file server actions bar. You can access File Analytics through this link for any file server where it is enabled.
The File Analytics web console consists of display features:
Main menu bar : The main menu bar appears at the top of every page of the File Analytics web console. The main menu bar includes the following display features:
Meet the following requirements prior to deploying File Analytics.
Ensure that you have performed the following tasks and your Files deployment meets the following specifications.
Open the required ports and ensure that your firewall allows bi-directional Internet Control Message Protocol (ICMP) traffic between the FAVM and CVMs.
The Port Reference provides detailed port information for Nutanix products and services, including port sources and destinations, service descriptions, directionality, and protocol requirements.
In addition to meeting the File Analytics network requirements, ensure to meet Nutanix Files port requirements as described in the Port Reference .
File Analytics has the following limitations.
Overview of administrative processes for File Analytics.
As an admin, you have the privileges to perform administrative tasks for File Analytics. To add a file server admin user, see Managing Roles in the Nutanix Files Guide . The topics in this chapter describe the basics for administering your File Analytics environment. For advanced administrative options, refer to the File Analytics Options chapter.
Follow this procedure to deploy the File Analytics server.
Steps for enabling File Analytics after deployment or disablement.
Follow these steps to enable File Analytics after disabling the application.
Follow the steps as indicated to disable File Analytics.
File Analytics is disabled on the server. Enable File Analytics to start collecting data again or Delete File Analytics Data.
Do the following to launch File Analytics.
To update a File Analytics VM (FAVM), refer to the sizing guidelines in the File Analytics release notes and follow the steps in the VM Management topic of the Prism Web Console Guide.
Remove a File Analytics VM (FAVM) by disabling it and deleting it from the cluster in Prism.
Follow the steps as indicated to update authentication credentials for LDAP or Active Directory.
Manage the audit data of deleted shares and exports.
By default, File Analytics retains deleted share and export data. The dashboard widgets do not account for data of deleted shares and exports. The deleted marker appears adjacent to deleted shares and exports in audit trails. The Manage Share/Export Audit data window displays a list of deleted shares and exports.
Follow the directions as indicated to delete audit data for the deleted share or export.
Perform File Analytics upgrades using the Life Cycle Manager feature in Prism Element.
Before you upgrade File Analytics, ensure that you are running a compatible version of AOS and Files. Refer to File Analytics release notes for compatibility details. You can upgrade both AOS and Files through Prism Element, see AOS Upgrade in the Prism Web Console Guide .
To upgrade File Analytics, perform inventory and updates using the Life Cycle Manager (LCM); see the Life Cycle Manager Guide for instructions on performing inventory and updates. LCM cannot upgrade File Analytics when the protection domain (PD) for the File Analytics VM (FAVM) includes any other entities.
During the upgrade process, File Analytics takes a snapshot of the volume group (VG) that contains File Analytics data. If issues occur during an upgrade, File Analytics restores the FAVM to the pre-upgrade state. If the volume group is protected and is part of a protection domain, File Analytics creates a snapshot and sets the expiry time to 30 days. If the volume group is not protected, File Analytics creates a snapshot and deletes the snapshot after completing the upgrade successfully. If any errors occur, the system keeps the snapshot for 30 days to troubleshoot the issue.
Upgrade File Analytics at a dark site using the Life-Cycle Manager (LCM).
The Dashboard tab displays data on the operational trends of a file server.
The Dashboard tab is the opening screen that appears after launching File Analytics from Prism. The dashboard displays widgets that present data on file trends, distribution, and operations.
Tile Name | Description | Intervals |
---|---|---|
Capacity Trend | Displays capacity trends for the file server including capacity added, capacity removed, and net changes. Clicking an event period widget displays the Capacity Trend Details view. | Seven days, the last 30 days, or the last 1 year. |
Data Age | Displays the percentage of data by age. | Less than 3 months, 3–6 months, 6–12 months, and > 12 months. |
Anomaly Alerts | Displays alerts for configured anomalies, see Configuring Anomaly Detection. | |
Permission Denials | Displays users who have had excessive permission denials and the number of denials. Clicking a user displays audit details, see Audit Trails - Users for more. | [user id], [number of permission denials] |
File Distribution by Size | Displays the number of files by file size. Provides trend details for top 5 files. | Less than 1 MB, 1–10 MB, 10–100 MB, 100 MB to 1 GB, greater than 1 GB. |
File Distribution by Type | Displays the space taken up by various applications and file types. The file type is determined by the file extension. See the File Types table for more details. | MB or GB |
File Distribution by Type Details view | Displays a trend graph of the top 5 file types. File distribution details include file type, current space used, current number of files, and change in space for the last 7 or 30 days. Clicking View Details displays the File Distribution by Type view. | Daily size trend for top 5 files (GB), file type (see File Type table), current space used (GB), current number of files (numeric), change in last 7 or 30 days (GB). |
Top 5 active users | Lists the users who have accessed the most files and the number of operations each user performed for the specified period. When there are more than 5 active users, the more link provides details on the top 50 users. Clicking the user name displays the audit view for the user, see Audit Trails - Users for more. | 24 hours, 7 days, 1 month, or 1 year. |
Top 5 accessed files | Lists the 5 most frequently accessed files. Clicking more provides details on the top 50 files. Clicking the file name displays the audit view details for the file, see Audit Trails - Files for more. | Twenty-four hours, 7 days, 1 month, or 1 year. |
Files Operations | Displays the distribution of operation types for the specified period including a count for each operation type and the total sum of all operations. Operations include: create, delete, read, write, rename, permission changed, set attribute, symlink, permission denied, permission denied (file blocking). Clicking an operation displays the File Operation Trend view. | Twenty-four hours, 7 days, 1 month, or 1 year. |
Clicking an event period in the Capacity Trend widget displays the Capacity Trend Details view for that period. The view includes three tabs: Share/Export, Folder, and Category. Each tab includes the following columns: Name, Net Capacity Change, Capacity Added, and Capacity Removed.
Column | Description |
---|---|
Name | Name of share/export, folder, or category. |
Net Capacity Change | The total difference between capacity at the beginning and the end of the specified period. |
Share Name (for folders only) | The name of the share or export that the folder belongs to. |
Capacity Added | Total added capacity for the specified period. |
Capacity Removed | Total removed capacity for the specified period. |
Clicking View Details for the File Distribution by Type widget displays granular details of file distribution, see the File Types table below for details.
Column | Description |
---|---|
File Type | Name of file type |
Current Space Used | Space capacity occupied by the file type |
Current Number of Files | Number of files for the file type |
Change (In Last 30 Days) | The increase in capacity over a 30-day period for the specified file type. |
Category | Supported File Type |
---|---|
Archives | .cab, .gz, .rar, .tar, .z, .zip |
Audio | .aiff, .au, .mp3, .mp4, .wav, .wma |
Backups | .bak, .bkf, .bkp |
CD/DVD Images | .img, .iso, .nrg |
Desktop Publishing | .qxd |
Email Archives | .pst |
Hard Drive images | .tib, .gho, .ghs |
Images | .bmp, .gif, .jpg, .jpeg, .pdf, .png, .psd, .tif, .tiff |
Installers | .msi, .rpm |
Log Files | .log |
Lotus Notes | .box, .ncf, .nsf, .ns2, .ns3, .ns4, .ntf |
MS Office Documents | .accdb, .accde, .accdt, .accdr, .doc, .docx, .docm, .dot, .dotx, .dotm, .xls, .xlsx, .xlsm, .xlt, .xltx, .xltm, .xlsb, .xlam, .ppt, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .mdb |
System Files | .bin, .dll, .exe |
Text Files | .csv, .pdf, .txt |
Video | .avi, .mpg, .mpeg, .mov, .m4v |
Disk Image | .hlog, .nvram, .vmdk, .vmx, .vmxf, .vmtm, .vmem, .vmsn, .vmsd |
Clicking an operation type in the File Operations widget displays the File Operation Trend view. The File Operation Trend view breaks down the specified period into smaller intervals, and displays the number of occurrences of the operation during each interval.
Category | Description |
---|---|
Operation Type | A drop-down option to specify the operation type. See Files Operations in the Dashboard Widgets table for a list of operation types. |
Last (time period) | A drop-down option to specify the period for the file operation trend. |
File operation trend graph | The x-axis displays the shorter intervals that make up the specified period. The y-axis displays the number of operations in each interval. |
File Analytics uses the file category configuration to classify file extensions.
The capacity widget in the dashboard uses the category configuration to calculate capacity details.
The Health dashboard displays dynamically updated health information about each File Analytics component.
The Health dashboard includes the following details:
Data panes in the Anomalies tab display data and trends for configured anomalies.
You can configure anomalies for the following operations:
Define anomaly rules by specifying the following conditions:
Meeting the lower operation threshold triggers an anomaly.
Consider a scenario where you have 1 thousand files, the operation count threshold defined as 10, and the operation percentage threshold defined as 10%. The count threshold takes precedence, as 10% of 1 thousand is 100, which is greater than the count threshold of 10.
Pane Name | Description | Values |
---|---|---|
Anomaly Trend | Displays the number of anomalies per day or per month. | Last 7 days, Last 30 days, Last 1 year |
Top Users | Displays the users with the most anomalies and the number of anomalies per user. | Last 7 days, Last 30 days, Last 1 year |
Top Folders | Displays the folders with the most anomalies and the number of anomalies per folder. | Last 7 days, Last 30 days, Last 1 year |
Operation Anomaly Types | Displays the percentage of occurrences per anomaly type. | Last 7 days, Last 30 days, Last 1 year |
Clicking an anomaly bar in the Anomaly Trend graph displays the Anomaly Details view.
Column | Description |
---|---|
Anomaly Type | The configured anomaly type. Anomaly types not configured do not show up in the table. |
Total User Count | The number of users that have performed the operation causing the specified anomaly during the specified time range. |
Total Folder Count | The number of folders in which the anomaly occurred during the specified time range. |
Total Operation Count | Total number of anomalies for the specified anomaly type that occurred during the specified time range. |
Time Range | The time range for which the total user count, total folder count, and total operation count are specified. |
Column | Description |
---|---|
Username or Folders | Indicates the entity for the operation count. Selecting the Users tab indicates operation count for specific users, and selecting the Folders tab indicates the operation count for specific folders. |
Operation count | The total number of operations causing anomalies for the selected user or folder during the time period for the bar in the Anomaly Trend graph. |
Steps for configuring anomaly rules.
Configure an SMTP server for File Analytics to send anomaly alerts, see Configuring an SMTP Server. To create an anomaly rule, do the following.
File Analytics uses a Simple Mail Transfer Protocol (SMTP) server to send anomaly alerts.
Use audit trails to look up operation data for a specific user, file, folder, or client.
The Audit Trails tab includes Files, Folders, Users, and Client IP options for specifying the audit type. Use the search bar to specify the entity to audit (user, folder, file, or client IP).
The results table presents details for entities that match the search criteria. Clicking the entity name (or client IP number) takes you to the Audit Trails dashboard for the target entity.
Audit a user, file, client, or folder.
Details for client IP Audit Trails.
When you search by user in the Audit Trails tab, search results display the following information in a table.
Clicking View Audit displays the Audit Details page, which shows the following audit information for the selected user.
The Results table provides granular details of the audit results. The following data is displayed for every event.
Click the gear icon for options to download the data as an XLS, CSV, or JSON file.
Dashboard details for folder audits.
The following information displays when you search by folder in the Audit Trails tab.
The Audit Details page shows the following audit information for the selected folder.
The Results table provides granular details of the audit results. File Analytics displays the following data for every event.
Click the gear icon for options to download the data as a CSV file.
Dashboard details for file audits.
When you search by file in the Audit Trails tab, the following information displays:
The Audit Details page shows the following audit information for the selected file.
The Results table provides granular details of the audit results. File Analytics displays the following data for every event.
Click the gear icon for options to download the data as a CSV file.
Dashboard details for client IP Audit Trails.
When you search by client IP in the Audit Trails tab, search results display the following information in a table.
The Audit Details page shows the following audit information for the selected client.
The Results table provides granular details of the audit results. File Analytics displays the following data for every event.
Click the gear icon for an option to download the data as a CSV file.
You can get more insight into the usage and contents of files on your system by configuring and updating File Analytics features and settings. Some options include scanning the files on your file server on demand, updating data retention, and configuring data protection.
The data retention period determines how long File Analytics retains event data.
Follow the steps as indicated to configure data retention.
Once enabled, File Analytics scans the metadata of all files and shares on the system. You can perform an on-demand scan of shares in your file system.
Blacklist users, file extensions, and client IPs.
Configure File Analytics disaster recovery (DR) using Prism Element.
File Analytics only supports async disaster recovery. File Analytics does not support NearSync and metro availability.
Create an async protection domain, configure a protection domain schedule, and configure remote site mapping. The remote site must have symmetric configurations to the primary site. The remote site must also deploy File Analytics to restore a File Analytics VM (FAVM).
The Data Protection section in the Prism Web Console Guide provides more detail on the disaster recovery process.
To set up disaster recovery for File Analytics, create an async protection domain, configure a protection domain schedule, and configure remote site mapping.
By default, the File Analytics volume group resides on the same container that hosts vDisks for Nutanix Files.
Recover a File Analytics VM (FAVM) after a planned or unplanned migration to the remote site.
Perform the following tasks on the remote site.
Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.
To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.
nutanix@favm$ sudo blkid
nutanix@favm$ cd /mnt/containers/config/common_config/
nutanix@favm$ sudo cp cvm.config /tmp
nutanix@favm$ sudo systemctl stop monitoring
nutanix@favm$ docker stop $(docker ps -q)
nutanix@favm$ sudo systemctl stop docker
nutanix@favm$ sudo umount /mnt
nutanix@favm$ sudo /sbin/iscsiadm -m node -u
nutanix@favm$ sudo /sbin/iscsiadm -m node -o delete
nutanix@favm$ sudo blkid
/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
The output does not show the /dev/sdb device.
nutanix@favm$ sudo cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1991-05.com.redhat:8ef967b5b8f
nutanix@favm$ sudo /sbin/iscsiadm --mode discovery --type sendtargets --portal data_services_IP_address:3260
Clicking the Nutanix cluster name in Prism displays cluster details including the data service IP address. The output displays the restored iSCSI target from step 2.
nutanix@favm$ sudo /sbin/iscsiadm --mode node --targetname iqn_name --portal data_services_IP_address:3260,1 --login
nutanix@favm$ sudo reboot
nutanix@favm$ sudo blkid
/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
/dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"
nutanix@favm$ cd /mnt/containers/config/common_config/
nutanix@favm$ mv cvm.config cvm_bck.config
nutanix@favm$ cd /tmp
nutanix@favm$ mv cvm.config /mnt/containers/config/common_config/
nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
--password='new password' --local_update
nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
--password='new password' --prism_user=admin --prism_password='Prism admin password'
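Before moving cvm.config back and resetting credentials, a practitioner wants a repeatable check that the restored volume group device is actually visible after the iSCSI login and reboot. The following added example (not part of the Nutanix procedure) parses the two blkid outputs shown in the steps above; it assumes, from that sample output, that /dev/sdb is the volume group device and that its filesystem is ext4.

```python
"""Check blkid output for the restored File Analytics volume group device.

Added example, not Nutanix code. The two outputs below are copied from the
recovery steps above; the device name /dev/sdb and the ext4 type are taken
from that sample, not from any File Analytics specification.
"""
import re
from typing import Dict, Set

# blkid prints "<device>: KEY="value" KEY="value" ..." per device. When the
# output is copied from a terminal the records are sometimes run together on
# one line, so tokens are recognised individually instead of splitting lines.
_TOKEN = re.compile(r'(/dev/[^\s:]+):|(\w+)="([^"]*)"')

# blkid output from before the iSCSI target was re-attached (copied from above).
BLKID_BEFORE = (
    '/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" '
    '/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"'
)

# blkid output after login and reboot (copied from above).
BLKID_AFTER = (
    '/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"\n'
    '/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"\n'
    '/dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"'
)


def parse_blkid(text: str) -> Dict[str, Dict[str, str]]:
    """Map each device path to its attribute dict (UUID, LABEL, TYPE, ...).

    Quoted values are captured whole, so a LABEL containing spaces survives.
    """
    devices: Dict[str, Dict[str, str]] = {}
    current = None
    for match in _TOKEN.finditer(text):
        device, key, value = match.groups()
        if device is not None:
            current = device
            devices.setdefault(current, {})
        elif current is not None:
            devices[current][key] = value
    return devices


def vg_device_ready(text: str, device: str = "/dev/sdb", fstype: str = "ext4") -> bool:
    """True when the VG device is listed with a filesystem UUID of the expected type.

    A device that appears without a TYPE or UUID is not considered ready: that
    would mean the block device is attached but no recognisable filesystem is on it.
    """
    attrs = parse_blkid(text).get(device)
    return attrs is not None and attrs.get("TYPE") == fstype and bool(attrs.get("UUID"))


def newly_attached(before_text: str, after_text: str) -> Set[str]:
    """Devices present in the second blkid output but not in the first."""
    return set(parse_blkid(after_text)) - set(parse_blkid(before_text))


if __name__ == "__main__":
    print("before:", vg_device_ready(BLKID_BEFORE))   # False
    print("after: ", vg_device_ready(BLKID_AFTER))    # True
    print("attached:", newly_attached(BLKID_BEFORE, BLKID_AFTER))
```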
Product Release Date: 2022-04-05
Last updated: 2022-11-04
File Analytics provides data and statistics on the operations and contents of a file server.
Once deployed, Nutanix Files adds a File Analytics VM (FAVM) to the Files cluster. A single File Analytics VM supports all file servers in the cluster; however, you must enable File Analytics separately for each file server. File Analytics protects data on the FAVM, which is kept in a separate volume group.
The File Analytics web console consists of the following display features:
Main menu bar : The main menu bar appears at the top of every page of the File Analytics web console. The main menu bar includes the following display features:
Meet the following requirements prior to deploying File Analytics.
Ensure that you have performed the following tasks and your Files deployment meets the following specifications.
Open the required ports, and ensure that your firewall allows bi-directional Internet Control Message Protocol (ICMP) traffic between the FAVM and CVMs.
The Port Reference provides detailed port information for Nutanix products and services, including port sources and destinations, service descriptions, directionality, and protocol requirements.
In addition to meeting the File Analytics network requirements, ensure that you meet the Nutanix Files port requirements as described in the Port Reference.
File Analytics has the following limitations.
Overview of administrative processes for File Analytics.
As an admin, you have the required permissions for performing File Analytics administrative tasks. To add a file server admin user, see Managing Roles in the Nutanix Files Guide . The topics in this chapter describe the basics for administering your File Analytics environment. For advanced administrative options, refer to the File Analytics Options chapter.
Prism Element supports role-based access control (RBAC) that allows you to configure and provide customized access to the users based on their assigned roles.
From the Prism Element dashboard, you can assign a set of predefined built-in roles (system roles) to users or user groups. File Analytics supports the following built-in roles (system roles) that are defined by default:
Follow this procedure to deploy the File Analytics server.
Steps for enabling File Analytics after deployment or disablement.
Follow these steps to enable File Analytics after disabling the application.
Follow the steps as indicated to disable File Analytics.
File Analytics is disabled on the server. Enable File Analytics to start collecting data again or Delete File Analytics Data.
Do the following to launch File Analytics.
To update a File Analytics VM (FAVM), refer to the sizing guidelines in the File Analytics release notes and follow the steps in the VM Management topic of the Prism Web Console Guide .
Remove a File Analytics VM (FAVM) by disabling it and deleting it from the cluster in Prism.
Follow the steps as indicated to update authentication credentials for LDAP or Active Directory.
Manage the audit data of deleted shares and exports.
By default, File Analytics retains deleted share and export data. The dashboard widgets do not account for data of deleted shares and exports. The deleted marker appears next to deleted shares and exports in audit trails. The Manage Share/Export Audit data window displays a list of deleted shares and exports.
Follow the directions as indicated to delete audit data for the deleted share or export.
Steps for updating the password of a File Analytics VM (FAVM).
nutanix@fsvm$ sudo passwd nutanix
Changing password for user nutanix.
Old Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
The password must meet the following complexity requirements:
Perform File Analytics upgrades using the Life Cycle Manager feature in Prism Element.
Before you proceed with the FA upgrade, ensure you meet the following:
Refer to File Analytics release notes for compatibility details. You can upgrade both AOS and Files through Prism Element, see AOS Upgrade in the Prism Web Console Guide .
To upgrade File Analytics, perform inventory and updates using the Life Cycle Manager (LCM); see the Life Cycle Manager Guide for instructions on performing inventory and updates.
During the upgrade process, File Analytics takes a snapshot of the volume group (VG) that contains File Analytics data. If issues occur during an upgrade, File Analytics restores the FAVM to the pre-upgrade state. If the volume group is protected and is part of a protection domain, File Analytics creates a snapshot and sets the expiry time to 30 days. If the volume group is not protected, File Analytics creates a snapshot and deletes the snapshot after completing the upgrade successfully. If any errors occur, the system keeps the snapshot for 30 days to troubleshoot the issue.
Upgrade File Analytics at a dark site using the Life-Cycle Manager (LCM).
The Dashboard tab displays data on the operational trends of a file server.
The Dashboard tab is the opening screen that appears after launching File Analytics for a specific file server. The dashboard displays widgets that present data on file trends, distribution, and operations.
Tile Name | Description | Intervals |
---|---|---|
Capacity trend | Displays capacity trends for the file server including capacity added, capacity removed, and net changes. Clicking an event period widget displays the Capacity Trend Details view. | 7 days, the last 30 days, or the last 1 year. |
Data age | Displays the percentage of data by age. Data age determines the data heat, including: hot, warm, and cold. | Default intervals are as follows: |
Permission denials | Displays users who have had excessive permission denials and the number of denials. Clicking a user displays audit details, see Audit Trails - Users for more. | [user id], [number of permission denials] |
File distribution by size | Displays the number of files by file size. Provides trend details for top 5 files. | Less than 1 MB, 1–10 MB, 10–100 MB, 100 MB to 1 GB, greater than 1 GB. |
File distribution by type | Displays the space taken up by various applications and file types. The file extension determines the file type. See the File types table for more details. | MB or GB |
File distribution by type details view | Displays a trend graph of the top 5 file types. File distribution details include file type, current space used, current number of files, and change in space for the last 7 or 30 days. Clicking View Details displays the File Distribution by Type view. | Daily size trend for top 5 files (GB), file type (see the "File Type" table), current space used (GB), current number of files (numeric), change in last 7 or 30 days (GB). |
Top 5 active users | Lists the users who have accessed the most files and the number of operations each user performed for the specified period. When there are more than 5 active users, the more link provides details on the top 50 users. Clicking the user name displays the audit view for the user, see Audit Trails - Users for more. | 24 hours, 7 days, 1 month, or 1 year. |
Top 5 accessed files | Lists the 5 most frequently accessed files. Clicking more provides details on the top 50 files. Clicking the file name displays the audit view details for the file, see Audit Trails - Files for more. | 24 hours, 7 days, 1 month, or 1 year. |
Files operations | Displays the distribution of operation types for the specified period, including a count for each operation type and the total sum of all operations. Operations include: create, delete, read, write, rename, permission changed, set attribute, symlink, permission denied, permission denied (file blocking). Clicking an operation displays the File Operation Trend view. | 24 hours, 7 days, 1 month, or 1 year. |
Clicking an event period in the Capacity Trend widget displays the Capacity Trend Details view for that period. The view includes three tabs: Share/Export, Folder, and Category. Each tab includes the following columns: Name, Net capacity change, Capacity added, and Capacity removed.
Column | Description |
---|---|
Name | Name of share/export, folder, or category. |
Net capacity change | The total difference between capacity at the beginning and the end of the specified period. |
Share name (for folders only) | The name of the share or export that the folder belongs to. |
Capacity added | Total added capacity for the specified period. |
Capacity removed | Total removed capacity for the specified period. |
Clicking View Details for the File Distribution by Type widget displays granular details of file distribution, see the File Types table for details.
Column | Description |
---|---|
File type | Name of file type |
Current space used | Space capacity occupied by the file type |
Current number of files | Number of files for the file type |
Change (in last 30 days) | The increase in capacity over a 30-day period for the specified file type |
Category | Supported File Type |
---|---|
Archives | .cab, .gz, .rar, .tar, .z, .zip |
Audio | .aiff, .au, .mp3, .mp4, .wav, .wma |
Backups | .bak, .bkf, .bkp |
CD/DVD images | .img, .iso, .nrg |
Desktop publishing | .qxd |
Email archives | .pst |
Hard drive images | .tib, .gho, .ghs |
Images | .bmp, .gif, .jpg, .jpeg, .pdf, .png, .psd, .tif, .tiff |
Installers | .msi, .rpm |
Log Files | .log |
Lotus notes | .box, .ncf, .nsf, .ns2, .ns3, .ns4, .ntf |
MS Office documents | .accdb, .accde, .accdt, .accdr, .doc, .docx, .docm, .dot, .dotx, .dotm, .xls, .xlsx, .xlsm, .xlt, .xltx, .xltm, .xlsb, .xlam, .ppt, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .mdb |
System files | .bin, .dll, .exe |
Text files | .csv, .pdf, .txt |
Video | .avi, .mpg, .mpeg, .mov, .m4v |
Disk image | .hlog, .nvram, .vmdk, .vmx, .vmxf, .vmtm, .vmem, .vmsn, .vmsd |
Clicking an operation type in the File Operations widget displays the File Operation Trend view. The File Operation Trend view breaks down the specified period into smaller intervals, and displays the number of occurrences of the operation during each interval.
Category | Description |
---|---|
Operation type | A drop-down option to specify the operation type. See Files Operations in the Dashboard Widgets table for a list of operation types. |
Last (time period) | A drop-down option to specify the period for the file operation trend. |
File operation trend graph | The x-axis displays the shorter intervals that make up the specified period. The y-axis displays the number of operations in each interval. |
The Health dashboard displays dynamically updated health information about each file server component.
The Health dashboard includes the following details:
The Data Age widget in the dashboard provides details on data heat.
Share-level data is displayed to provide details on share capacity trends. There are three levels of data heat:
You can configure the definitions for each level of data heat rather than using the default values. See Configuring Data Heat Levels.
Update the values that constitute different data heat levels.
Data panes in the Anomalies tab display data and trends for configured anomalies.
The Anomalies tab provides options for creating anomaly policies and displays dashboards for viewing anomaly trends.
You can configure anomalies for the following operations:
Define anomaly rules by specifying the following conditions:
Meeting the lower operation threshold triggers an anomaly.
Consider a scenario where you have 1 thousand files, the operation count threshold defined as 10, and the operation percentage threshold defined as 10%. The count threshold takes precedence, as 10% of 1 thousand is 100, which is greater than the count threshold of 10.
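The threshold rule stated above ("the lower operation threshold triggers", illustrated by the 1,000-file scenario, which the earlier Anomalies section also gives) can be reproduced as detection logic over audit events. The following is an added Python example, not File Analytics code: the rule fields (operation type, count threshold, percentage threshold), the per-user scoping, and the event-log format and user names are constructed for illustration.

```python
"""Evaluate File Analytics-style anomaly rules over a constructed audit log.

Added example, not Nutanix code. A rule carries an operation type, an
operation count threshold and an operation percentage threshold, as described
above; the event line format "<timestamp> <user> <operation> <path>" and the
user names are constructed for this illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class AnomalyRule:
    operation: str            # operation type the rule watches, e.g. "delete"
    count_threshold: int      # absolute number of operations in the interval
    percent_threshold: float  # percentage of the share's total file count

    def effective_threshold(self, total_files: int) -> float:
        """The lower of the two thresholds is the one that triggers.

        With 1,000 files, a count threshold of 10 and 10 %, the percentage
        threshold works out to 100 operations, so the count threshold (10)
        takes precedence. With only 50 files the percentage threshold (5)
        is the lower one and wins instead.
        """
        percent_as_count = total_files * self.percent_threshold / 100.0
        return min(float(self.count_threshold), percent_as_count)


def _lines(user: str, op: str, n: int) -> List[str]:
    """Build n constructed audit lines for one user and operation type."""
    return [f"2022-06-14T09:{i:02d}:00 {user} {op} /share1/f{i}.docx" for i in range(n)]


# Constructed sample log: 12 deletes by alice, 6 by bob, 9 reads by carol,
# plus one malformed line that a parser must tolerate.
SAMPLE_LOG = "\n".join(
    _lines("alice", "delete", 12) + _lines("bob", "delete", 6)
    + _lines("carol", "read", 9) + ["garbled line"]
)


def parse_events(text: str) -> List[Tuple[str, str]]:
    """Return (user, operation) pairs; lines without exactly four fields are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, user, operation, _path = parts
        events.append((user, operation))
    return events


def find_anomalies(events: Iterable[Tuple[str, str]], rule: AnomalyRule,
                   total_files: int) -> Dict[str, int]:
    """Users whose count of the rule's operation meets the effective threshold.

    'Meets' is >=, matching "meeting the lower operation threshold triggers".
    """
    threshold = rule.effective_threshold(total_files)
    per_user = Counter(user for user, op in events if op == rule.operation)
    return {u: n for u, n in sorted(per_user.items()) if n >= threshold}


if __name__ == "__main__":
    rule = AnomalyRule("delete", count_threshold=10, percent_threshold=10.0)
    events = parse_events(SAMPLE_LOG)
    print(find_anomalies(events, rule, total_files=1000))  # {'alice': 12}
    print(find_anomalies(events, rule, total_files=50))    # {'alice': 12, 'bob': 6}
```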
Pane Name | Description | Values |
---|---|---|
Anomaly Trend | Displays the number of anomalies per day or per month. | Last 7 days, Last 30 days, Last 1 year |
Top Users | Displays the users with the most anomalies and the number of anomalies per user. | Last 7 days, Last 30 days, Last 1 year |
Top Folders | Displays the folders with the most anomalies and the number of anomalies per folder. | Last 7 days, Last 30 days, Last 1 year |
Operation Anomaly Types | Displays the percentage of occurrences per anomaly type. | Last 7 days, Last 30 days, Last 1 year |
Clicking an anomaly bar in the Anomaly Trend graph displays the Anomaly Details view.
Column | Description |
---|---|
Anomaly Type | The configured anomaly type. Anomaly types not configured do not show up in the table. |
Total User Count | The number of users that have performed the operation causing the specified anomaly during the specified time range. |
Total Folder Count | The number of folders in which the anomaly occurred during the specified time range. |
Total Operation Count | Total number of anomalies for the specified anomaly type that occurred during the specified time range. |
Time Range | The time range for which the total user count, total folder count, and total operation count are specified. |
Column | Description |
---|---|
Username or Folders | Indicates the entity for the operation count. Selecting the Users tab indicates operation count for specific users, and selecting the Folders tab indicates the operation count for specific folders. |
Operation count | The total number of operations causing anomalies for the selected user or folder during the time period for the bar in the Anomaly Trend graph. |
Steps for configuring anomaly rules.
To create an anomaly rule, do the following.
File Analytics uses a Simple Mail Transfer Protocol (SMTP) server to send anomaly alerts.
Use audit trails to look up operation data for a specific user, file, folder, or client.
The Audit Trails tab includes Files, Folders, Users, and Client IP options for specifying the audit type. Use the search bar to specify the entity to audit (user, folder, file, or client IP).
The results table presents details for entities that match the search criteria. Clicking the entity name (or client IP number) takes you to the Audit Trails dashboard for the target entity.
Audit a user, file, client, or folder.
Details for client IP Audit Trails.
When you search by user in the Audit Trails tab, search results display the following information in a table.
Clicking View Audit displays the Audit Details page, which shows the following audit information for the selected user.
The Results table provides granular details of the audit results. The following data is displayed for every event.
Click the gear icon for options to download the data as an XLS, CSV, or JSON file.
Dashboard details for folder audits.
The following information displays when you search by folder in the Audit Trails tab.
The Audit Details page shows the following audit information for the selected folder.
The Results table provides granular details of the audit results. File Analytics displays the following data for every event.
Click the gear icon for options to download the data as a CSV file.
Dashboard details for file audits.
When you search by file in the Audit Trails tab, the following information displays:
The Audit Details page shows the following audit information for the selected file.
The Results table provides granular details of the audit results. File Analytics displays the following data for every event.
Click the gear icon for options to download the data as a CSV file.
Dashboard details for client IP Audit Trails.
When you search by client IP in the Audit Trails tab, search results display the following information in a table.
The Audit Details page shows the following audit information for the selected client.
The Results table provides granular details of the audit results. File Analytics displays the following data for every event.
Click the gear icon for an option to download the data as a CSV file.
Ransomware protection for your file server.
File Analytics scans files for ransomware in real time and notifies you in the event of a ransomware attack once you configure email notifications.
Using a curated list of over 250 signatures that frequently appear in ransomware files, the Nutanix Files file blocking mechanism identifies files with ransomware extensions and blocks them from carrying out malicious operations. You can modify the list by manually adding or removing signatures in Nutanix Files; see "File Blocking" in the Nutanix Files User Guide.
File Analytics also monitors shares for self-service restore (SSR) policies and identifies shares that do not have SSR enabled in the ransomware dashboard. You can enable SSR through the ransomware dashboard.
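The blocking described above is name-based: a file operation is denied when the file name matches one of the curated signatures. The following added example (illustrative code written for this page, not the Nutanix Files implementation) shows what such a matcher has to get right, namely matching on the base name only and ignoring case, and runs it over a handful of constructed file operations. The signature list, the event tuples, the function names, and the assumption that signatures are shell-style glob patterns are all mine; the real curated list is maintained in Nutanix Files and is not reproduced here.

```python
"""Extension-signature matching of the kind used by file blocking.

Illustrative code added to this page; not the Nutanix Files implementation.
The signature list and the events are constructed samples, and the assumption
that signatures are shell-style globs matched case-insensitively against the
file name is mine.
"""
import fnmatch
import os

# Constructed sample signatures (the curated list is maintained in Nutanix Files).
SAMPLE_SIGNATURES = (
    "*.locked",
    "*.crypt",
    "*.enc",
    "*readme_to_decrypt*.txt",
)

# Operations that create or rename a name on the share are the ones a
# name-based block can stop; reads of an already-present file are not checked here.
CHECKED_OPERATIONS = ("create", "rename", "write")

# Constructed sample events: (operation, path). For a rename the path is the new name.
SAMPLE_EVENTS = (
    ("create", "/finance/Q3-forecast.xlsx"),
    ("read", "/finance/Q3-forecast.xlsx"),
    ("rename", "/finance/Q3-forecast.xlsx.LOCKED"),
    ("create", "/finance/README_TO_DECRYPT.txt"),
    ("read", "/archive/old-notes.enc"),
    ("create", "/archive/minutes.docx"),
)


def matching_signature(path, signatures=SAMPLE_SIGNATURES):
    """Return the first signature the file name matches, or None.

    Matching is on the base name only and case-insensitive, so Q3.xlsx.LOCKED
    is caught by *.locked; the share path itself is never part of the match.
    """
    name = os.path.basename(path).lower()
    for sig in signatures:
        if fnmatch.fnmatchcase(name, sig.lower()):
            return sig
    return None


def blocked_operations(events, signatures=SAMPLE_SIGNATURES):
    """Return (operation, path, signature) for every event that file blocking would deny."""
    blocked = []
    for op, path in events:
        if op not in CHECKED_OPERATIONS:
            continue
        sig = matching_signature(path, signatures)
        if sig is not None:
            blocked.append((op, path, sig))
    return blocked


if __name__ == "__main__":
    for op, path, sig in blocked_operations(SAMPLE_EVENTS):
        print(f"DENY {op:<6} {path}  (matched {sig})")
```

Two of the six constructed events are denied: the rename that appends .LOCKED and the creation of the ransom note. The read of old-notes.enc is left alone, which is the point of pairing file blocking with SSR: blocking stops new encrypted names from landing on the share, and snapshots cover files that were already written.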
The ransomware dashboard includes panes for managing ransomware protection and self-service restore (SSR).
The ransomware dashboard includes two main sections:
Enable ransomware protection on your file server.
Configure ransomware protection on file servers.
Do the following to add a signature to the blocked extension list.
Enable self-service restore on shares identified by File Analytics.
File Analytics scans shares for SSR policies.
Generate a report for entities on the file server.
Create a report with custom attribute values or use one of the File Analytics pre-canned report templates. To create a custom report, specify the entity, attributes (and operators for some attributes), attribute values, column headings, and the number of columns. Pre-canned reports define most of the attributes and headings based on the entity and template that you choose.
The Reports dashboard displays a table of previously generated reports. You can rerun existing reports rather than creating a new template. After creating a report, you can download it as a JSON or CSV file.
The reports dashboard includes options to create, view, and download reports.
The Reports dashboard includes options to create a report, download reports as JSON, download reports as CSV, rerun reports, and delete reports.
The reports table includes columns for the report name, status, last run, and actions.
Clicking Create a new report takes you to the report creation screen, which includes a Report Builder tab and a Pre-canned Report Templates tab. The tabs include report options and filters for report configuration.
Both tabs include the following elements:
Entity | Attributes (filters) | Operator | Value | Column |
---|---|---|---|---|
Events | event_date | | (date) | |
Events | Event_operation | N/A | | |
Files | Category | | (date) | |
Files | Extensions | N/A | (type in value) | |
Files | Deleted | N/A | Last (number of days from 1 to 30) days | |
Files | creation_date | | (date) | |
Files | access_date | | (date) | |
Files | Size | | (number) (file size) File size options: | |
Folders | Deleted | N/A | Last (number of days from 1 to 30) days | |
Folders | creation_date | | (date) | |
Users | last_event_date | | (date) | |
Entity | Pre-canned report template | Columns |
---|---|---|
Events | | |
Files | | |
Users | | |
Create a custom report by defining the entity, attribute, filters, and columns.
Use one of the pre-canned File Analytics templates for your report.
You can get more insight into the usage and contents of files on your system by configuring and updating File Analytics features and settings. Some options include scanning the files on your file server on demand, updating data retention, and configuring data protection.
The data retention period determines how long File Analytics retains event data.
Follow the steps as indicated to configure data retention.
Once enabled, File Analytics scans the metadata of all files and shares on the system. You can perform an on-demand scan of shares in your file system.
Deny users, file extensions, and client IP addresses.
File Analytics uses the file category configuration to classify file extensions.
The capacity widget in the dashboard uses the category configuration to calculate capacity details.
Configure File Analytics disaster recovery (DR) using Prism Element.
File Analytics only supports async disaster recovery. File Analytics does not support NearSync and metro availability.
Create an async protection domain, configure a protection domain schedule, and configure remote site mapping. The remote site must have symmetric configurations to the primary site. The remote site must also deploy File Analytics to restore a File Analytics VM (FAVM).
The Data Protection section in the Prism Web Console Guide provides more detail on the disaster recovery process.
To set up disaster recovery for File Analytics, create an async protection domain, configure a protection domain schedule, and configure remote site mapping.
By default, the File Analytics volume group resides on the same container that hosts vDisks for Nutanix Files.
Recover a File Analytics VM (FAVM) after a planned or unplanned migration to the remote site.
Perform the following tasks on the remote site.
Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.
To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.
nutanix@favm$ sudo blkid
nutanix@favm$ cp /mnt/containers/config/common_config/cvm.config /tmp
nutanix@favm$ sudo systemctl stop monitoring
nutanix@favm$ docker stop $(docker ps -q)
nutanix@favm$ sudo systemctl stop docker
nutanix@favm$ sudo umount /mnt
nutanix@favm$ sudo reboot

nutanix@favm$ sudo blkid
/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
The FAVM discovers the attached volume group and assigns it to the /dev/sdb device.
nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
/mnt/containers/config/common_config/cvm_bck.config
nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
--password='new password' --local_update
nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
--password='new password' --prism_user=admin --prism_password='Prism admin password'
Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.
To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.
nutanix@favm$ sudo blkid
nutanix@favm$ cp /mnt/containers/config/common_config/cvm.config /tmp
nutanix@favm$ sudo systemctl stop monitoring
nutanix@favm$ docker stop $(docker ps -q)
nutanix@favm$ sudo systemctl stop docker
nutanix@favm$ sudo umount /mnt
nutanix@favm$ sudo /sbin/iscsiadm -m node -u
nutanix@favm$ sudo /sbin/iscsiadm -m node -o delete
nutanix@favm$ sudo blkid
/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
The output no longer shows the /dev/sdb device.
nutanix@favm$ sudo cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1991-05.com.redhat:8ef967b5b8f
nutanix@favm$ sudo /sbin/iscsiadm --mode discovery --type sendtargets --portal data_services_IP_address:3260
Clicking the Nutanix cluster name in Prism displays cluster details, including the data services IP address. The output displays the restored iSCSI target from step 2.
nutanix@favm$ sudo /sbin/iscsiadm --mode node --targetname iqn_name --portal data_services_IP_address:3260,1 --login
nutanix@favm$ sudo reboot
nutanix@favm$ sudo blkid
/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
/dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"
nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
/mnt/containers/config/common_config/cvm_bck.config
nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
--password='new password' --local_update
nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
--password='new password' --prism_user=admin --prism_password='Prism admin password'
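Both recovery transcripts above hinge on two manual checkpoints: confirming from blkid that the restored volume group is visible as /dev/sdb with an ext4 filesystem before anything is changed, and swapping cvm.config for the copy staged in /tmp while keeping the old file as cvm_bck.config. The following added example (illustrative code written for this page, not a Nutanix utility) performs both checks on parsed blkid text and on an arbitrary directory, so the logic can be exercised away from a FAVM. The blkid samples are copied from the transcripts; the function names, the staging-directory parameter and the placeholder config contents are my assumptions.

```python
"""Pre-flight helpers for the FAVM volume-group restore steps.

Illustrative code added to this page; not a Nutanix utility. Function names
and the staging-directory parameter are assumptions; the blkid samples are
copied from the transcript above.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Constructed samples, copied from the transcript: before and after the
# restored volume group is visible to the FAVM.
BLKID_BEFORE = (
    '/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"\n'
    '/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"\n'
)
BLKID_AFTER = BLKID_BEFORE + '/dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"\n'

_DEV_LINE = re.compile(r"^(?P<dev>/dev/\S+):\s*(?P<attrs>.*)$")
_ATTR = re.compile(r'(\w+)="([^"]*)"')


def parse_blkid(output):
    """Map each device path in blkid output to a dict of its KEY="value" attributes."""
    devices = {}
    for line in output.splitlines():
        match = _DEV_LINE.match(line.strip())
        if match:
            devices[match.group("dev")] = dict(_ATTR.findall(match.group("attrs")))
    return devices


def volume_group_ready(output, device="/dev/sdb", fstype="ext4"):
    """True only when the expected device is present and carries the expected filesystem.

    The transcript expects the restored volume group to appear as /dev/sdb with
    an ext4 filesystem; anything else means the config swap must not proceed.
    """
    attrs = parse_blkid(output).get(device)
    return attrs is not None and attrs.get("TYPE") == fstype


def swap_cvm_config(config_dir, staged_copy):
    """Keep the live cvm.config as cvm_bck.config, then move the staged copy into place.

    Order matters: the backup rename happens first, and the staged copy is
    checked before anything is touched, so a failure never leaves the FAVM
    without a cvm.config. Returns the path of the new live file.
    """
    config_dir = Path(config_dir)
    staged = Path(staged_copy)
    if not staged.is_file():
        raise FileNotFoundError(f"staged copy not found: {staged}")
    live = config_dir / "cvm.config"
    backup = config_dir / "cvm_bck.config"
    if live.exists():
        live.replace(backup)
    shutil.move(str(staged), str(live))
    return live


def run_swap_demo():
    """Exercise swap_cvm_config in a throwaway directory; returns the resulting file contents."""
    with tempfile.TemporaryDirectory() as root:
        config_dir = Path(root) / "common_config"
        config_dir.mkdir()
        # Placeholder contents; the real cvm.config format is not reproduced here.
        (config_dir / "cvm.config").write_text("PLACEHOLDER_CONFIG_ON_NEW_FAVM\n")
        staged = Path(root) / "cvm.config"
        staged.write_text("PLACEHOLDER_CONFIG_STAGED_IN_TMP\n")
        live = swap_cvm_config(config_dir, staged)
        return {
            "live": live.read_text(),
            "backup": (config_dir / "cvm_bck.config").read_text(),
            "staged_remaining": staged.exists(),
        }


if __name__ == "__main__":
    print("volume group ready before:", volume_group_ready(BLKID_BEFORE))
    print("volume group ready after: ", volume_group_ready(BLKID_AFTER))
    print(run_swap_demo())
```

On a real FAVM the blkid text would come from `sudo blkid` and the directory would be /mnt/containers/config/common_config; the gate is that `volume_group_ready` must be true before `swap_cvm_config` runs, which is exactly the ordering the transcripts rely on a human to respect.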
Product Release Date: 2022-09-07
Last updated: 2022-11-04
Prism Element supports role-based access control (RBAC) that allows you to configure and provide customized access to the users based on their assigned roles.
From the Prism Element dashboard, you can assign a set of predefined built-in roles (system roles) to users or user groups. File Analytics supports the following built-in roles (system roles) that are defined by default:
Follow this procedure to deploy the File Analytics server.
Steps for enabling File Analytics after deployment or disablement.
Follow these steps to enable File Analytics after disabling the application.
Follow the steps as indicated to disable File Analytics.
File Analytics is disabled on the server. Enable File Analytics to start collecting data again or Delete File Analytics Data.
Do the following to launch File Analytics.
To update a File Analytics VM (FAVM), refer to the sizing guidelines in the File Analytics release notes and follow the steps in the VM Management topic of the Prism Web Console Guide .
Remove a File Analytics VM (FAVM) by disabling it and deleting it from the cluster in Prism.
Follow the steps as indicated to update authentication credentials for LDAP or Active Directory.
Manage the audit data of deleted shares and exports.
By default, File Analytics retains deleted share and export data. The dashboard widgets do not account for data of deleted shares and exports. The deleted marker appears next to deleted shares and exports in audit trails. The Manage Share/Export Audit data window displays a list of deleted shares and exports.
Follow the directions as indicated to delete audit data for the deleted share or export.
Steps for updating the password of a File Analytics VM (FAVM).
nutanix@favm$ sudo passwd nutanix
Changing password for user nutanix.
Old Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
The password must meet the following complexity requirements:
Perform File Analytics upgrades using the Life Cycle Manager feature in Prism Element.
Before you proceed with the FA upgrade, ensure you meet the following:
Refer to File Analytics release notes for compatibility details. You can upgrade both AOS and Files through Prism Element, see AOS Upgrade in the Prism Web Console Guide .
To upgrade File Analytics, perform inventory and updates using the Life-Cycle Manager (LCM), see the Life Cycle Manager Guide for instructions on performing inventory and updates.
During the upgrade process, File Analytics takes a snapshot of the volume group (VG) that contains File Analytics data. If issues occur during an upgrade, File Analytics restores the FAVM to the pre-upgrade state. If the volume group is protected and is part of a protection domain, File Analytics creates a snapshot and sets the expiry time to 30 days. If the volume group is not protected, File Analytics creates a snapshot and deletes it after the upgrade completes successfully. If any errors occur, the system keeps the snapshot for 30 days to troubleshoot the issue.
Upgrade File Analytics at a dark site using the Life-Cycle Manager (LCM).
The Dashboard tab displays data on the operational trends of a file server.
The Dashboard tab is the opening screen that appears after launching File Analytics for a specific file server. The dashboard displays widgets that present data on file trends, distribution, and operations.
Tile Name | Description | Intervals |
---|---|---|
Capacity trend | Displays capacity trends for the file server, including capacity added, capacity removed, and net changes. Clicking an event period widget displays the Capacity Trend Details view. | 7 days, the last 30 days, or the last 1 year. |
Data age | Displays the percentage of data by age. Data age determines the data heat: hot, warm, or cold. | Default intervals are as follows: |
Permission denials | Displays users who have had excessive permission denials and the number of denials. Clicking a user displays audit details; see Audit Trails - Users for more. | [user id], [number of permission denials] |
File distribution by size | Displays the number of files by file size. Provides trend details for the top 5 files. | Less than 1 MB, 1–10 MB, 10–100 MB, 100 MB to 1 GB, greater than 1 GB. |
File distribution by type | Displays the space taken up by various applications and file types. The file extension determines the file type. See the File types table for more details. | MB or GB |
File distribution by type details view | Displays a trend graph of the top 5 file types. File distribution details include file type, current space used, current number of files, and change in space for the last 7 or 30 days. Clicking View Details displays the File Distribution by Type view. | Daily size trend for top 5 files (GB), file type (see the "File Type" table), current space used (GB), current number of files (numeric), change in last 7 or 30 days (GB). |
Top 5 active users | Lists the users who have accessed the most files and the number of operations each user performed for the specified period. When there are more than 5 active users, the more link provides details on the top 50 users. Clicking the user name displays the audit view for the user; see Audit Trails - Users for more. | 24 hours, 7 days, 1 month, or 1 year. |
Top 5 accessed files | Lists the 5 most frequently accessed files. Clicking more provides details on the top 50 files. Clicking the file name displays the audit view details for the file; see Audit Trails - Files for more. | 24 hours, 7 days, 1 month, or 1 year. |
Files operations | Displays the distribution of operation types for the specified period, including a count for each operation type and the total sum of all operations. Operations include: create, delete, read, write, rename, permission changed, set attribute, symlink, permission denied, permission denied (file blocking). Clicking an operation displays the File Operation Trend view. | 24 hours, 7 days, 1 month, or 1 year. |
Clicking an event period in the Capacity Trend widget displays the Capacity Trend Details view for that period. The view includes three tabs: Share/Export, Folder, and Category. Each tab includes columns for the entity name, net capacity change, capacity added, and capacity removed.
Column | Description |
---|---|
Name | Name of the share/export, folder, or category. |
Net capacity change | The total difference between capacity at the beginning and the end of the specified period. |
Share name (for folders only) | The name of the share or export that the folder belongs to. |
Capacity added | Total capacity added during the specified period. |
Capacity removed | Total capacity removed during the specified period. |
Clicking View Details for the File Distribution by Type widget displays granular details of file distribution, see the File Types table for details.
Column | Description |
---|---|
File type | Name of the file type |
Current space used | Capacity occupied by the file type |
Current number of files | Number of files of the file type |
Change (in last 30 days) | The increase in capacity over the 30-day period for the specified file type |
Category | Supported File Type |
---|---|
Archives | .cab, .gz, .rar, .tar, .z, .zip |
Audio | .aiff, .au, .mp3, .mp4, .wav, .wma |
Backups | .bak, .bkf, .bkp |
CD/DVD images | .img, .iso, .nrg |
Desktop publishing | .qxd |
Email archives | .pst |
Hard drive images | .tib, .gho, .ghs |
Images | .bmp, .gif, .jpg, .jpeg, .pdf, .png, .psd, .tif, .tiff |
Installers | .msi, .rpm |
Log Files | .log |
Lotus notes | .box, .ncf, .nsf, .ns2, .ns3, .ns4, .ntf |
MS Office documents | .accdb, .accde, .accdt, .accdr, .doc, .docx, .docm, .dot, .dotx, .dotm, .xls, .xlsx, .xlsm, .xlt, .xltx, .xltm, .xlsb, .xlam, .ppt, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .mdb |
System files | .bin, .dll, .exe |
Text files | .csv, .pdf, .txt |
Video | .avi, .mpg, .mpeg, .mov, .m4v |
Disk image | .hlog, .nvram, .vmdk, .vmx, .vmxf, .vmtm, .vmem, .vmsn, .vmsd |
Clicking an operation type in the File Operations widget displays the File Operation Trend view. The File Operation Trend view breaks down the specified period into smaller intervals, and displays the number of occurrences of the operation during each interval.
Category | Description |
---|---|
Operation type | A drop-down option to specify the operation type. See Files Operations in the Dashboard Widgets table for a list of operation types. |
Last (time period) | A drop-down option to specify the period for the file operation trend. |
File operation trend graph | The x-axis divides the specified period into shorter intervals. The y-axis displays the number of operations that occurred in each interval. |
The Health dashboard displays dynamically updated health information about each file server component.
The Health dashboard includes the following details:
The Data Age widget in the dashboard provides details on data heat.
Share-level data is displayed to provide details on share capacity trends. There are three levels of data heat:
You can configure the definitions for each level of data heat rather than using the default values. See Configuring Data Heat Levels.
Update the values that constitute different data heat levels.
Data panes in the Anomalies tab display data and trends for configured anomalies.
The Anomalies tab provides options for creating anomaly policies and displays dashboards for viewing anomaly trends.
You can configure anomalies for the following operations:
Define anomaly rules by specifying the following conditions:
Meeting the lower of the two operation thresholds triggers an anomaly.
Consider a scenario with 1,000 files, an operation count threshold of 10, and an operation percentage threshold of 10%. The count threshold applies, because 10% of 1,000 is 100, which is greater than the count threshold of 10.
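The threshold rule above is easy to get wrong in either direction (a tiny share makes the percentage threshold collapse toward zero; a huge share makes it irrelevant). The following added example (illustrative code written for this page, not the File Analytics implementation) computes the effective threshold the way the text describes, then applies a rule to constructed per-user operation events inside a detection interval, so that both the page's 1,000-file scenario and the small-share case can be checked. The rule fields beyond the two thresholds (operation type, interval length), the per-user aggregation, the floor of one operation, and the "meets or exceeds" comparison are my assumptions.

```python
"""Anomaly-rule evaluation over per-user operation counts.

Illustrative code added to this page; not the File Analytics implementation.
Assumed rule shape: operation type, operation-count threshold, operation-
percentage threshold (relative to the total files on the share) and a
detection interval in minutes. The lower of the two thresholds applies.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def effective_threshold(total_files, count_threshold, percent_threshold):
    """Lower of the absolute count and the count derived from the percentage.

    With 1,000 files, 10% is 100, so a count threshold of 10 wins (the
    scenario in the text). The floor of one operation is an assumption that
    keeps a near-empty share from flagging every single operation.
    """
    from_percent = int(total_files * percent_threshold / 100)
    return max(1, min(count_threshold, from_percent))


def find_anomalies(events, rule, total_files, window_start):
    """Count matching operations per user inside the detection interval and
    return {user: count} for users whose count meets or exceeds the threshold.

    `events` are (timestamp, user, operation, path) tuples.
    """
    window_end = window_start + timedelta(minutes=rule["interval_minutes"])
    per_user = defaultdict(int)
    for ts, user, op, _path in events:
        if op == rule["operation"] and window_start <= ts < window_end:
            per_user[user] += 1
    threshold = effective_threshold(
        total_files, rule["count_threshold"], rule["percent_threshold"]
    )
    return {user: n for user, n in per_user.items() if n >= threshold}


# Constructed sample data. T0 is an arbitrary timestamp; the events are
# one user deleting 12 files in a burst, another deleting 3, plus noise.
T0 = datetime(2022, 9, 7, 9, 0)
SAMPLE_EVENTS = (
    [(T0 + timedelta(minutes=i), "alice", "delete", f"/proj/file{i}.docx") for i in range(12)]
    + [(T0 + timedelta(minutes=i), "bob", "delete", f"/proj/tmp{i}.log") for i in range(3)]
    + [(T0 + timedelta(minutes=90), "alice", "delete", "/proj/late.txt")]   # outside the interval
    + [(T0 + timedelta(minutes=2), "alice", "read", "/proj/readme.txt")]    # different operation
)
DELETE_RULE = {
    "operation": "delete",
    "count_threshold": 10,
    "percent_threshold": 10.0,
    "interval_minutes": 60,
}


if __name__ == "__main__":
    print("1,000-file share:", find_anomalies(SAMPLE_EVENTS, DELETE_RULE, 1000, T0))
    print("30-file share:   ", find_anomalies(SAMPLE_EVENTS, DELETE_RULE, 30, T0))
```

On the 1,000-file share the effective threshold is 10 and only the 12-delete burst is reported; on a 30-file share the percentage term drops the threshold to 3, and the 3-delete user is reported as well. That second case is why the percentage threshold exists: a handful of deletions is unremarkable on a large share and significant on a small one.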
Pane Name | Description | Values |
---|---|---|
Anomaly Trend | Displays the number of anomalies per day or per month. | Last 7 days, Last 30 days, Last 1 year |
Top Users | Displays the users with the most anomalies and the number of anomalies per user. | Last 7 days, Last 30 days, Last 1 year |
Top Folders | Displays the folders with the most anomalies and the number of anomalies per folder. | Last 7 days, Last 30 days, Last 1 year |
Operation Anomaly Types | Displays the percentage of occurrences per anomaly type. | Last 7 days, Last 30 days, Last 1 year |
Clicking an anomaly bar in the Anomaly Trend graph displays the Anomaly Details view.
Column | Description |
---|---|
Anomaly Type | The configured anomaly type. Anomaly types not configured do not show up in the table. |
Total User Count | The number of users that have performed the operation causing the specified anomaly during the specified time range. |
Total Folder Count | The numbers of folders in which the anomaly occurred during the specified time range. |
Total Operation Count | Total number of anomalies for the specified anomaly type that occurred during the specified time range. |
Time Range | The time range for which the total user count, total folder count, and total operation count are specified. |
Column | Description |
---|---|
Username or Folders | Indicates the entity for the operation count. Selecting the Users tab indicates operation count for specific users, and selecting the Folders tab indicates the operation count for specific folders. |
Operation count | The total number of operations causing anomalies for the selected user or folder during the time period for the bar in the Anomaly Trend graph. |
Steps for configuring anomaly rules.
To create an anomaly rule, do the following.
File Analytics uses a simple mail transport protocol (SMTP) server to send anomaly alerts.
Use audit trails to look up operation data for a specific user, file, folder, or client.
The Audit Trails tab includes Files , Folders , Users , and Client IP options for specifying the audit type. Use the search bar for specifying the specific entity for the audit (user, folder, file, or client IP).
The results table presents details for entities that match the search criteria. Clicking the entity name (or client IP number) takes you to the Audit Trails dashboard for the target entity.
Audit a user, file, client, or folder.
Details for client IP Audit Trails.
When you search by user in the Audit Trails tab, search results display the following information in a table.
Clicking View Audit displays the Audit Details page, which shows the following audit information for the selected user.
The Results table provides granular details of the audit results. The following data is displayed for every event.
Click the gear icon for options to download the data as an xls, csv, or JSON file.
Dashboard details for folder audits.
The following information displays when you search by file in the Audit Trails tab.
The Audit Details page shows the following audit information for the selected folder.
The Results table provides granular details of the audit results. File Analytics displays the following data for every event.
Click the gear icon for options to download the data as a CSV file.
Dashboards details for file audit.
When you search by file in the Audit Trails tab, the following information displays:
The Audit Details page shows the following audit information for the selected file.
The Results table provides granular details of the audit results. File Analytics displays the following data for every event.
Click the gear icon for options to download the data as a CSV file.
Dashboard details for client IP Audit Trails.
When you search by client IP in the Audit Trails tab, search results display the following information in a table.
The Audit Details page shows the following audit information for the selected client.
The Results table provides granular details of the audit results. File Analytics displays the following data for every event.
Click the gear icon for an option to download the data as a CSV file.
Ransomware protection for your file server.
File Analytics scans files for ransomware in real time and notifies you in the event of a ransomware attack once you configure email notifications.
Using a curated a list of over 250 signatures that frequently appear in ransomware files, the Nutanix Files file blocking mechanism identifies and blocks files with ransomware extensions from carrying out malicious operations. You can modify the list by manually adding or removing signatures from in Nutanix Files, see "File Blocking" in the Nutanix Files User Guide .
File Analytics also monitors shares for self-service restore (SSR) policies and identifies shares that do not have SSR enabled in the ransomware dashboard. You can enable SSR through the ransomware dashboard.
The ransomware dashboard includes panes for managing ransomware protection and self-service restore (SSR).
The ransomware dashboard includes two main sections:
Enable ransomware protection on your file server.
Configure ransomware protection on file servers.
Do the following to add signature to the blocked extension list.
Enable self-service restore on shares identified by File Analytics.
File Analytics scans shares for SSR policies.
Generate a report for entities on the file server.
Create a report with custom attribute values or use one of the File Analytics pre-canned report templates. To create a custom report, specify the entity, attributes (and operators for some attributes), attribute values, column headings, and the number of columns. Pre-canned reports define most of the attributes and headings based on the entity and template that you choose.
The Reports dashboard displays a table or previously generated reports. You can rerun existing reports rather than creating a template. After creating a report, you can download it as a JSON or CSV file.
The reports dashboard includes options to create, view, and download reports.
The Reports dashboard includes options to create a report, download reports as a JSON, download reports as a CSV, rerun reports, and delete reports.
The reports table includes columns for the report name, status, last run, and actions.
Clicking Create a new report takes you to the report creation screen, which includes a Report builder and a Pre-canned Reports Templates tabs. The tabs include report options and filters for report configuration.
Both tabs include the following elements:
Entity | Attributes (filters) | Operator | Value | Column |
---|---|---|---|---|
Events | event_date |
|
(date) |
|
Event_operation | N/A |
|
||
Files | Category |
|
(date) |
|
Extensions | N/A | (type in value) | ||
Deleted | N/A | Last (number of days from 1 to 30) days | ||
creation_date |
|
(date) | ||
access_date |
|
(date) | ||
Size |
|
(number) (file size)
File size options:
|
||
Folders | Deleted | N/A | Last (number of days from 1 to 30) days |
|
creation_date |
|
(date) | ||
Users | last_event_date |
|
(date) |
|
Entity | Pre-canned report template | Columns |
---|---|---|
Events |
|
|
Files |
|
|
Users |
|
|
Create a custom report by defining the entity, attribute, filters, and columns.
Use one of the pre-canned File Analytics templates for your report.
You can get more insight into the usage and contents of files on your system by configuring and updating File Analytics features and settings. Some options include scanning the files on your file server on demand, updating data retention, and configuring data protection.
The data retention period determines how long File Analytics retains event data.
Follow the steps as indicated to configure data retention.
Once enabled, File Analytics scans the metadata of all files and shares on the system. You can perform an on-demand scan of shares in your file system.
Deny users, file extensions, and client IP addresses.
File Analytics uses the file category configuration to classify file extensions.
The capacity widget in the dashboard uses the category configuration to calculate capacity details.
Configure File Analytics disaster recovery (DR) using Prism Element.
File Analytics only supports async disaster recovery. File Analytics does not support NearSync and metro availability.
Create an async protection domain, configure a protection domain schedule, and configure remote site mapping. The remote site must have symmetric configurations to the primary site. The remote site must also deploy File Analytics to restore a File Analytics VM (FAVM).
The Data Protection section in the Prism Web Console Guide provides more detail on the disaster recovery process.
To set up disaster recovery for File Analytics, create an async protection domain, configure a protection domain schedule, and configure remote site mapping.
By default, the File Analytics volume group resides on the same container that hosts vDisks for Nutanix Files.
Recover a File Analytics VM (FAVM) after a planned or unplanned migration to the remote site.
Perform the following tasks on the remote site.
Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.
To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.
nutanix@favm$ sudo blkid
nutanix@favm$ cd /mnt/containers/config/common_config /tmp
nutanix@favm$ sudo systemctl stop monitoring
nutanix@favm$ docker stop $(docker ps -q)
nutanix@favm$ sudo systemctl stop docker
nutnix@avm$ sudo umount /mnt
nutanix@avm$ sudo reboot

nutanix@favm$ sudo blkid
/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"The FAVM discovers the attached volume group and assigns to the /dev/sdb device.
nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
/mnt/containers/config/common_config/cvm_bck.config
nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
--password='new password' --local_update
nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
--password='new password' --prism_user=admin --prism_password='Prism admin password'
Deploy a File Analytics VM (FAVM) after a planned or unplanned (disaster) migration to the remote site.
To perform disaster recovery, deploy and enable File Analytics on the remote site. Restore the data using a snapshot of the volume group from the primary FAVM.
nutanix@favm$ sudo blkid
nutanix@favm$ cd /mnt/containers/config/common_config/ /tmp
nutanix@favm$ sudo systemctl stop monitoring
nutanix@favm$ docker stop $(docker ps -q)
nutanix@favm$ sudo systemctl stop docker
nutnix@avm$ sudo umount /mnt
nutnix@avm$ sudo /sbin/iscsiadm -m node -u
nutanix@favm$ sudo /sbin/iscsiadm -m node –o delete
nutanix@favm$ sudo blkid
/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660" /dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"The output does not show the /dev/sdb device.
nutanix@favm$ sudo cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1991-05.com.redhat:8ef967b5b8f
nutanix@favm$ sudo /sbin/iscsiadm --mode discovery --type sendtargets --portal data_services_IP_address:3260
Clicking the Nutanix cluster name in Prism displays cluster details including the data service IP address. The output displays the restored iSCSI target from step 2.
nutanix@favm$ sudo /sbin/iscsiadm --mode node --targetname iqn_name --portal data_services_IP_address:3260,1 --login
nutanix@favm$ sudo reboot
nutanix@favm$ sudo blkid
/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"
/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"
/dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"
nutanix@favm$ mv /mnt/containers/config/common_config/cvm.config \
/mnt/containers/config/common_config/cvm_bck.config
nutanix@favm$ mv /tmp/cvm.config /mnt/containers/config/common_config/
nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
--password='new password' --local_update
nutanix@favm$ sudo python /opt/nutanix/analytics/bin/reset_password.py --user_type=prism \
--password='new password' --prism_user=admin --prism_password='Prism admin password'
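The procedure above gates the configuration swap on `blkid` showing the restored volume group as /dev/sdb. The following added example (not Nutanix code) parses the two `blkid` outputs reproduced on this page and returns the device UUID only when the expected device and filesystem type are present, so a recovery script can refuse to continue otherwise.

```python
import re
from typing import Dict, Optional

# Sample input: the blkid output shown on this page before and after the iSCSI login
# (reformatted one device per line; the UUIDs are the page's own values).
BLKID_BEFORE = (
    '/dev/sr0: UUID="2019-06-11-12-18-52-00" LABEL="cidata" TYPE="iso9660"\n'
    '/dev/sda1: LABEL="_master-x86_64-2" UUID="b1fb6e26-a782-4cf7-b5de-32941cc92722" TYPE="ext4"\n'
)
BLKID_AFTER = BLKID_BEFORE + (
    '/dev/sdb: UUID="30749ab7-58e7-437e-9a09-5f6d9619e85b" TYPE="ext4"\n'
)

# blkid prints each attribute as KEY="value"; values never contain a double quote.
_ATTR = re.compile(r'(\w+)="([^"]*)"')


def parse_blkid(output: str) -> Dict[str, Dict[str, str]]:
    """Turn `DEV: KEY="v" KEY="v"` lines into {device: {KEY: v}}; blank lines are skipped."""
    devices: Dict[str, Dict[str, str]] = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        dev, _, attrs = line.partition(":")
        devices[dev.strip()] = dict(_ATTR.findall(attrs))
    return devices


def restored_volume_group(output: str, device: str = "/dev/sdb",
                          fstype: str = "ext4") -> Optional[str]:
    """Return the UUID of the restored volume group if blkid lists `device` with the
    expected filesystem type, otherwise None. A caller should stop the recovery
    (do not move cvm.config, do not reset passwords) while this returns None."""
    attrs = parse_blkid(output).get(device)
    if not attrs or attrs.get("TYPE") != fstype:
        return None
    return attrs.get("UUID")


if __name__ == "__main__":
    for label, out in (("before login", BLKID_BEFORE), ("after login", BLKID_AFTER)):
        print(f"{label}: restored volume group = {restored_volume_group(out)}")
```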
Product Release Date: 2021-05-17
Last updated: 2022-12-13
Traditional data centers use firewalls to implement security checks at the perimeter—the points at which traffic enters and leaves the data center network. Such perimeter firewalls are effective at protecting the network from external threats. However, they offer no protection against threats that originate from within the data center and spread laterally, from one compromised machine to another.
The problem is compounded by virtualized workloads changing their network configurations and hosts as they start, stop, and migrate frequently. For example, IP addresses and MAC addresses can change as applications are shut down on one host and started on another. Manual enforcement of security policies through traditional firewalls, which rely on network configurations to inspect traffic, cannot keep up with these frequent changes and are error-prone.
Network-centric security policies also require the involvement of network security teams that have intimate knowledge of network configuration in terms of VLANs, subnets, and other network entities.
Nutanix Flow includes a policy-driven security framework that inspects traffic within the data center. The framework works as follows:
The types of policies in Prism Central and their use cases are described here.
Policy Type | Use Case |
---|---|
Application Security Policy | Use an application security policy when you want to secure an application by specifying allowed traffic sources and destinations. This method of securing an application is typically called application ring fencing. For example, use an application security policy when you want to allow only those VMs in the categories The secured application itself can be divided into tiers by the use of categories (the built-in AppTier category). For example, you can divide the issue tracking tool into web, application, and database tiers and configure tier-to-tier rules. For more information, see Application Security Policy Configuration. |
Isolation Environment Policy | Use an isolation environment policy when you want to block all traffic, regardless of direction, between two groups of VMs identified by their category. VMs within a group can communicate with each other. For example, use an isolation environment policy when you want to block all traffic between VMs in the category For more information, see Isolation Environment Policy Configuration. |
Quarantine Policy | Use a quarantine policy when you want to isolate a compromised or infected VM and optionally want to subject it to forensics. For more information, see Quarantine Policy Configuration. |
VDI Policy | Use a VDI policy when you want to secure your VDI environment. For more information, see VDI Policy Configuration. |
The security policy model uses an application-centric policy language instead of the more complex, traditional network-centric policy language. Configuring an application security policy involves specifying which VMs belong to the application you want to protect and then identifying the entities or networks, in the inbound and outbound directions, with which you want to allow communication.
All the entities in an application security policy are identified by the categories to which they belong and not by their IP address, VLAN, or other network attributes. After a VM is associated with a category and the category is specified in a security policy, traffic associated with the VM is monitored even if it migrates to another network or changes its IP address.
The default options for allowing traffic on the inbound and outbound directions are also inherently application centric. For application security policies, the default option for inbound traffic is Allowed List , which means that Allowed List is usually the recommended option for inbound traffic. The default option can be changed to Allow All traffic. The default option in the outbound direction allows the application to send traffic to all destinations, but you can configure a destination Allowed List if desired.
For forensic quarantine policies, the default option in both directions is Allowed List , but you can Allow All traffic in both directions. For strict quarantine policies, no traffic is allowed in either direction.
All the VMs within a category can communicate with each other. For example, in a tiered application, regardless of how you configure tier-to-tier rules, the VMs within a given tier can communicate with each other.
An application security policy is expressed in terms of the categories and subnets with which you want the application to communicate and therefore, by extension, the traffic you want to allow. A more granular policy expression can be achieved by specifying which protocols and ports can be used for communication.
Any category or subnet that is not in the allowed list is blocked. You cannot specify the categories and subnets you want to block because the number of such entities are typically much larger and grow at a much higher rate than the categories and subnets with which an application should be allowed to communicate. Expressing a policy in terms of allowed traffic results in a smaller, tighter policy configuration that can be modified, monitored, and controlled more easily.
All policies, whether associated with securing an application, isolating environments, or quarantining VMs, can be run in the following modes:
You can switch a policy between these two modes as many times as you want.
A policy uses categories to identify the VMs to which it must apply. This model allows the automatic enforcement of a policy to VMs regardless of their number and network attributes. Connectivity between Prism Central and a registered AHV cluster is required only when creating and modifying policies, or when changing the mode of operation (applied or monitoring) of a policy. Policies are applied to the VMs in a cluster even if the cluster temporarily loses network connectivity with the Prism Central instance with which it is registered. New policies and changes are applied to the cluster when connectivity is restored.
Prism Central does not provide a way for you to specify priorities between policies of a single type. For example, you cannot prioritize one security policy over another. There is no limit to the number of inbound and outbound rules that you can add to a security policy, allowing you to define all of an application's security requirements in a single policy. This makes priorities between policies unnecessary.
However, priorities exist between the different policy types. Quarantine policies have the highest priority, followed by isolation environment policies and then application security policies, in that order. The VDI policy has the lowest precedence; for example, if an application security policy is protecting a VM, that VM cannot simultaneously be protected by the VDI policy.
Isolation environment rules take precedence over application security rules, so make sure that isolation environment policies and application security policies are not in conflict. An isolation environment rule and an application security rule are said to be in conflict if they apply to the same traffic (a scenario that is encountered when VMs in one of the categories in the isolation environment send traffic to an application in the other category, and some or all of that traffic is either allowed or disallowed by the application security policy). The effect that an isolation environment policy has on a conflicting application security policy depends on the mode in which the isolation environment policy is deployed, and is as follows:
The Security Policies feature has the following requirements:
Microsegmentation is disabled by default. Before you can configure and use application security policies, isolation environment policies, and quarantine policies, you must enable the feature. The feature requires a Flow license. If you have not installed a Flow license, you can try the feature for a period of 60 days. After this period expires, you will be required to install the license to continue using the feature.
To enable microsegmentation, do the following:
Prism Central web console provides you the ability to disable the microsegmentation feature.
To disable microsegmentation, do the following:
Prism Central includes built-in categories that you can use in application security policies and isolation policies. It also includes a built-in category for quarantining VMs.
Category | Description |
---|---|
AppTier | Add values for the tiers in your application (such as web, application_logic, and database) to this category and use the values to divide the application into tiers when configuring a security policy. |
AppType | Associate the VMs in your application with the appropriate built-in application type such as Exchange and Apache_Spark. You can also update the category to add values for applications not listed in this category. |
Environment | Add values for environments that you want to isolate from each other and then associate VMs with the values. |
Quarantine | Add a VM to this category when you want to quarantine the VM. You cannot modify this category. The category has the following values: |
ADGroup | This category is managed by ID Based Security (ID Firewall). Each ADGroup value represents an imported group from Active Directory. To add or remove values to use in Flow policies, use the ID Based Security configuration page ( Prism Central Settings > Flow > ID Based Security ). The category values may be used in VDI policies; see VDI Policy Configuration for details. |
ADGroup:Default | This category is applied to the VDI VMs of the AD group when the VM inclusion criteria are set, and allows you to apply a default set of rules for the VDI VMs (without the requirement of user logons). |
A service is a group of protocol-port combinations. You can use any of the default services or create a custom service. Using service entities in the policy creation workflow reduces manual configuration errors and enables reuse of available entities.
To create a custom service, do the following.
An address is a way to group one or many IP addresses or ranges. You can create an address entity and use that address entity while creating policies. Using addresses in the policy creation workflow reduces manual configuration errors and enables reuse of available entities.
To create an Address, do the following.
default value, but you can update the category to add values of your choice.
For information about categories and their values, see Category Management in the Prism Central Guide .
To secure an application, do the following:
AppType: value, where value represents a type of application. Every application that you want Prism Central to secure must be associated with a value from the built-in AppType category. The AppType category includes values for frequently encountered applications, such as Exchange and Hadoop. The AppType category also includes a built-in default value that you can use if your application cannot be associated with one of the other built-in values. You can also update the AppType category to add a value of your choice. For information about categories and their values, see Category Management.
AppType: Exchange, this option enables you to further restrict the policy to specific locations (such as Location: US and Location: EU) or environments (such as Environment: Production, Environment: Development, and Environment: Test).
To divide your application into tiers and create tier-to-tier rules, do the following:
Repeat this step to add as many tiers as you require. The following figure shows an application with a web tier, an application tier, and a database tier:
Configure tier-to-tier rules for as many source and destination tiers as you want.
When entering the name of a category, a list of matching names is displayed, and you can select the name you want to specify. The subnet mask must be specified in the CIDR format.
Each entry in this list represents a stream of inbound traffic.
When entering the name of a category, a list of matching names is displayed, and you can select the name you want to specify. The subnet mask must be specified in the CIDR format.
Each entry in this list represents a stream of outbound traffic.
Applying a security policy enforces the security policy on the application, and traffic from entities that are not defined as sources in the policy is blocked.
When a policy is in the monitoring state, the application continues to receive all traffic, but disallowed traffic is highlighted on the monitoring page. Traffic is not blocked until the policy is enforced.
To modify a security policy, do the following:
Applying a security policy enforces the security policy on the application, and any traffic from sources that are not allowed is blocked.
To apply a security policy, do the following:
To monitor a security policy, do the following:
To delete an application security policy, do the following:
An isolation environment identifies two groups of VMs by category, and it blocks communications between the groups.
You can also specify an additional category to restrict the scope of the isolation environment to that category.
For example, consider that you have an application category with values app1 and app2 and that you have associated some VMs with application: app1 and some VMs with application: app2. Also, consider that these same VMs are distributed between two sites, and have accordingly been associated with values site1 and site2 in a category named location (location: site1 and location: site2).
In this example, you might want to block communications between the VMs in the two locations. Additionally, you might want to restrict the scope of the policy to VMs in category application: app1. In other words, app1 VMs in site1 cannot communicate with app1 VMs in site2. The following diagram illustrates the desired outcome. The red connectors illustrate blocked traffic. The green connectors illustrate allowed traffic.
You can configure an isolation policy for this by creating the following categories and isolation policy in Prism Central:
Entity | Values |
---|---|
Categories | |
Isolation Policy | |
An isolation environment policy identifies two groups of VMs and blocks communications between the groups. The two groups are identified by category. You can specify an additional category to restrict the scope of the policy to that category.
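The policy model described on this page (allowed-list application policies, scoped isolation environments, quarantine precedence, and monitoring versus applied mode) can be checked against concrete VMs with the following added example. It is not Nutanix code: it is a small simulator that applies the precedence order the page states, using the site1/site2 example above. The value name "Strict" for the strict quarantine, and the treatment of a scope category as "both VMs must carry it", are assumptions; subnets, services and AppTier rules are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Category = Tuple[str, str]  # (key, value) pair, for example ("location", "site1")

# "Quarantine: Forensics" appears on the page; the "Strict" value name is assumed.
QUARANTINE_STRICT: Category = ("Quarantine", "Strict")
QUARANTINE_FORENSICS: Category = ("Quarantine", "Forensics")


@dataclass(frozen=True)
class VM:
    name: str
    categories: FrozenSet[Category]

    def has(self, cat: Category) -> bool:
        return cat in self.categories


@dataclass(frozen=True)
class AppPolicy:
    """Secures VMs carrying `target`: inbound is an allowed list of source
    categories; outbound is allow-all unless a destination list is given."""
    target: Category
    inbound_allowed: FrozenSet[Category] = frozenset()
    outbound_allowed: Optional[FrozenSet[Category]] = None
    mode: str = "applied"  # "applied" enforces; "monitoring" only flags


@dataclass(frozen=True)
class IsolationPolicy:
    """Blocks all traffic between two category groups, optionally scoped."""
    group_a: Category
    group_b: Category
    scope: Optional[Category] = None  # when set, both VMs must carry it (assumption)
    mode: str = "applied"


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    flagged: bool = False  # a monitoring-mode policy would have blocked the flow


def evaluate(src: VM, dst: VM, app_policies: List[AppPolicy],
             iso_policies: List[IsolationPolicy],
             forensics_allowed: FrozenSet[Category] = frozenset()) -> Verdict:
    """Decide one src -> dst flow in the page's precedence order:
    quarantine, then isolation environment, then application security."""
    # 1. Quarantine: strict allows nothing; forensic allows only listed categories.
    for vm in (src, dst):
        if vm.has(QUARANTINE_STRICT):
            return Verdict(False, f"{vm.name} is under strict quarantine")
    for vm, peer in ((src, dst), (dst, src)):
        if vm.has(QUARANTINE_FORENSICS):
            if forensics_allowed & peer.categories:
                return Verdict(True, f"{peer.name} is on the forensic allowed list")
            return Verdict(False, f"{vm.name} is under forensic quarantine")

    flagged = False
    # 2. Isolation environments outrank application policies when applied.
    for iso in iso_policies:
        if iso.scope is not None and not (src.has(iso.scope) and dst.has(iso.scope)):
            continue  # the extra category narrows which VMs the policy covers
        crosses = ((src.has(iso.group_a) and dst.has(iso.group_b))
                   or (src.has(iso.group_b) and dst.has(iso.group_a)))
        if crosses:
            if iso.mode == "applied":
                return Verdict(False, f"isolated: {iso.group_a} <-> {iso.group_b}")
            flagged = True  # monitoring mode highlights but does not block

    # 3. Application security: anything not on the allowed list is blocked,
    #    except that VMs sharing the secured category always talk to each other.
    for pol in app_policies:
        if dst.has(pol.target):
            ok = src.has(pol.target) or bool(pol.inbound_allowed & src.categories)
            if not ok and pol.mode == "applied":
                return Verdict(False, f"{src.name} not on inbound list of {pol.target}")
            flagged = flagged or not ok
        if src.has(pol.target) and pol.outbound_allowed is not None:
            ok = dst.has(pol.target) or bool(pol.outbound_allowed & dst.categories)
            if not ok and pol.mode == "applied":
                return Verdict(False, f"{dst.name} not on outbound list of {pol.target}")
            flagged = flagged or not ok
    return Verdict(True, "no applied policy blocks this flow", flagged)


def page_example() -> Dict[str, bool]:
    """The page's scenario: isolate location:site1 from location:site2, scoped to
    application:app1. VM names are constructed; returns allowed? per flow."""
    def vm(name: str, app: str, site: str) -> VM:
        return VM(name, frozenset({("application", app), ("location", site)}))
    iso = [IsolationPolicy(("location", "site1"), ("location", "site2"),
                           scope=("application", "app1"))]
    flows = {
        "app1 site1 -> app1 site2": (vm("a", "app1", "site1"), vm("b", "app1", "site2")),
        "app2 site1 -> app2 site2": (vm("c", "app2", "site1"), vm("d", "app2", "site2")),
        "app1 site1 -> app1 site1": (vm("a", "app1", "site1"), vm("e", "app1", "site1")),
    }
    return {flow: evaluate(s, d, [], iso).allowed for flow, (s, d) in flows.items()}
```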
To create an isolation environment, do the following:
Matching names appear in a list as you type. You can click the name of the category you want.
If you isolate VMs in category Environment: Production from VMs in category Environment: Staging, and you restrict the scope of the policy to VMs in the category Environment: Dev, Prism Central applies the isolation policy to the following groups: Environment: Production and Environment: Dev; Environment: Staging and Environment: Dev.
To modify an isolation environment, do the following:
Applying an isolation environment policy enforces the policy on the specified categories, and any traffic between the categories is blocked.
To apply an isolation environment policy, do the following:
To monitor a security policy, do the following:
To delete an isolation environment policy, do the following:
Prism Central includes a built-in quarantine policy that enables you to perform the following tasks:
For these use cases, Prism Central includes built-in categories that are included in the built-in quarantine policy.
Prism Central also enables you to monitor the quarantine policy before applying it.
The quarantine policy cannot be deleted.
In the built-in quarantine policy, you specify categories that can communicate with VMs that have been added to the Quarantine: Forensics category.
To configure the quarantine policy, do the following;
When entering the name of a category, a list of matching names is displayed, and you can select the name you want to specify. The subnet mask must be specified in the CIDR format.
You quarantine a VM by adding the VM to a quarantine category.
To add an infected VM to a quarantine category, do the following:
To remove a VM from the quarantine, do the following:
The VDI Policy is based on identity-based categorization of the VDI VMs using Active Directory group membership. Configuring VDI policy includes adding an Active Directory domain that is used for the ID firewall ( ID Based Security ) and configuring a service account for the domain.
ID firewall is an extension to Flow that allows you to write security policies based on users and groups in the Active Directory domain to which your VDI VMs are joined. When using ID firewall, you can import groups from Active Directory into Prism Central as categories (in the category key ADGroup), and then write policies around these categories, just as you would for any other category. A new type of policy has been added for this purpose: the VDI Policy. ID firewall automatically places VDI VMs in the appropriate categories when it detects user logons to VMs hosted on Nutanix infrastructure associated with Prism Central, thus allowing user- and group-based enforcement of Flow policies.
ID firewall integrates Nutanix Flow with Microsoft Active Directory (AD), such that the groups in the AD can be imported into Prism Central as categories. These imported categories can then be used in the VDI policy as target groups, inbound traffic, and outbound traffic. Prism Central automatically places VMs inside the imported AD group categories when user logons are detected on VMs that are part of the Active Directory domain and also present on Nutanix managed clusters, thus applying security policies based on user group membership.
You can use the VDI VM Filter for the following scenarios.
The Default VDI policy feature allows you to apply a default set of rules as defined by the desktop administrator for VDI VMs and users. There are two primary use cases for Default VDI Policy ( ADGroup:Default ).
You can define a default VDI policy at the time of creating a new VDI policy, or by updating any existing VDI policy. See Step 2b of the VDI Policy Configuration topic for details.
Active Directory Domain Services configuration is used to import user groups for identity based security policies.
To configure an Active Directory domain, do the following.
Click + and add each domain controller individually, then click the blue check mark icon to save.
This is a name you choose to identify this entry; it need not be the name of an actual directory.
Enter the domain name in DNS format, for example, nutanix.com .
A service account is a special user account that an application or service uses to interact with the Active Directory. Enter your Active Directory service account credentials in this (username) and the following (password) field.
ID Firewall uses the service account for ID based security with additional requirements, see Configure Service Account for ID Firewall.
Active Directory service account in Prism Central is used for connectivity with the Active Directory domain services. ID Firewall also uses the same service account for ID based security.
To configure a service account for ID firewall, do the following.
WMIMGMT.msc command to start the Windows Management Instrumentation snap-in.
winmgmt service.
C:\> net stop winmgmt
C:\> net start winmgmt
Alternatively, reboot the domain controller.
To modify the VDI policy, do the following:
Applying the VDI policy enforces the policy on the specified categories (VDI AD groups), and any traffic between the categories is blocked.
To apply the VDI policy, do the following:
To monitor a security policy, do the following:
To delete the VDI policy, do the following:
You can apply different types of filters to view results based on properties like source, destination, category, ports, and more. You can also group related rule attributes together for easier visualization of connection flows. Grouping and filtering work together to provide an intuitive view of the security policy.
To apply filtering and grouping to a security policy, do the following.
Prism Central allows you to export and import security policies for the following security administration aspects.
Product Release Date: 2022-07-25
Last updated: 2022-12-14
Traditional data centers use firewalls to implement security checks at the perimeter—the points at which traffic enters and leaves the data center network. Such perimeter firewalls are effective at protecting the network from external threats. However, they offer no protection against threats that originate from within the data center and spread laterally, from one compromised machine to another.
The problem is compounded by virtualized workloads changing their network configurations and hosts as they start, stop, and migrate frequently. For example, IP addresses and MAC addresses can change as applications are shut down on one host and started on another. Manual enforcement of security policies through traditional firewalls, which rely on network configurations to inspect traffic, cannot keep up with these frequent changes and are error-prone.
Network-centric security policies also require the involvement of network security teams that have intimate knowledge of network configuration in terms of VLANs, subnets, and other network entities.
Nutanix Flow includes a policy-driven security framework that inspects traffic within the data center. The framework works as follows:
The types of policies in Prism Central and their use cases are described here.
Policy Type | Use Case |
---|---|
Application Security Policy |
Use an application security policy when you want to secure an application by
specifying allowed traffic sources and destinations. This method of securing an
application is typically called
application ring fencing
.
For example,
use an application security policy when you want to allow only those VMs in the
categories
The secured application itself can be divided into tiers by the use of categories (the built-in AppTier category). For example, you can divide the issue tracking tool into web, application, and database tiers and configure tier-to-tier rules. For more information, see Application Security Policy Configuration. |
Isolation Environment Policy |
Use an isolation environment policy when you want to block all traffic,
regardless of direction, between two groups of VMs identified by their category. VMs
within a group can communicate with each other.
For example, use an isolation
environment policy when you want to block all traffic between VMs in the category
For more information, see Isolation Environment Policy Configuration. |
Quarantine Policy |
Use a quarantine policy when you want to isolate a compromised or infected VM and
optionally want to subject it to forensics.
For more information, see Quarantine Policy Configuration. |
VDI Policy |
Use a VDI policy when you want to secure your VDI environment.
For more information, see VDI Policy Configuration |
The security policy model uses an application-centric policy language instead of the more complex, traditional network-centric policy language. Configuring an application security policy involves specifying which VMs belong to the application you want to protect and then identifying the entities or networks, in the inbound and outbound directions, with which you want to allow communication.
All the entities in an application security policy are identified by the categories to which they belong and not by their IP address, VLAN, or other network attributes. After a VM is associated with a category and the category is specified in a security policy, traffic associated with the VM is monitored even if it migrates to another network or changes its IP address.
The default options for allowing traffic on the inbound and outbound directions are also inherently application centric. For application security policies, the default option for inbound traffic is Allowed List , which means that Allowed List is usually the recommended option for inbound traffic. The default option can be changed to Allow All traffic. The default option in the outbound direction allows the application to send traffic to all destinations, but you can configure a destination Allowed List if desired.
For forensic quarantine policies, the default option in both directions is Allowed List , but you can Allow All traffic in both directions. For strict quarantine policies, no traffic is allowed in either direction.
All the VMs within a category can communicate with each other. For example, in a tiered application, regardless of how you configure tier-to-tier rules, the VMs within a given tier can communicate with each other.
An application security policy is expressed in terms of the categories and subnets with which you want the application to communicate and therefore, by extension, the traffic you want to allow. A more granular policy expression can be achieved by specifying which protocols and ports can be used for communication.
Any category or subnet that is not in the allowed list is blocked. You cannot specify the categories and subnets you want to block because the number of such entities are typically much larger and grow at a much higher rate than the categories and subnets with which an application should be allowed to communicate. Expressing a policy in terms of allowed traffic results in a smaller, tighter policy configuration that can be modified, monitored, and controlled more easily.
All policies, whether associated with securing an application, isolating environments, or quarantining VMs, can be run in the following modes:
You can switch a policy between these two modes as many times as you want.
A policy uses categories to identify the VMs to which it must apply. This model allows the automatic enforcement of a policy to VMs regardless of their number and network attributes. Connectivity between Prism Central and a registered AHV cluster is required only when creating and modifying policies, or when changing the mode of operation (applied or monitoring) of a policy. Policies are applied to the VMs in a cluster even if the cluster temporarily loses network connectivity with the Prism Central instance with which it is registered. New policies and changes are applied to the cluster when connectivity is restored.
Prism Central does not provide a way for you to specify priorities between policies of a single type. For example, you cannot prioritize one security policy over another. There is no limit to the number of inbound and outbound rules that you can add to a security policy, allowing you to define all of an application's security requirements in a single policy. This makes priorities between policies unnecessary.
However, priorities exist between the different policy types. Quarantine policies have the highest priority followed by isolation environment policies, and application security policies, in that order. The VDI Policy takes the last precedence, for example, if an application security is protecting a VM, it cannot simultaneously be protected with the VDI policy.
Isolation environment rules take precedence over application security rules, so make sure that isolation environment policies and application security policies are not in conflict. An isolation environment rule and an application security rule are said to be in conflict if they apply to the same traffic (a scenario that is encountered when VMs in one of the categories in the isolation environment send traffic to an application in the other category, and some or all of that traffic is either allowed or disallowed by the application security policy). The effect that an isolation environment policy has on a conflicting application security policy depends on the mode in which the isolation environment policy is deployed, and is as follows:
The Security Policies feature has the following requirements:
Microsegmentation is disabled by default. Before you can configure and use application security policies, isolation environment policies, and quarantine policies, you must enable the feature. The feature requires a Flow license. If you have not installed a Flow license, you can try the feature for a period of 60 days. After this period expires, you will be required to install the license to continue using the feature.
To enable microsegmentation, do the following:
Prism Central web console provides you the ability to disable the microsegmentation feature.
To disable microsegmentation, do the following:
Prism Central includes built-in categories that you can use in application security policies and isolation policies. It also includes a built-in category for quarantining VMs.
Category | Description |
---|---|
AppTier | Add values for the tiers in your application (such as web, application_logic, and database) to this category and use the values to divide the application into tiers when configuring a security policy. |
AppType | Associate the VMs in your application with the appropriate built-in application type such as Exchange and Apache_Spark. You can also update the category to add values for applications not listed in this category. |
Environment | Add values for environments that you want to isolate from each other and then associate VMs with the values. |
Quarantine |
Add a VM to this category when you want to quarantine the VM. You cannot modify
this category. The category has the following values:
|
ADGroup | This category is managed by ID Based Security (ID Firewall). Each ADGroup value represents an imported group from Active Directory. To add or remove values to use in Flow policies use the ID Based Security configuration page ( Prism Central Settings > Flow > ID Based Security ). The category values may be used in VDI policies, see VDI Policy Configuration for details. |
ADGroup:Default | This category is applied to the VDI VMs of the AD group when the VM inclusion criteria is set and allows you to apply a default set of rules for the VDI VMs (without the requirement of user logons). |
Service is a group of protocol-port combination. You can use any of the default services or create a custom service. The ability to use the service entities in the policy creation workflow reduces any manual configuration error and enables reusability of available entities.
To create a custom service, do the following.
Address is a way to group one or many IP addresses or ranges. You can create an address entity and use that address entity while creating policies. The ability to use the addresses in the policy creation work flow reduces any manual configuration error and enables reusability of available entities.
To create an Address, do the following.
default value, but you can update the category to add values of your choice.
For information about categories and their values, see Category Management in the Prism Central Guide .
To secure an application, do the following:
AppType: value, where value represents a type of application. Every application that you want Prism Central to secure must be associated with a value from the built-in AppType category. The AppType category includes values for frequently encountered applications, such as Exchange and Hadoop. The AppType category also includes a built-in default value that you can use if your application cannot be associated with one of the other built-in values. You can also update the AppType category to add a value of your choice. For information about categories and their values, see Category Management in the Prism Central Guide.
AppType: Exchange, this option enables you to further restrict the policy to specific locations (such as Location: US and Location: EU) or environments (such as Environment: Production, Environment: Development, and Environment: Test).
To divide your application into tiers and create tier-to-tier rules, do the following:
Repeat this step to add as many tiers as you require. The following figure shows an application with a web tier, an application tier, and a database tier:
Configure tier-to-tier rules for as many source and destination tiers as you want.
When entering the name of a category, a list of matching names is displayed, and you can select the name you want to specify. The subnet mask must be specified in the CIDR format.
Each entry in this list represents a stream of inbound traffic.
When entering the name of a category, a list of matching names is displayed, and you can select the name you want to specify. The subnet mask must be specified in the CIDR format.
Each entry in this list represents a stream of outbound traffic.
Applying a security policy enforces the security policy on the application, and traffic from entities that are not defined as sources in the policy is blocked.
When a policy is in the monitoring state, the application continues to receive all traffic, but disallowed traffic is highlighted on the monitoring page. Traffic is not blocked until the policy is enforced.
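The following added example (not Nutanix code; the inventory, policy and VM names are constructed) models how an application security policy is evaluated against a single flow: traffic into the target application is allowed by an inbound source (a category or a CIDR) or by a tier-to-tier rule, and anything else is only highlighted while the policy is in monitoring mode but blocked once it is applied.

```python
import ipaddress

# Constructed sample inventory (not from the page): VM name -> category values.
VMS = {
    "web-01": {"AppType": "Exchange", "AppTier": "web"},
    "app-01": {"AppType": "Exchange", "AppTier": "application_logic"},
    "db-01": {"AppType": "Exchange", "AppTier": "database"},
    "jump-01": {"AppType": "default", "Environment": "Production"},
}

# Constructed policy securing AppType: Exchange. Sources and tier endpoints are
# either a "Key: value" category or a CIDR; every rule carries a destination port.
POLICY = {
    "target": "AppType: Exchange",
    "inbound": [("Environment: Production", 443), ("10.0.0.0/24", 443)],
    "tier_rules": [
        ("AppTier: web", "AppTier: application_logic", 8080),
        ("AppTier: application_logic", "AppTier: database", 5432),
    ],
    "mode": "monitor",  # "monitor" only highlights disallowed flows; "apply" blocks them
}


def matches(endpoint, selector):
    """True if a VM name or IP string matches a 'Key: value' category or a CIDR."""
    if "/" in selector:  # CIDR selector: only an IP endpoint can match it
        try:
            return ipaddress.ip_address(endpoint) in ipaddress.ip_network(selector)
        except ValueError:
            return False
    key, value = (part.strip() for part in selector.split(":", 1))
    return VMS.get(endpoint, {}).get(key) == value


def evaluate(src, dst, port, policy=POLICY):
    """Classify one flow: not-in-scope, allowed, monitored (would be blocked) or blocked."""
    if not matches(dst, policy["target"]):
        return "not-in-scope"  # the policy governs only traffic into the target app
    if matches(src, policy["target"]):
        # Intra-application traffic is allowed only by an explicit tier-to-tier rule.
        allowed = any(matches(src, s) and matches(dst, d) and p == port
                      for s, d, p in policy["tier_rules"])
    else:
        allowed = any(matches(src, s) and p == port for s, p in policy["inbound"])
    if allowed:
        return "allowed"
    return "blocked" if policy["mode"] == "apply" else "monitored"
```

Switching `mode` to `"apply"` turns every "monitored" verdict into "blocked", which is the only difference between monitoring and applying the same policy.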
To modify a security policy, do the following:
Applying a security policy enforces the security policy on the application, and any traffic from sources that are not allowed is blocked.
To apply a security policy, do the following:
To monitor a security policy, do the following:
To delete an application security policy, do the following:
An isolation environment identifies two groups of VMs by category, and it blocks communications between the groups.
You can also specify an additional category to restrict the scope of the isolation environment to that category.
For example, consider that you have an application category with values app1 and app2, and that you have associated some VMs with application: app1 and some VMs with application: app2. Also, consider that these same VMs are distributed between two sites and have accordingly been associated with values site1 and site2 in a category named location (location: site1 and location: site2).
In this example, you might want to block communications between the VMs in the two locations. Additionally, you might want to restrict the scope of the policy to VMs in category application: app1. In other words, app1 VMs in site1 cannot communicate with app1 VMs in site2. The following diagram illustrates the desired outcome. The red connectors illustrate blocked traffic. The green connectors illustrate allowed traffic.
You can configure an isolation policy for this by creating the following categories and isolation policy in Prism Central:
Entity | Values |
---|---|
Categories | application: app1, application: app2, location: site1, location: site2 |
Isolation Policy | Isolate location: site1 from location: site2, with the scope restricted to application: app1 |
An isolation environment policy identifies two groups of VMs and blocks communications between the groups. The two groups are identified by category. You can specify an additional category to restrict the scope of the policy to that category.
To create an isolation environment, do the following:
Matching names appear in a list as you type. You can click the name of the category you want.
If you isolate VMs in category Environment: Production from VMs in category Environment: Staging, and you restrict the scope of the policy to VMs in the category Environment: Dev, Prism Central applies the isolation policy to the following groups:
Environment: Production and Environment: Dev
Environment: Staging and Environment: Dev
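The following added example (not Nutanix code; the VM inventory is constructed to mirror the app1/app2 and site1/site2 example above) computes the two groups an isolation policy separates and shows how an optional scope category narrows both groups, so that only app1 VMs in site1 and app1 VMs in site2 are blocked from each other while app2 VMs are untouched.

```python
# Constructed sample inventory (not from the page): VM name -> category values.
VMS = {
    "vm-a": {"application": "app1", "location": "site1"},
    "vm-b": {"application": "app1", "location": "site2"},
    "vm-c": {"application": "app2", "location": "site1"},
    "vm-d": {"application": "app2", "location": "site2"},
    "vm-e": {"application": "app1"},  # no location value at all
}


def in_category(vm, selector, vms=VMS):
    """True if the VM carries the 'key: value' category named by selector."""
    key, value = (part.strip() for part in selector.split(":", 1))
    return vms.get(vm, {}).get(key) == value


def isolation_groups(first, second, scope=None, vms=VMS):
    """Return the two VM sets the policy isolates; scope narrows both sets."""
    group1 = {vm for vm in vms if in_category(vm, first, vms)}
    group2 = {vm for vm in vms if in_category(vm, second, vms)}
    if scope:
        group1 = {vm for vm in group1 if in_category(vm, scope, vms)}
        group2 = {vm for vm in group2 if in_category(vm, scope, vms)}
    return group1, group2


def is_blocked(src, dst, first, second, scope=None, vms=VMS):
    """Traffic is blocked only when src and dst sit in opposite isolation groups."""
    group1, group2 = isolation_groups(first, second, scope, vms)
    return (src in group1 and dst in group2) or (src in group2 and dst in group1)
```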
To modify an isolation environment, do the following:
Applying an isolation environment policy enforces the policy on the specified categories, and any traffic between the categories is blocked.
To apply an isolation environment policy, do the following:
To monitor a security policy, do the following:
To delete an isolation environment policy, do the following:
Prism Central includes a system defined quarantine policy that enables you to perform the following tasks:
For these use cases, Prism Central includes built-in categories that are included in the system defined quarantine policy.
Prism Central also enables you to monitor the quarantine policy before applying it.
The quarantine policy cannot be deleted.
In the built-in quarantine policy, you specify categories that can communicate with VMs that have been added to the Quarantine: Forensics category.
To configure the quarantine policy, do the following:
When entering the name of a category, a list of matching names is displayed, and you can select the name you want to specify. The subnet mask must be specified in the CIDR format.
You quarantine a VM by adding the VM to a quarantine category.
To add an infected VM to a quarantine category, do the following:
To remove a VM from the quarantine, do the following:
The VDI Policy is based on identity-based categorization of the VDI VMs using Active Directory group membership. Configuring VDI policy includes adding an Active Directory domain that is used for the ID firewall ( ID Based Security ) and configuring a service account for the domain.
ID firewall is an extension to Flow that allows you to write security policies based on users and groups in the Active Directory domain to which your VDI VMs are joined. When using ID firewall, you can import groups from Active Directory into Prism Central as categories (in the category key ADGroup), and then write policies around these categories, just as you would for any other category. A new type of policy has been added for this purpose: the VDI Policy. ID firewall automatically places VDI VMs in the appropriate categories when it detects user logons to VMs hosted on Nutanix infrastructure associated with Prism Central, thus allowing user- and group-based enforcement of Flow policies.
ID firewall integrates Nutanix Flow with Microsoft Active Directory (AD), such that the groups in the AD can be imported into Prism Central as categories. These imported categories can then be used in the VDI policy as target groups, inbound traffic, and outbound traffic. Prism Central automatically places VMs inside the imported AD group categories when user logons are detected on VMs that are part of the Active Directory domain and also present on Nutanix managed clusters, thus applying security policies based on user group membership.
You can use the VDI VM Filter for the following scenarios.
The Default VDI policy feature allows you to apply a default set of rules as defined by the desktop administrator for VDI VMs and users. There are two primary use cases for Default VDI Policy ( ADGroup:Default ).
You can define a default VDI policy at the time of creating a new VDI policy, or by updating any existing VDI policy. See Step 2b of the VDI Policy Configuration topic for details.
Active Directory Domain Services configuration is used to import user groups for identity based security policies.
To configure an Active Directory domain, do the following.
Click + and add each domain controller individually, then click the blue check mark icon to save.
This is a name you choose to identify this entry; it need not be the name of an actual directory.
Enter the domain name in DNS format, for example, nutanix.com.
A service account is a special user account that an application or service uses to interact with Active Directory. Enter your Active Directory service account credentials in this (username) field and the following (password) field.
ID Firewall uses the same service account for ID based security, which has additional requirements; see Configure Service Account for ID Firewall.
Active Directory service account in Prism Central is used for connectivity with the Active Directory domain services. ID Firewall also uses the same service account for ID based security.
To configure a service account for ID firewall, do the following.
WMIMGMT.msc command to start the Windows Management Instrumentation snap-in.
winmgmt service.
C:\> net stop winmgmt
C:\> net start winmgmt
Alternatively, reboot the domain controller.
To modify the VDI policy, do the following:
Applying the VDI policy enforces the policy on the specified categories (VDI AD groups), and any traffic between the categories is blocked.
To apply the VDI policy, do the following:
To monitor a security policy, do the following:
To delete the VDI policy, do the following:
You can apply different types of filters to view results based on properties such as source, destination, category, ports, and more. You can also group related rule attributes together for easier visualization of connection flows. Grouping and filtering work together to provide an intuitive view of the security policy.
To apply filtering and grouping to a security policy, do the following.
Prism Central allows you to export and import security policies for the following security administration aspects.