Best Practices for implementing Symantec Protection Engine for Network Attached Storage with a NetApp Filer
Last Updated January 16, 2018
What are some best practices for implementing Symantec Protection Engine for Network Attached Storage with a NetApp Filer?
Below is a list of best practices to use while installing and configuring Symantec AntiVirus for Network Attached Storage (Symantec Scan Engine) with the NetApp Filer,
1. Make sure that the server Protection Engine is installed on is a Windows 2008 or later server.
NOTE: Protection Engine 7.0.x and 7.5.x runs as a 32-bit process on a 64-bit operating system. Version 7.8.x and 7.9.x run as 64-bit processes as they are 64-bit applications.
2. Make sure that no other networking or OS-related services and software (other than the strictly necessary ones) are installed and running on the Scan Engine server.
3. The Protection Engine server should have at least 8GB of RAM, multi-core CPU with at least 4 cores, and at least 20 GB of free disk space. It is recommended to have 20+GB of free disk space.
4. Protection Engine Service account.
The Protection Engine Windows service should be configured with a Windows account. The Windows account should have the following permissions:
Member of the Backup Operators group on the NetApp Filer Local admin on the Protection Engine computer
Use the following steps to make this change:
a. Open the Windows Services Control Panel. b. Right click on Symantec Protection Engine and select the Log On tab. c. Enter the Windows account name and password. Click the OK button to close the properties. d. Restart the Symantec Protection Engine service.
5. Configure Scan Engine to register with the NetApp Filer.
a. Open the Scan Engine console (
https://localhost:8004). b. Click the Configuration tab. Then click Views|Protocol. c. Click the RPC radio option for Select Communication Protocol. d. Enter the IP address of the NetApp filer in the RPC client list textbox. If in clustered mode (C-Mode) enter the loopback IP address (127.0.0.1), then enter the LFS IP address in the OnTap AV Client that is installed on the Protection Engine server e. Click the Apply icon to save the changes.
NOTE: The NetApp filter does not use Protection Engine until the vscan is turned on (see below).
6. Tune performance settings for Protection Engine.
a. Open the Protection Engine console (https://localhost:8004). b. Click the Configuration tab. Then click Views|Resources. c. Set the value for Maximum RAM used for in-memory file system to 2048 MB. d. Set the value for Maximum file size stored within the in-memory file system to between 128-256 MB depending on the average file sizes on the NetApp filer. e. By default Protection Engine copies files locally for scanning that are larger than the value set for the in memory file system. This can create a lot more network traffic depending on the files that are being scanned. See the following article for having Protection Engine scan files in place: Improving network performance: Scan Engine 5.2.x for NAS and RPC Filers.
7. Configure NetApp filer timeouts.
Use the vscan options command on the NetApp filer to view the timeouts. The following are the defaults:
Use recommended settings from NetApp. If no recommendations are given, for abort_timeout use a time between 60-120 seconds. For the timeout setting use a time between 5-10 seconds.
Note:abort_timeout is how long the NetApp Filer gives Protection Engine to read the file, scan the file, and send a verdict back to the Filer. The timeout setting is how long the NetApp Filer gives Scan Engine to acknowledge a scan request.
8. Configure Protection Engine timeouts.
a. Open the Scan Engine console (
https://localhost:8004). b. Click the Policies tab. Then click Views|Filtering|Container Handling. c. The value of Time to extract file meets or exceeds should be set to approximately 2/3 of the NetApp Filer abort_timeout setting. For example if the abort_timeout is set to 90 seconds, the Protection Engine container timeout should be set to about 60 seconds. d. Review the remainder of the settings on the page. e. Click the Apply icon to save the changes.
9. The Protection Engine should now be ready for vscan to be set to 'on':