Prerequisites

Make sure your system fits the descriptions below before starting the installation.

Software Requirements

File Access Manager requires the latest ASP.NET Core 6.0.x Hosting Bundle. This bundle consists of the .NET Runtime and the ASP.NET Core Runtime. You can download the latest 6.0.x Hosting Bundle version from here.

Permission Requirements

File Access Manager requires different permissions, based on the tasks performed.

The following listing describes the required permissions by File Access Manager task, in addition to the permissions described in sections 4.3, 54, or 6.3:

Activity Monitoring

  • Refer to the additional information in the Permissions section of the relevant configuration (Physical 7-Mode/Virtual 7-Mode/Cluster Mode).

CIFS Access Permissions

Crawling

  • Requires a user with Share Read permission to all shares.

Permission Collection

  • Requires a user with Share Read permission to all shares.

  • Enumeration of CIFS Share-Level Permissions - Refer to the additional information in the Permissions section of the relevant configuration (Physical 7-Mode/Virtual 7-Mode/Cluster Mode).

  • Enumeration of local Users and Groups - Refer to the additional information in the Permissions section of the relevant configuration (Physical 7-Mode/Virtual 7-Mode/Cluster Mode).

Data Classification

  • Requires a user with Share Read permission to all shares.

NFS Access Permissions

Crawling

  • Requires a user with permission to mount all NFS exports on the virtual NFS server.

  • Requires a user with (a) read permission for all files, and (b) execute permission for all directories on the virtual NFS server.

Permission Collection

  • Requires a user with permission to mount all NFS exports on the virtual NFS server.

  • Requires a user with (a) read permission for all files, and (b) execute permission for all directories on the virtual NFS server.

Data Classification

  • Requires a user with permission to mount all NFS exports on the virtual NFS server.

  • Requires a user with (a) read permission for all files, and (b) execute permission for all directories on the virtual NFS server.

NetApp Physical Filer 7-Mode Requirements

  1. The monitor server is required to be in the same segment and AD Domain of the NetApp. No firewalls can be in the middle.

  2. The Activity Monitor service must run with the dedicated user described in section Physical Filer 7-Mode Permissions.

Physical Filer 7-Mode Policy Definitions

Note

The configuration below is for CIFS filers.

  1. To configure monitoring for NFS, repeat step 2 and replace whitebox_cifs with whitebox_nfs.

  2. Run the following commands in the NetApp:

    options fpolicy.enable on

    fpolicy create whitebox_cifs screen

    fpolicy options whitebox_cifs required off

    fpolicy options whitebox_cifs cifs_disconnect_check on

    fpolicy options whitebox_cifs serverprogress_timeout 1

    fpolicy options whitebox_cifs reqcancel_timeout 1

    fpolicy options whitebox_cifs cifs_setattr on

    fpolicy enable whitebox_cifs

  3. It is recommended to include only the volumes that must be monitored by fpolicy, to reduce the load on the NetApp machine.

  4. To include only specific volumes to be monitored, run the following command:

    fpolicy volume include add whitebox_cifs <vol name>

Note

<vol name> must be the short volume name as shown in the volume status command, without the /vol/ prefix.

Physical Filer 7-Mode Permissions

To configure required permission for all File Access Manager tasks:

  1. Create a dedicated domain user for the filer (for example, SIQ_<filername>). This user will be used in the application configuration, and must also be the user running the Activity Monitor service.

  2. This user must be a member of the Backup Operators and Power Users groups on the NetApp and an administrator on the server running the Activity Monitor service.

  3. Run the following commands in the NetApp physical filer to grant the File Access Manager user permissions to access the Ontapi web API.

    Replace <DOMAIN> with the domain name and siq_<filername> with the correct user name:

    useradmin role add siq_netapp_role -a login-http-admin,api-nfs-exportfs-list-rules,api-cifs-share-list-iter-start,api-cifs-share-list-iter-next,api-cifs-share-list-iter-end,api-cifs-share-acl-list-iter-start,api-cifs-share-acl-list-iter-next,api-cifs-share-acl-list-iter-end,api-qtree-list,api-useradmin-group-list,api-useradmin-user-list,security-api-vfiler,api-system*,api-useradmin-domainuser-list,api-fpolicy-list-info,api-fpolicy-get-policy-options,api-volume-list-info,api-fpolicy-volume-list-info

    useradmin group add siq_group -r siq_netapp_role

    useradmin domainuser add <DOMAIN>\siq_<filername> -g siq_group,"Backup Operators","Power Users"

Internal Note
  1. CVE-2016-2183 TLS Protocol 64-bit Cipher Vulnerability in Multiple NetApp Products

  2. Disabling TLS 1.0 on your Windows 2008 R2 server – just because you still have one

Physical Filer 7-Mode Communications Requirements

Requirement | Source | Destination | Port
File Access Manager Message Broker | Permissions Collector/Data Classification Collector | RabbitMQ | 5671
File Access Manager Access | Activity Monitor | File Access Manager Servers | 8000-8008
NetApp CIFS Access | Activity Monitor | NetApp | RPC (135 + Dynamic)
NetApp fpolicy | NetApp filer | Activity Monitor | MSRPC (139)
NetApp fpolicy | Activity Monitor | NetApp | MSRPC (139)
NetApp Web API | Activity Monitor/Permissions Collector | NetApp | 443 (https)
NetApp NFS Access | Permissions Collector/Data Classification | NetApp | UDP/TCP 111, 2049 (NFSv3)

NetApp Virtual Filer 7-Mode Requirements

  • The activity monitor server is required to be in the same segment and AD Domain of the NetApp. No firewalls can be in the middle.

  • The Activity Monitor service must run with the dedicated user described in section Virtual Filer 7-Mode Permissions.

Ontapi API Configuration Options

When working with 7-mode, there are two configuration options, which affect how the connector communicates with the NetApp ONTAPI API:

  1. A single physical filer: there are no vFilers defined on NetApp, and there’s only one filer.

    In this configuration, communications are made directly with the filer.

  2. vFilers (Multiple logical filers): there is more than one logical filer defined on the NetApp storage, with the original named vFiler0 (vFiler Zero).

    With vFilers, ONTAPI communications pass through vFiler0 and are targeted at the correct vFiler using its name.

Virtual Filer 7-mode FPolicy Definitions

  1. The configuration below is for CIFS filers. To configure monitoring for NFS, repeat step 2 and replace whitebox_cifs with whitebox_nfs

  2. Run the following commands in the NetApp vfiler:

    vfiler context vfilername

    options fpolicy.enable on

    fpolicy create whitebox_cifs screen

    fpolicy options whitebox_cifs required off

    fpolicy options whitebox_cifs cifs_disconnect_check on

    fpolicy options whitebox_cifs serverprogress_timeout 1

    fpolicy options whitebox_cifs reqcancel_timeout 1

    fpolicy options whitebox_cifs cifs_setattr on

  3. To start fpolicy, run:

    fpolicy enable whitebox_cifs

  4. It is recommended to include only the volumes that must be monitored by FPolicy, to reduce the load on the NetApp machine.

    To include only specific volumes to be monitored, run the following command:

    fpolicy volume include add whitebox_cifs <vol name>

    Note

    <vol name> must be the short volume name as shown in the ‘volume status’ command, without the /vol/ prefix

Virtual Filer 7-Mode Permissions

To configure the required permission for all File Access Manager tasks:

  1. When monitoring a vfiler, File Access Manager uses vfiler tunneling for the NetApp Web API.

  2. The tunneling works if the vfiler and vfiler0 (the physical filer, "vfiler zero") are in the same domain, or if vfiler0 can resolve users from the vfiler domain.

  3. If vfiler0 is not in any domain or cannot resolve the domain user, create a local user on vfiler0, and follow the steps described in section Configuring a Local NetApp User for the Ontapi API after the Activity Monitor and Permissions Collector installation.

  4. Create a dedicated domain user for the filer. This user will be used later in the application configuration, and must also be the user running the Activity Monitor service.

    • siq_<filername> must be part of the domain.

    • In the commands below, replace <DOMAIN> with the domain name and siq_<filername> with the correct username.

    • This user must be a member of the Backup Operators and Power Users groups in the NetApp (the command to add the user to the group is part of the sequence below).

    • This user must be an administrator on the server running the Activity Monitor service.

  5. Decide if a local user is required on vfiler0 according to the previous sections. If you are not sure, consult with your File Access Manager technical support.

  6. If a local user is required, name it SIQ_VFILER0.

  7. These commands need to run only once, when the first vfiler is configured. For subsequent vfilers, the role and group will be present and this step can be skipped.

  8. Run the commands below in the NetApp vfiler0 (vfiler zero) to grant the File Access Manager user permissions to access the Ontapi Web API.

    • Replace <DOMAIN> with the domain name and siq_<filername> with the correct user name:

      useradmin role add siq_netapp_role -a login-http-admin,api-nfs-exportfs-list-rules,api-cifs-share-list-iter-start,api-cifs-share-list-iter-next,api-cifs-share-list-iter-end,api-cifs-share-acl-list-iter-start,api-cifs-share-acl-list-iter-next,api-cifs-share-acl-list-iter-end,api-qtree-list,api-useradmin-group-list,api-useradmin-user-list,security-api-vfiler,api-system*,api-useradmin-domainuser-list,api-fpolicy-list-info,api-fpolicy-get-policy-options,api-volume-list-info,api-fpolicy-volume-list-info

      useradmin group add siq_group -r siq_netapp_role

      vfiler context vfiler0

      useradmin domainuser add <DOMAIN>\siq_<filername> -g siq_group,"Backup Operators","Power Users"

  9. If this is the first vfiler added for monitoring, a local user is needed. Run the following command:

    useradmin user add siq_VFILER0 -g siq_group

    Note

    If this is NOT the first vfiler added for monitoring then the user is present and is associated with the group. This step can be skipped.

  10. After the command is completed, assign a password for the local user.

Configuring a Local NetApp User for the Ontapi API

Note

Make sure you have the password for the NetApp local user created as explained in the Permissions section

  1. Go to the File Access Manager installation folder on one of the File Access Manager central servers.

  2. Open the folder "%SAILPOINT_HOME%\FileAccessManager\Server Installer\Tools\EncryptStringForService".

  3. Copy the content of the folder to the server on which the Activity Monitor service is installed.

  4. Run EncryptStringForService.exe [password to encrypt].

  5. Copy the output of the command.

Activity Monitor

  1. Go to the Activity Monitor installation folder

  2. Edit the Activity BAMFramework.exe.config.

  3. Enter the name of the user in the alternativeUserName key:

    <add key="alternativeUserName" value="local user name"/>

  4. Paste the output of the command copied in Section 5 into the value of the alternativeUserPassword key:

    <add key="alternativeUserPassword" value="encrypted password from step 4"/>

  5. Restart the Activity Monitor service.

Permission Analysis

  1. Go to the Permission Analysis installation folder.

  2. Edit the RoleAnalyticsServiceHost.exe.config.

  3. Enter the name of the user in the netAppApiUser key:

    <add key="netAppApiUser" value="local user name"/>

  4. Paste the output of the command copied in Section 5 into the value of the netAppApiPassword key:

    <add key="netAppApiPassword" value="encrypted password from step 4"/>

Required Data for Creating a NetApp Application

  • CIFS Server name

  • VFILER IP address

  • VFILER name

    • An internal name, usually the same as the normal vfiler host name
  • Local user name and password

    • If the vfiler0 (vfiler zero) is not in any domain or cannot resolve the user

Physical Filer 7-Mode Communications Requirements

Requirement | Source | Destination | Port
File Access Manager | Permissions Collector/Data Classification Collector | RabbitMQ | 5671
File Access Manager Access | Activity Monitor | File Access Manager Servers | 8000-8008
NetApp Access | Activity Monitor / Permissions Collector / Data Classification | NetApp VFILER | MSRPC (135 + Dynamic)
NetApp fpolicy | NetApp VFILER | Activity Server | MSRPC (139)
NetApp fpolicy | Activity Monitor | NetApp VFILER | MSRPC (139)
NetApp Web API | Permissions Collector / Activity Monitor | NetApp VFILER ZERO | 443 (https)
NetApp NFS Access | Permissions Collector | NetApp VFILER | UDP/TCP 111, 2049 (NFSv3)

NetApp 8.2+ Cluster Mode Requirements

According to the NetApp Architecture and File Access Manager section, each Vserver is represented as a single Application in File Access Manager. If multiple Activity Monitor services are installed on the same server, each Application must be configured with a unique dedicated port, which is the port on which the Activity Monitor receives the FPolicy communication.

Important

The monitor server is required to be in the same segment. No firewalls can be in the middle.

  1. Create a domain user for the monitor, for example, siq_vservername.

    Lowercase is recommended.

  2. Verify the case in which the user name is written in AD.

    This field is case sensitive.

  3. Each Vserver requires its own monitor installed.

Cluster Mode FPolicy Definitions

In the commands below, replace the parameters with the required values:

  • [vserver_name] - The name of the vserver.

  • [monitors server ip] - The IP address of the server where the Activity Monitor service is installed.

  • [port_number] - The port number configured in the Application configuration wizard in section 7.

  • [volume names to include] - Replace with * if all volumes need to be monitored, or enter a list of volumes to monitor.

  • [running_number] - A sequential number of the policy in the policy hierarchy. If no FPolicy is defined, this should be 1.

To configure FPolicy for CIFS:

fpolicy policy event create -event-name siq_cifs_events -protocol cifs -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open -vserver [vserver_name] -filters first-read,first-write,open-with-delete-intent

fpolicy policy external-engine create -vserver [vserver_name] -engine-name siq_cifs_engine -primary-servers [monitors server ip] -port [port_number] -extern-engine-type asynchronous -ssl-option no-auth

fpolicy policy create -vserver [vserver_name] -policy-name wbx_cifs_policy -events siq_cifs_events -engine siq_cifs_engine -is-mandatory false

fpolicy policy scope create -vserver [vserver_name] -policy-name wbx_cifs_policy -volumes-to-include [* or volume names to include]

fpolicy enable -vserver [vserver_name] -policy-name wbx_cifs_policy -sequence-number [running_number]

To configure FPolicy for NFS:

fpolicy policy event create -event-name siq_nfs3_events -protocol nfsv3 -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr -vserver [vserver_name]

fpolicy policy event create -event-name siq_nfs4_events -protocol nfsv4 -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr -vserver [vserver_name]

fpolicy policy external-engine create -vserver [vserver_name] -engine-name siq_nfs_engine -primary-servers [monitors server ip] -port [port_number] -extern-engine-type asynchronous -ssl-option no-auth

fpolicy policy create -vserver [vserver_name] -policy-name wbx_nfs_policy -events siq_nfs3_events,siq_nfs4_events -engine siq_nfs_engine -is-mandatory false -allow-privileged-access yes -privileged-user-name [domain\user_name]

fpolicy policy scope create -vserver [vserver_name] -policy-name wbx_nfs_policy -volumes-to-include [* or volume names to include]

fpolicy enable -vserver [vserver_name] -policy-name wbx_nfs_policy -sequence-number [running_number]

Note

If multiple activity monitors are installed on the same server, set a unique port per vserver, and replace [port_number] with the value configured in the Application.
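
The unique-port rule in the note above is easy to break when several vservers are onboarded by hand. The following added example (not part of the File Access Manager documentation or tooling) checks a planned set of Applications for port collisions and malformed values, then renders the CIFS commands from this section. The function names, the name allow-list and the sample inventory are assumptions made for illustration.

```python
import ipaddress
import re

# The five CIFS commands from this section, with the bracketed parameters
# turned into {placeholders}. List values are written without spaces.
CIFS_TEMPLATE = (
    "fpolicy policy event create -event-name siq_cifs_events -protocol cifs "
    "-file-operations create,create_dir,delete,delete_dir,read,write,rename,"
    "rename_dir,setattr,open -vserver {vserver} "
    "-filters first-read,first-write,open-with-delete-intent",
    "fpolicy policy external-engine create -vserver {vserver} "
    "-engine-name siq_cifs_engine -primary-servers {monitor_ip} "
    "-port {port} -extern-engine-type asynchronous -ssl-option no-auth",
    "fpolicy policy create -vserver {vserver} -policy-name wbx_cifs_policy "
    "-events siq_cifs_events -engine siq_cifs_engine -is-mandatory false",
    "fpolicy policy scope create -vserver {vserver} "
    "-policy-name wbx_cifs_policy -volumes-to-include {volumes}",
    "fpolicy enable -vserver {vserver} -policy-name wbx_cifs_policy "
    "-sequence-number {sequence}",
)

# Assumption: a conservative allow-list for vserver and volume names, so that
# nothing pasted into the cluster shell can carry spaces or extra options.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")

# Constructed sample inventory: two vservers reporting to one monitor server.
SAMPLE_APPS = [
    {"vserver": "svm_fin", "monitor_ip": "10.0.0.5", "port": 12000,
     "volumes": ["*"], "sequence": 1},
    {"vserver": "svm_hr", "monitor_ip": "10.0.0.5", "port": 12000,
     "volumes": ["vol_hr", "vol_pay"], "sequence": 1},
]


def validate(apps):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    listeners = {}  # (monitor_ip, port) -> first vserver that claimed it
    for app in apps:
        vs, ip, port = app["vserver"], app["monitor_ip"], app["port"]
        if not NAME_RE.fullmatch(vs):
            problems.append(f"{vs!r}: unexpected characters in vserver name")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{vs}: {ip!r} is not an IP address")
        if not (isinstance(port, int) and 1 <= port <= 65535):
            problems.append(f"{vs}: port {port!r} is not a valid TCP port")
        if not (isinstance(app["sequence"], int) and app["sequence"] >= 1):
            problems.append(f"{vs}: sequence number must be 1 or higher")
        for vol in app["volumes"]:
            if vol != "*" and not NAME_RE.fullmatch(vol):
                problems.append(f"{vs}: unexpected characters in volume {vol!r}")
        owner = listeners.setdefault((ip, port), vs)
        if owner != vs:
            problems.append(f"{vs}: port {port} on {ip} already used by {owner}")
    return problems


def render_cifs(app):
    """Fill the CIFS template for one validated application."""
    values = dict(app, volumes=",".join(app["volumes"]))
    return [line.format(**values) for line in CIFS_TEMPLATE]


if __name__ == "__main__":
    for problem in validate(SAMPLE_APPS):
        print("PROBLEM:", problem)
```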

Cluster Mode Permissions

  1. Create a new role for File Access Manager.

    security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs share access-control" -access readonly -vserver <vserver_name>

    security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs share" -access readonly -vserver <vserver_name>

    security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs users-and-groups local-group" -access readonly -vserver <vserver_name>

    security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs users-and-groups local-group show-members" -access readonly -vserver <vserver_name>

    security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs users-and-groups local-user" -access readonly -vserver <vserver_name>

    security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy engine-connect" -vserver <vserver_name>

    security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy engine-disconnect" -vserver <vserver_name>

    security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy show-engine" -access readonly -vserver <vserver_name>

    security login role create -role siq_netapp_role_82 -cmddirname "vserver services name-service unix-group" -access readonly -vserver <vserver_name>

    security login role create -role siq_netapp_role_82 -cmddirname "vserver services name-service unix-user" -access readonly -vserver <vserver_name>

    security login role create -role siq_netapp_role_82 -cmddirname "volume qtree" -access readonly -vserver <vserver_name>

    security login role create -role siq_netapp_role_82 -cmddirname "volume" -access readonly -vserver <vserver_name>

    security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy policy scope" -access readonly -vserver <vserver_name>

    security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy show" -access readonly -vserver <vserver_name>

    security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy policy" -access readonly -vserver <vserver_name>

    security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy policy external-engine" -access readonly -vserver <vserver_name>

    Note

    <vserver_name> = The Vserver name configured in NetApp settings.

    Note

    If the File Access Manager Application is configured to use Vserver Tunneling, run these commands at the cluster level without the -vserver parameter. However, if the File Access Manager Application is configured to use the Vserver directly, run these commands at the Vserver level without the -vserver parameter, or at the cluster level with the -vserver parameter.

  2. Create a new user for File Access Manager, and assign to the newly created role:

    security login create -vserver <vserver_name> -username <domain\user_name> -application ontapi -authmethod domain -role siq_netapp_role_82

    Important

    Domain and user_name must be configured with the same case as configured in the Application configuration.

    Important

    The username must be in the same case as defined in Active Directory. This is a known NetApp issue.

  3. Add the new user to the Backup Operators security group on each virtual CIFS server.

  4. Add the new user to the Power Users security group on each virtual CIFS server.

  5. If no domain-tunnel is configured, run the following command (this command should be run only once, and not for each vserver):

    security login domain-tunnel create -vserver [vserver_name]

    Important

    If the domain-tunnel cannot be configured, authentication to the NetApp Web API will fail with the Active Directory user configured in the Application configuration.

    Note

    It is possible to define an alternative local NetApp user to use instead of the user defined in the application configuration. Refer to Configuring a Local NetApp User for the Ontapi API for detailed instructions.

Communications Requirements

Requirement | Source | Destination | Port
File Access Manager Message Broker | Permissions Collector / Data Classification Collector | RabbitMQ | 5671
File Access Manager Access | Activity Monitor | File Access Manager Servers | 8000-8008
NetApp Access | Each NetApp Cluster Node | Activity Monitor | MSRPC + the port defined in the FPolicy definition (12000, or the specific port defined)
NetApp Web API | Activity Monitor / Permissions Collector | NetApp Cluster Management IP | 443 (https)
NetApp NFS Access | Permissions Collector / Data Classification | NetApp | UDP/TCP 111, 2049 (NFSv3)

NetApp OnTap 9.X Command Template

  1. Create a new role for File Access Manager for the CIFS vserver. For example, fam_netapp_role.

  2. Replace (v_server) with CIFS vserver from cluster.

  3. Replace (cluster) with cluster name.

    security login role create -role fam_netapp_role -cmddirname "vserver cifs share access-control" -vserver (v_server) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver cifs share" -vserver (v_server) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group" -vserver (v_server) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group show-members" -vserver (v_server) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-user" -vserver (v_server) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-connect" -vserver (v_server)

    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-disconnect" -vserver (v_server)

    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show-engine" -vserver (v_server) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-group" -vserver (v_server) -access all

    security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-user" -vserver (v_server) -access readonly

    security login role create -role fam_netapp_role -cmddirname "volume qtree" -vserver (v_server) -access readonly

    security login role create -role fam_netapp_role -cmddirname "volume" -vserver (v_server) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy policy scope" -vserver (v_server) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show" -vserver (v_server) -access readonly

  4. Create a new role for file access manager for the cluster (use cluster name for -vserver switch).

    security login role create -role fam_netapp_role -cmddirname "vserver cifs share access-control" -vserver (cluster) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver cifs share" -vserver (cluster) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group" -vserver (cluster) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group show-members" -vserver (cluster) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-user" -vserver (cluster) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-connect" -vserver (cluster)

    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-disconnect" -vserver (cluster)

    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show-engine" -vserver (cluster) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-group" -vserver (cluster) -access all

    security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-user" -vserver (cluster) -access readonly

    security login role create -role fam_netapp_role -cmddirname "volume qtree" -vserver (cluster) -access readonly

    security login role create -role fam_netapp_role -cmddirname "volume" -vserver (cluster) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy policy scope" -vserver (cluster) -access readonly

    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show" -vserver (cluster) -access readonly

  5. Assign the newly created role to the domain user created for fam (Upper and lower case are important.)

    security login create -vserver (cluster) -username domain\domainAccountFam -application ontapi -authmethod domain -role fam_netapp_role

    security login create -vserver (v_server) -username domain\domainAccountFam -application ontapi -authmethod domain -role fam_netapp_role

  6. Domain user must be a member of the Backup Operators group on the VServer. Execute the below command for the Vserver you intend to on-board.

    vserver cifs users-and-groups local-group add-members -vserver (v_server) -group-name "BUILTIN\Backup Operators" -member-names domain\domainAccountFam

  7. Domain user must be a member of the Power Users group on the Vserver. Execute the below command for the Vserver you intend to on-board.

    vserver cifs users-and-groups local-group add-members -vserver (v_server) -group-name "BUILTIN\Power Users" -member-names domain\domainAccountFam

  8. If no domain-tunnel is configured, run the following command (this command should be run only once, and not for each vserver):

    security login domain-tunnel create -vserver (v_server)

  9. CIFS Access:

    • User account should have Share Read permission to all shares.

    • Requires a user with Share Read permission to all shares

    • Should be able to enumerate CIFS Share-Level Permissions

    • Should be able to enumerate local Users and Groups

  10. Domain user must be an administrator (local administrator) on the server running the Activity Monitor service.

  11. Execute the commands to configure an FPolicy for the CIFS server.

    fpolicy policy event create -event-name fam_cifs_events -protocol cifs -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open -vserver (v_server) -filters first-read,first-write,open-with-delete-intent

    Note

    The IP address of the SailPoint Activity Monitor server should be used in place of x.x.x.x.

    fpolicy policy external-engine create -vserver (v_server) -engine-name fam_cifs_engine -primary-servers x.x.x.x -port 12000 -extern-engine-type asynchronous -ssl-option no-auth

    fpolicy policy create -vserver (v_server) -policy-name wbx_cifs_policy -events fam_cifs_events -engine fam_cifs_engine -is-mandatory false

    fpolicy policy scope create -vserver (v_server) -policy-name wbx_cifs_policy -volumes-to-include *

    fpolicy enable -vserver (v_server) -policy-name wbx_cifs_policy -sequence-number 1
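
The role definitions in Cluster Mode Permissions (siq_netapp_role_82) and in steps 3 and 4 of this template (fam_netapp_role) are long enough that differences in granted access are hard to spot by eye. The following added example (not part of the File Access Manager documentation or tooling) parses `security login role create` lines, lists every command directory granted more than readonly, and diffs two role definitions. The function names are hypothetical, and the two inputs are excerpts copied from this page.

```python
import shlex

# Excerpt of the siq_netapp_role_82 commands from Cluster Mode Permissions.
ROLE_82 = '''
security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs share" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy engine-connect" -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy engine-disconnect" -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver services name-service unix-group" -access readonly -vserver <vserver_name>
security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy policy" -access readonly -vserver <vserver_name>
'''

# Excerpt of the fam_netapp_role commands from the OnTap 9.X template.
ROLE_9X = '''
security login role create -role fam_netapp_role -cmddirname "vserver cifs share" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-connect" -vserver (v_server)
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-disconnect" -vserver (v_server)
security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-group" -vserver (v_server) -access all
'''


def parse_role_commands(text):
    """Map each -cmddirname to its effective access level."""
    entries = {}
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps quoted command directories whole
        if tokens[:4] != ["security", "login", "role", "create"]:
            continue
        # Everything after the verb is a sequence of "-option value" pairs.
        opts = dict(zip(tokens[4::2], tokens[5::2]))
        # ONTAP applies "all" when -access is omitted.
        entries[opts["-cmddirname"]] = opts.get("-access", "all")
    return entries


def broader_than_readonly(entries):
    """Command directories a reviewer should confirm need write access."""
    return sorted(d for d, access in entries.items() if access != "readonly")


def diff_roles(old, new):
    """Return {cmddirname: (old_access, new_access)} for every difference."""
    return {d: (old.get(d), new.get(d))
            for d in sorted(set(old) | set(new))
            if old.get(d) != new.get(d)}


if __name__ == "__main__":
    old, new = parse_role_commands(ROLE_82), parse_role_commands(ROLE_9X)
    print("More than readonly:", broader_than_readonly(new))
    for name, (before, after) in diff_roles(old, new).items():
        print(f"{name}: {before} -> {after}")
```

Running it against the complete command lists, rather than these excerpts, gives the full set of entries to confirm before the role is created.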