
SAV for NAS 5.2 Challenges

Created: 06 Feb 2013 • Updated: 12 Feb 2013 | 2 comments
InsentraCameronM's picture
This issue has been solved. See solution.

 

Hello SymTeam!

 

I have a few questions regarding the functioning of SAV for NAS.

 

Background:

I have a pair of Scan Engine servers configured to scan a pair of NetApp filers. It is expected that this setup will allow for load balancing and failover for scanning. Currently each Scan Engine server is scanning the same Filer even though both Filers are meant to be scanned. The second Filer is not being scanned at all. When an error is encountered the same error shows up on both Scan Engine servers.

1. I need some more info on how a Scan Engine pair work together.

a. Alerts are logged when a Scan Engine cannot scan a file (cause to be determined). The same error is being logged on both Scan Engine servers. I am GUESSING that when such an error does occur on one Scan Engine then it may ask the other Scan Engine to try to scan the file. This MAY BE why I am seeing the same errors for the same files across both Scan Engines. Can I get this functionality confirmed please?

2. I need more info on how the Scan Engines work with multiple NetApp Filers.

a. All the alerts/logs I observe seem to focus on just ONE Filer IP – never across both Filer IPs. Is this normal?

c. Do the Filers automatically load balance across the two Scan Engine servers or are the Scan Engine servers listed in the NetApp console configured as a "primary" and "secondary"? If so, how do you set the second Scan Engine server to be a "secondary"? Can I get this functionality confirmed please? 

From the NetApp, the current setup can be seen below:

Virus scanners(IP and Name)            P/S    Connect time (dd:hh:mm)  Reqs      Fails    Curr. Reqs.
-------------------------------------------------------------------------------------------------------
203.15.191.118  \\ScanEngineServer1    Pri    06:16:59                 391937    273      0
203.15.191.119  \\ScanEngineServer2    Pri    05:21:37                 391936    295      0

 

 

3. I need more info on how the Scan Engines work with client PC Network AV scanning.

a. The current architecture implemented has both the Scan Engines and SEP clients setup to scan network files. This means that when a network file is accessed via a client PC, the Scan Engine(s) first scan the file – then, the PC SEP client will also attempt to scan the file. 

This does not seem very efficient & doubles up on scanning that perhaps could be considered overkill. It is suggested in some knowledgebase articles that this could be a possible cause of the scanning errors I am observing, i.e. because of a conflict between the Scan Engine & the local PC AV tool both trying to scan the file. Some articles recommend disabling the PC Network file AV scanning capabilities if Scan Engines are employed. Not sure if this can be done on a per share/UNC/Filer basis or not.

4. When can I get an admin guide for NetApp so I can see what commands are available?

Cheers,

 

2 Comments

BenDC's picture

1) The Scan Engines are not aware of each other and do not communicate or share/pass any information between them. What is scanned and the Scan Engine it is scanned on is up to the filer. If the filer requests that a file be scanned by one Scan Engine and then later by the other Scan Engine, you may see the same errors and log information across the two Scan Engines.

2) Each Scan Engine must be registered with each filer you wish it to scan files for, and each filer must have vscan configured and enabled.

3) I do not support or have in-depth knowledge of the SEP product; however, I do not believe you can disable network scanning on a per-UNC/filer basis.

4) NetApp would provide the commands and manual for operations with the filer software, not Symantec.

 

I have attached the integration guide for Scan Engine for Network Attached Storage for your review, as well as the Scan Engine Manual (implementation guide).

Attachment                  Size
Integration_Guide.pdf       1.08 MB
Implementation_Guide.pdf    2.64 MB
InsentraCameronM's picture

From the NetApp Best Practices Guide

 

2.9 MULTIPLE AV SERVERS AND MULTIPLE NETAPP STORAGE DEVICES
Though it is not necessary, at least two antivirus servers are recommended for redundancy and higher availability. During normal operation, the NetApp storage devices will automatically load balance between multiple AV servers.
 
2.10 AV SERVER FAILURES
If one or more scanning servers (Windows computers that run the antivirus software) fails or is unavailable, the NetApp storage device will time out the connection to the nonresponsive scanning servers and continue using the remaining scanning servers. The default timeout period is 12 seconds. If no scanning servers are available, the administrator may configure the NetApp storage device in one of two ways:
• Resume file access without virus scanning
• Deny all file access
This behavior is configured with the vscan option mandatory_scan. In all cases the antivirus servers will automatically contact and register themselves with their associated NetApp storage devices when they are back online. Once this occurs, the NetApp storage devices will resume normal operation with virus scanning enabled.
 
Best Practices
• Avoid large AV scanning farms with too many NetApp storage devices served by too many AV scanner servers. Instead, choose a pod design, as described in section 5.1. This avoids performance spikes, which might be caused if all NetApp storage devices decide to choose the same AV scanner server at the same time. In this scenario one AV scanner server could become overwhelmed by many NetApp storage devices.
• Use an AV scanner server dedicated to antivirus scanning and not used for other jobs such as backup. The reason is that any application running on the machine will share the CPU cycle and memory on the server. This will increase the CPU latency (cycle) for the AV process and will reduce the number of AV requests being processed in any particular time interval.
• Connect to the AV scanner server using NetApp storage device IP address and not the NetApp storage device's NetBIOS name to control which NetApp storage device interface is used.
• Connect the NetApp storage system and AV scanner using a gigabit network.
• For an environment with multiple NetApp storage devices and multiple scanners, make all AV scanners connected with similar high-performing network connections as primary to all the NetApp storage devices. This will improve the performance by load sharing. 
• If you have two different data centers in two different locations (local and remote), make all the local AV scanners as primary to all local NetApp storage devices and make those as secondary to all remote NetApp storage devices and vice versa. Also, depending on the amount of vscan requests, some NetApp storage devices (FAS960 or higher: NetApp storage system D) might require additional dedicated scanners that aren't to be shared with other NetApp storage devices as secondary scanners. 
• For remote sites/branch offices, it is recommended to use local AV scanners rather than remote AV scanners due to high latency. If cost is a factor, then customers can rely on laptop/PC virus protection for moderate virus protection. They can also schedule periodic complete file system scans by sharing the volumes/qtrees and scanning on them from any system in the remote site.
• Setting up vscan timeout values according to the AV software product will result in smoother operation with fewer scanning errors. See the NOW™ knowledge base article KB3378 for more information on timeout values.

 

Cameron Mottus

SOLUTION
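
A registration check built on answer 2 above (each Scan Engine must be registered with each filer) and on the load-balancing behaviour quoted from section 2.9, as an added example that is not part of the thread and not Symantec or NetApp tooling. It parses the scanner table in the format pasted in the question; the filer names, the expected-scanner set and the failure-ratio threshold are assumptions made for illustration.

```python
import re

# Constructed input. filerA's rows are copied from the question; filerB (a
# hypothetical name) shows a filer with no scanner registered at all.
HEADER = "Virus scanners(IP and Name)  P/S Connect time (dd:hh:mm)  Reqs  Fails  Curr. Reqs.\n"
TABLES = {
    "filerA": HEADER + r"""
203.15.191.118  \\ScanEngineServer1    Pri    06:16:59    391937    273    0
203.15.191.119  \\ScanEngineServer2    Pri    05:21:37    391936    295    0
""",
    "filerB": HEADER,
}
EXPECTED = {"203.15.191.118", "203.15.191.119"}  # scanners every filer should list

# Columns: ip, \\name, role, dd:hh:mm, reqs, fails, current requests
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\\\\(\S+)\s+(\S+)\s+(\d+):(\d+):(\d+)"
                 r"\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_scanners(text):
    """Return one dict per scanner row; header and rule lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, name, role, dd, hh, mm, reqs, fails, cur = m.groups()
            rows.append({"ip": ip, "name": name, "role": role,
                         "connected_min": (int(dd) * 24 + int(hh)) * 60 + int(mm),
                         "reqs": int(reqs), "fails": int(fails), "current": int(cur)})
    return rows

def request_share(rows):
    """Fraction of all scan requests each scanner received from this filer."""
    total = sum(r["reqs"] for r in rows)
    return {r["ip"]: r["reqs"] / total for r in rows} if total else {}

def audit(tables, expected_ips, max_fail_ratio=0.001):
    """List (filer, ip, finding) for missing scanners and high failure ratios."""
    findings = []
    for filer, text in sorted(tables.items()):
        rows = parse_scanners(text)
        for ip in sorted(set(expected_ips) - {r["ip"] for r in rows}):
            findings.append((filer, ip, "not registered"))
        for r in rows:
            if r["reqs"] and r["fails"] / r["reqs"] > max_fail_ratio:
                findings.append((filer, r["ip"], "high fail ratio"))
    return findings

if __name__ == "__main__":
    for finding in audit(TABLES, EXPECTED, max_fail_ratio=0.0005):
        print(finding)
```

On the table from the question, the near-equal request counts are what load balancing across two primary scanners looks like from one filer; a filer that lists no rows is one the Scan Engines have not registered with.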