Creating a Protected Group for NAS File Systems

Prerequisites

• At least one Air Gap network isolation area has been created.
• A storage device has been added to the site, and the ProtectManager application has been deployed on the storage device.

• The standby storage arrays at the Air Gap site use Dorado 6.1.6 or later versions.
• Air Gap remote devices support only Fibre Channel and IP links and do not support RoCE links.
• Before creating a protected group, ensure that related local file systems exist on ProtectManager.

Constraints

• The maximum number of ransomware protection groups is 512, and a maximum of 8 objects can be added to a ransomware protection group.
• An SLA named BCManagerNASAirGapSLA whose backup retention type is permanent is created on ProtectManager. All file systems in all NAS Air Gap ransomware protection groups are associated with this SLA. The SLA is maintained by BCManager. Users are not allowed to perform any operations. Otherwise, the normal running of the ransomware protection group will be affected.

Context

Protected objects in a protected group must reside on the same storage device.

Procedure

1. In the menu bar, Choose Protection.
2. Click Create.
3. Select a protected object type.
   1. Select Owning Site and Storage Array.
   2. Enable anti-ransomware detection. After this function is enabled, Air Gap Anti-Ransomware Backup (NAS): Backup protection solution is created.
      

      If ransomware detection is not enabled, Air Gap Backup (NAS): Backup protection solution is created.

   3. Select the file systems that you want to protect.

      Set Available File System to vStore or File system.

      

      • If Available File System is set to vStore, you need to disable synchronization sharing and authentication when creating a remote replication tenant pair.
      • If an anti-ransomism protected group has been created for the selected tenant or file system, ensure that SLA protection has been removed from the file system on ProtectManager before creating an anti-ransomism protected group.

4. Click Next.
5. Set a protection policy.
   1. On the Protection Policy page, the system automatically matches supported protection policies. Select a protection policy based on your data protection solution.
   2. Click Set to set the protection policy for the protected group.
      • For the Air Gap Backup (NAS) protection policy, perform the following operations:
        1. In the Quick Backup area of the Policy page, click Set to set the protection policy for the protected group.
        2. Click Enable Quick Backup and select Backup Type.
           • HyperCDP
           • Common snapshot
             

             If you select Secure Snapshot, the generated snapshot copy is converted to a secure snapshot only when the ransomware detection status of the snapshot copy is Uninfected.

        3. (Optional) Enable Grace Period Mode.
           

           • If a protection plan is not completed within the specified port time window or protected group execution period, the system does not stop the protection task.
           • If Grace Period Mode is enabled for a protected group and a protected group task is being executed at the time when the periodic task of the protected group is triggered, the periodic task will not be executed.
        4. Click the Scheduling Policy tab. In the Time Policy area, set the time policy for the protected group. Table 1 lists related parameters.

           

           Table 1 Time policies

           Time Policy	Description
           On-demand scheduling	Manually starts protection tasks.
           Period-based scheduling	Automatically starts protection tasks based on a period set by the system. NOTE: To ensure data consistency, the execution timetable for a protected group policy template must be set. You are advised to set the execution time to off-peak hours. Tasks can be executed at multiple time points of a day, a week, or a month. Alternatively, at a specific time segment of a day, a week, or a month with a fixed frequency. It is recommended that the starting time of the validate period is set to a time later than the completion of the initial synchronization. If daylight saving time (DST) is enabled on the eReplication management server, a DR protection task whose trigger time point falls within the DST shift period cannot be executed at the scheduled time. Details are as follows: (UTC-08:00) Pacific Time (United States and Canada) is used as an example. The DST starts at 2016-03-12 02:00:00, and ends at 2016-11-06 02:00:00. If the start time of the protection policy falls within the first hour (2016-03-12 02:00:00 to 03:00:00) after the DST starts, for example, 2016-03-12 02:30:00, the protection group will be automatically executed with a delay of one hour, that is 2016-03-12 03:30:00. If the start time of the protection policy falls with the last hour (2016-11-06 01:00:00 to 02:00:00) before the DST ends, for example, 2016-11-06 01:30:00, the protection group will be executed after the DST ends for half an hour. The minimum interval for executing a security snapshot is 15 minutes. In periodic scheduling scenarios, security is preferred by default. If the execution time of a protection task exceeds the port time window and execution time window, storage replication is interrupted. When the execution time window is earlier than the execution time of the protection plan, the protection plan fails to be executed. Secure Execution is optional. After this function is enabled, periodic scheduling of the protected group will be stopped when the snapshot detection status of the protected group is Infected. Rectify the fault based on the actual infection status of the snapshot, and then manually execute the protected group. If the latest snapshot detection status is Uninfected, periodic scheduling will be enabled for the protected group again.

        5. When the Scheduling Policy is set to Period-based scheduling, in the Expected RPO area, if you select Enable PRO Requirement Satisfaction Check, the actual RPO is check against the configured RPO. If the actual RPO exceeds the expected RPO, the system generates an alarm, indicating that the RPO requirement is not satisfied.

           

           Expected RPO can be set to 0-31 days, 0-23 hours, and 5-59 minutes.

           

           If days and hours are not set, the Expected RPO is 15 minutes by default.

        6. Click the Reservation Policy tab and set the copy validity period, latest copy, and copy retention policy. For details about the related parameters, see Table 2.
           Figure 1 Enabling the Security Snapshot Retention Policy
           
           Figure 2 The Security Snapshot retention policy is not enabled.
           

           Table 2 Retention policies

           Retention Policy	Description
           Copy validity period	This parameter is displayed when the backup type is secure snapshot. The value of Daily Copy ranges from 1 to 7300, and the default value is 1. The value of Monthly Copy ranges from 1 to 240, and the default value is 1. The value of Yearly Copy ranges from 1 to 20, and the default value is 1.
           Latest duplicate	The number of duplicates cannot exceed the maximum number of snapshots that can be taken for a storage resource.
           Duplicate retention	The duplicate retention policy defines the retention policy of duplicates generated during the protected group protection. When the system starts duplicate maintenance, expired and invalid duplicates will be deleted based on the duplicate retention policy. By default, the time to maintain duplicates is the 39th minute of every hour. You can set the minimum number of duplicates to be retained. The system will not delete valid duplicates until the number of invalid duplicates exceeds the minimum number of duplicates you set. The value range for a daily policy is 0–365. The default value is 0, meaning to retain no duplicates. The value range for a weekly policy is 0–52. The default value is 0, meaning to retain no duplicates. The value range for a monthly policy is 0–60. The default value is 0, meaning to retain no duplicates. When determining the number of retained duplicates, consider the following: Data importance and DR requirements. If data of the latest five months must be retained, you are advised to set the retention period by month. Available storage space of a storage device. If the available space of a storage device is sufficient, you are advised to retain more duplicates that are more important. NOTE: For example, if the current time is 2017/4/11 08:40:00, configure the protected group as following: Set the execution policy to be performed at every hour exactly. Set the retention policy to keep five latest duplicates, three daily duplicates, two weekly duplicates, and one monthly duplicate. If the protected group is under the automatically scheduled protection for a long time, the duplicates retained are as follows after the duplicate maintenance is complete at the current time: Latest duplicates were generated at: 2017-04-11 08:00, 2017-04-11 07:00, 2017-04-11 06:00, 2017-04-11 05:00, and 2017-04-11 04:00. Daily duplicates are generated at: 2017-04-10 23:00, 2017-04-09 23:00, and 2017-04-08 23:00. Weekly duplicates were generated at: 2017-04-09 23:00 and 2017-04-02 23:00. The monthly duplicate was generated at: 2017-03-31 23:00. NOTE: If the duplicate maintenance is not triggered, or daily, weekly, or monthly duplicate retention is configured, the number of retained duplicates may exceed the number of latest duplicates being retained. If the scheduling time period is second, the copy retention policy is automatically executed by the storage device.

        7. Click Replication Policy tab to set the remote replicate rate between storage arrays. Table 3 lists related parameters.

           

           Table 3 Replication policies

           Replication Policy	Description
           Default configuration	The remote replication rate is the default one set on the storage array.
           Manual configuration	Users can set the remote replication rate for each time segment. Configure the automatic remote replication rate of the storage based on the pre-set replication rate of time period. Select Manual configuration. Click a time color block to modify the replication rate during a time segment.

        8. Click OK.

6. Click Next.
7. Set Name and Description of the protected group.
   • Name: contains 4 to 32 characters, including letters, digits, underscores (_), and hyphens (-), but cannot start with a hyphen (-).
   • Description: contains 0 to 255 characters.

8. When the Backup (NAS) DR technology is used, if you do not want to manually create a recovery plan for the protected group, select Automatically create a recovery plan after creating protected groups at the lower left corner.
9. Click Finish.
10. Click OK.

Related Operations

• If the protected objects of a protected group or their used storage devices change. On the menu bar, select Resources. And refresh resources or storage devices where the protected objects reside. Then go to the protected group page and refresh protected objects of the protected group by clicking More > Refresh. After the command for refreshing information is sent, you can view details about the command execution in Background Task.
  

  If a recovery plan has been created for a protected group, you can refresh protected objects only when the recovery plan status is Ready or Rollback completed.

• To ensure that information about protected groups is refreshed successfully, you must refresh information about storage devices and hosts at both the production site and DR site.
  

  If a protected group uses backup (SAN), a snapshot copy being used by a recovery plan cannot be deleted. To delete such a snapshot copy, wait until the recovery plan finishes clearing.