Creating a Protected Group for NAS File Systems

When the objects to be protected are NAS file systems on Huawei storage arrays. After the protected group is created, the system automatically matches suitable protection policies for the protected group.

Prerequisites

At least one Air Gap network isolation area has been created.
A storage device has been added to the site, and the ProtectManager application has been deployed on the storage device.
The standby storage arrays at the Air Gap site use Dorado 6.1.6 or later versions.
Air Gap remote devices support only Fibre Channel and iSCSI links and do not support RoCE links.
Before creating a protected group, ensure that related local file systems exist on ProtectManager.

Constraints

The maximum number of anti-ransomware protected groups is 512, and a maximum of 8 objects can be added to an anti-ransomware protected group.
An SLA named BCManagerNASAirGapSLA whose backup retention type is permanent is created on ProtectManager. All file systems in all NAS Air Gap anti-ransomware protected groups are associated with this SLA. The SLA is maintained by BCManager. Users are not allowed to perform any operations. Otherwise, the normal running of the anti-ransomware protected group will be affected.

Context

Protected objects in a protected group must reside on the same storage device.

Procedure

In the menu bar, Choose Protection.
Click Create.
Select a protected object type.
1. Select Owning Site and Storage Array.
2. Enable ransomware detection. After this function is enabled, Air Gap Anti-Ransomware Backup (NAS): Backup protection solution is created.
  
  If ransomware detection is not enabled, Air Gap Backup (NAS): Backup protection solution is created.
3. Select the file systems that you want to protect.
  Set Available File System to vStore or File system.
  - If Available File System is set to vStore, you need to disable synchronization sharing and authentication when creating a remote replication tenant pair.
  - If an anti-ransomware protected group has been created for the selected tenant or file system, ensure that SLA protection has been removed from the file system on ProtectManager before creating an anti-ransomware protected group.
Click Next.

Set a protection policy.

The system automatically matches supported protection policies. Select a policy based on your data protection solution.

Click Settings. In the Set Protection Policy dialog box, set the protection policy.

For the Air Gap Backup (NAS) protection policy, perform the following operations:

In the Quick Backup area of the Policy page, click Set to set the protection policy for the protected group.
Click Enable Quick Backup and select Backup Type.
- Secure snapshot
- Common snapshot
  
  If you select Secure Snapshot, the generated snapshot copy is converted to a secure snapshot only when the ransomware detection status of the snapshot copy is Uninfected.

(Optional) Enable Grace Period Mode.
- If a protection plan is not completed within the specified port time window or protected group execution period, the system does not stop the protection task.
- If Grace Period Mode is enabled for a protected group and a protected group task is being executed at the time when the periodic task of the protected group is triggered, the periodic task will not be executed.
- If the grace period mode is enabled for a protected group, the current protected group task is still restricted by the timeout period. By default, the timeout period of a protected group task is 12 hours, you can modify the array.sync.monitor.timeout configuration item in the /opt/BCManager/Runtime/LegoRuntime/conf/lego.properties configuration file to change the timeout period of a protected group task. For example, if the timeout period of a protected group task is set to 1 hour, the corresponding configuration item is array.sync.monitor.timeout=3600. Restart eReplication for the modification to take effect.

Click the Scheduling Policy tab. In the Time Policy area, set the time policy for the protected group. Table 1 lists related parameters.

**Table 1** Time policies
Time Policy	Description
On-demand scheduling	Manually starts protection tasks.
Period-based scheduling	Automatically starts protection tasks based on a period set by the system. NOTE: To ensure data consistency, the execution timetable for a protected group policy template must be set. You are advised to set the execution time to off-peak hours. Tasks can be executed at multiple time points of a day, a week, or a month. Alternatively, at a specific time segment of a day, a week, or a month with a fixed frequency. It is recommended that the starting time of the validate period is set to a time later than the completion of the initial synchronization. If daylight saving time (DST) is enabled on the eReplication management server, a DR protection task whose trigger time point falls within the DST shift period cannot be executed at the scheduled time. Details are as follows: (UTC-08:00) Pacific Time (United States and Canada) is used as an example. The DST starts at 2016-03-12 02:00:00, and ends at 2016-11-06 02:00:00. If the start time of the protection policy falls within the first hour (2016-03-12 02:00:00 to 03:00:00) after the DST starts, for example, 2016-03-12 02:30:00, the protected group will be automatically executed with a delay of one hour, that is 2016-03-12 03:30:00. If the start time of the protection policy falls within the last hour (2016-11-06 01:00:00 to 02:00:00) before the DST ends, for example, 2016-11-06 01:30:00, the clock will be rolled back to 01:00:00 after the DST ends at 02:00:00, and the protected group will be executed when the clock goes to 01:30:00. The minimum interval for executing a security snapshot is 15 minutes. In periodic scheduling scenarios, security is preferred by default. If the execution time of a protection task exceeds the port time window and execution time window, storage replication is interrupted. When the execution time window is earlier than the execution time of the protection plan, the protection plan fails to be executed. Secure Execution is optional. After this function is enabled, periodic scheduling of the protected group will be stopped when the snapshot detection status of the protected group is Infected. Rectify the fault based on the actual infection status of the snapshot, and then manually execute the protected group. If the latest snapshot detection status is Uninfected, periodic scheduling will be enabled for the protected group again.

When the Scheduling Policy is set to Period-based scheduling, in the Expected RPO area, if you select Enable RPO Requirement Satisfaction Check, the actual RPO will be checked against the configured RPO. If the actual RPO exceeds the expected RPO, the system generates an alarm, indicating that the RPO requirement is not satisfied.

Expected RPO can be set to 0 to 31 days, 0 to 23 hours, and 5 to 59 minutes.

If days and hours are not set, the Expected RPO is 15 minutes by default.

Click the Reservation Policy tab and set the copy validity period, latest copy, and copy retention policy. For details about the related parameters, see Table 2.

Figure 1 Security snapshot retention policy

Figure 2 Common snapshot retention policy

**Table 2** Retention policies
Retention Policy	Description
Copy validity period	This parameter is displayed when the backup type is secure snapshot. The value of Daily Copy ranges from 1 to 7300, and the default value is 1. The value of Monthly Copy ranges from 1 to 240, and the default value is 1. The value of Yearly Copy ranges from 1 to 20, and the default value is 1.
Latest duplicate	The number of duplicates cannot exceed the maximum number of snapshots that can be taken for a storage resource.
Duplicate retention	The duplicate retention policy defines the retention policy of duplicates generated during the protected group protection. When the system starts duplicate maintenance, expired and invalid duplicates will be deleted based on the duplicate retention policy. By default, the time to maintain duplicates is the 39th minute of every hour. You can set the minimum number of retained copies. If the number of valid copies does not exceed the minimum number, the system does not delete valid copies. The value range for a daily policy is 0–365. The default value is 0, meaning to retain no duplicates. The value range for a weekly policy is 0–52. The default value is 0, meaning to retain no duplicates. The value range for a monthly policy is 0–60. The default value is 0, meaning to retain no duplicates. When determining the number of retained duplicates, consider the following: Data importance and DR requirements. If data of the latest five months must be retained, you are advised to set the retention period by month. Available storage space of a storage device. If the available space of a storage device is sufficient, you are advised to retain more duplicates that are more important. NOTE: For example, if the current time is 2017/4/11 08:40:00, configure the protected group as following: Set the execution policy to be performed at every hour exactly. Set the retention policy to keep five latest duplicates, three daily duplicates, two weekly duplicates, and one monthly duplicate. If the protected group is under the automatically scheduled protection for a long time, the duplicates retained are as follows after the duplicate maintenance is complete at the current time: Latest duplicates were generated at: 2017-04-11 08:00, 2017-04-11 07:00, 2017-04-11 06:00, 2017-04-11 05:00, and 2017-04-11 04:00. Daily duplicates are generated at: 2017-04-10 23:00, 2017-04-09 23:00, and 2017-04-08 23:00. Weekly duplicates were generated at: 2017-04-09 23:00 and 2017-04-02 23:00. The monthly duplicate was generated at: 2017-03-31 23:00. NOTE: If the duplicate maintenance is not triggered, or daily, weekly, or monthly duplicate retention is configured, the number of retained duplicates may exceed the number of latest duplicates being retained. If the scheduling time period is second, the copy retention policy is automatically executed by the storage device.

Choose Replication Policy tab to set the remote replication rate between storage arrays. Table 3 lists the related parameters.

**Table 3** Replication policies
Replication Policy	Description
Default configuration	The remote replication rate is the default one set on the storage array.
Manual configuration	Users can set the remote replication rate for each time segment. Configure the automatic remote replication rate of the storage based on the pre-set replication rate of time period. Select Manual configuration. Click a time color block to modify the replication rate during a time segment.

Click OK.

Click Next.
Specify Name and Description of the protected group.
- Name: contains 4 to 32 characters, including letters, digits, hyphens (-), and underscores (_), but cannot start with a hyphen (-).
- Description: contains 0 to 255 characters.
When the Backup (NAS) DR technology is used, if you do not want to manually create a recovery plan for the protected group, select Automatically create a recovery plan after creating protected groups at the lower left corner.
Click Finish.
Click OK.

Related Operations

If the protected objects of a protected group or their used storage devices change, on the menu bar, select Resources. Refresh resources or storage devices where the protected objects reside. Then go to the protected group page and refresh protected objects of the protected group by clicking More > Refresh. After the command for refreshing information is sent, you can view details about the command execution in Background Task.

If a recovery plan has been created for a protected group, you can refresh protected objects only when the recovery plan status is Ready or Rollback completed.

To ensure that information about protected groups is refreshed successfully, you must refresh information about storage devices and hosts at both the production site and DR site.

If a snapshot copy is being used by a recovery plan, the snapshot copy cannot be deleted. To delete such a snapshot copy, wait until the recovery plan finishes clearing.