RansomStop Installation for NetApp

NetApp + RansomStop Deployment Runbook

Part 1 - Pre-Call Validation

Complete these checks before the installation call. If all checks pass, the deployment will proceed smoothly.

1. Confirm NetApp Details

Have the following ready:

Item                   Example
----                   -------
NetApp Management IP   172.31.75.148
SVM Name               svm01
Admin Username         fsxadmin
Admin Password         (provided separately)


2. Validate SSH Access to NetApp

From the Windows machine that will run the analyzer:

ssh <username>@<netapp_management_ip>

Expected: Successful login to the ONTAP CLI.



3. Confirm Port 22 Is Open

Test-NetConnection -ComputerName <netapp_management_ip> -Port 22

Expected: TcpTestSucceeded = True



4. Ensure Network/Cloud Firewalls Allow Required Ports

The analyzer automatically creates Windows Firewall rules on startup. However, AWS Security Groups (or other network firewalls) must be configured manually:

Direction          Protocol   Port   Purpose
---------          --------   ----   -------
NetApp → Windows   TCP        6789   FPolicy events
Windows → NetApp   TCP        22     SSH management




5. Prepare the Windows Machine

  • Administrator access is available
  • Machine can reach the NetApp management IP
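The PowerShell script below is an added example, not part of this runbook or of the RansomStop product. It runs the Part 1 checks that can be tested from the Windows analyzer host: administrator rights, TCP 22 reachability, and that whatever answers on port 22 is really an SSH service, verified by reading the server banner without sending any credentials. The parameter names $NetAppIp and $NetAppUser are this example's own; the ports, directions and the Security Group requirement come from the tables above. The NetApp → Windows TCP 6789 rule (check 4) cannot be proven from this host, so the script lists it for manual review in the cloud console.

```powershell
# Added example, not part of the RansomStop runbook: pre-call validation of the
# Part 1 checks that can be tested from the Windows analyzer host.
# Assumptions: $NetAppIp is the NetApp management IP and $NetAppUser the admin
# username from the Part 1 table; SSH port 22 and the FPolicy port 6789 come
# from the runbook. Run this in an elevated PowerShell session.
param(
    [Parameter(Mandatory)] [string] $NetAppIp,
    [Parameter(Mandatory)] [string] $NetAppUser
)

$results = [ordered]@{}

# Check 5: the session must be elevated, or the installer and its firewall rules fail
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
$results['Running as Administrator'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Check 3: TCP 22 is reachable (the runbook's Test-NetConnection line, captured as a value)
$tnc = Test-NetConnection -ComputerName $NetAppIp -Port 22 -WarningAction SilentlyContinue
$results['TCP 22 reachable'] = [bool] $tnc.TcpTestSucceeded

# Check 2, without sending credentials: an SSH server announces itself with an
# "SSH-2.0-..." banner as soon as the TCP connection opens. Reading it proves the
# open port is an SSH service and not an unrelated listener or a proxy.
$banner = ''
if ($results['TCP 22 reachable']) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.ReceiveTimeout = 5000
        $client.Connect($NetAppIp, 22)
        $buf = New-Object byte[] 256
        $n = $client.GetStream().Read($buf, 0, $buf.Length)
        $banner = [Text.Encoding]::ASCII.GetString($buf, 0, $n).Trim()
    } catch {
        $banner = "error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}
$results['SSH banner received'] = $banner.StartsWith('SSH-2.0')

# Check 2 (interactive): confirm the login itself with a read-only ONTAP command.
# This prompts for the admin password; 'version' changes nothing on the cluster.
$results['Interactive login command'] = "ssh $NetAppUser@$NetAppIp version"

# Check 4 cannot be proven from this host: the NetApp -> Windows TCP 6789 rule lives
# in the AWS Security Group (or other network firewall), so it is listed for review.
$results['SG allows NetApp -> Windows TCP 6789'] = 'verify in cloud console'

$results.GetEnumerator() | ForEach-Object { '{0,-42} {1}' -f $_.Key, $_.Value }
if ($banner) { "Banner: $banner" }

# Non-zero exit if any boolean check failed, so the script can gate the install call
$failedCount = @($results.Values | Where-Object { $_ -is [bool] -and -not $_ }).Count
exit ([int] ($failedCount -gt 0))
```

Run it as `.\Test-NetAppPrereqs.ps1 -NetAppIp 172.31.75.148 -NetAppUser fsxadmin` (file name is this example's own). A reachable port 22 that returns no SSH banner usually means a TCP proxy or the wrong host, which is worth knowing before the call rather than during it.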

 

Part 2 - Guided Installation

Step 1: Install the RansomStop Analyzer

  1. Log in to the RansomStop management portal
  2. Navigate to the Versions page
  3. Download the latest Windows analyzer installer
  4. Run the installer as Administrator

The installer registers the analyzer as a Windows service and starts it automatically.


Step 2: Verify the Analyzer Is Running


netstat -an | findstr 6789

Expected: 0.0.0.0:6789 ... LISTENING

If not listening, check that the service is running:

sc query RSAnalyzer
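As an added example, not from the runbook or the RansomStop product, the PowerShell script below performs the Step 2 verification as a single check: service state, a real LISTENING socket on 6789 and which process owns it, the inbound Windows Firewall rule the installer is expected to create, and the private IPv4 address that Step 4 needs for <ANALYZER_IP>. The service name RSAnalyzer and port 6789 come from this page; the rule name 'RansomStop FPolicy' in the suggested fix is this example's own placeholder.

```powershell
# Added example, not part of the RansomStop runbook: post-install health check for
# the analyzer host, covering Step 2 and the first two rows of the Troubleshooting
# table. Assumes the service name RSAnalyzer and listener port 6789 from the
# runbook. Run in an elevated session.
$ServiceName = 'RSAnalyzer'
$Port        = 6789
$problems    = @()

# Step 2: the service must be installed and running (equivalent of sc query RSAnalyzer)
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems += "Service $ServiceName is not installed; re-run the installer as Administrator"
} elseif ($svc.Status -ne 'Running') {
    $problems += "Service $ServiceName is $($svc.Status); fix: Restart-Service $ServiceName"
}

# Step 2: a LISTENING socket on 6789 (netstat -an | findstr 6789, but only real
# listeners, so an outbound connection that happens to use 6789 does not count)
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    $problems += "Nothing is listening on TCP $Port; fix: Restart-Service $ServiceName"
} else {
    # Show the owning process so another service on 6789 is not mistaken for the
    # analyzer, and confirm it binds all interfaces (0.0.0.0) rather than loopback
    $owner = (Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName
    "Listener on $($listener[0].LocalAddress):$Port owned by process '$owner'"
    if ($listener[0].LocalAddress -eq '127.0.0.1') {
        $problems += "Listener is bound to loopback only; NetApp cannot reach it"
    }
}

# Troubleshooting row 2: an enabled inbound allow rule for TCP 6789 must exist
# (the installer creates it; this is the netsh advfirewall check done with objects)
$rule = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
if (-not $rule) {
    # 'RansomStop FPolicy' is a placeholder display name chosen for this example
    $problems += "No enabled inbound allow rule for TCP $Port; fix: New-NetFirewallRule -DisplayName 'RansomStop FPolicy' -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow"
} else {
    "Inbound firewall rule(s): $(($rule.DisplayName | Select-Object -Unique) -join ', ')"
}

# Step 4 helper: the private IPv4 address to give ONTAP as <ANALYZER_IP>
# (ipconfig | findstr IPv4, minus loopback and APIPA addresses)
$ips = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object -ExpandProperty IPAddress
"Candidate <ANALYZER_IP> value(s): $($ips -join ', ')"

if ($problems) {
    'PROBLEMS:'
    $problems | ForEach-Object { " - $_" }
    exit 1
}
'Analyzer host checks passed'
exit 0
```

The same script is a reasonable first step when `vserver fpolicy show-engine` later reports disconnected: it walks the "Analyzer running?" and "Firewall blocking?" rows of the Troubleshooting table before anything is changed on the NetApp side.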

Step 3: Configure the Analyzer in the Portal

  1. In the RansomStop portal, navigate to Analyzers
  2. Create or edit the analyzer for this deployment
  3. Set the following:
     • Name: A descriptive name (e.g., netapp-analyzer)
     • Platform: Linux
     • Site: Standalone
     • Policy: Detect Only
  4. Expand the Inputs section and click the + button
  5. Configure the ONTAP listener:
     • Type: ONTAP
     • Port: 6789
     • Admin IP: The NetApp management IP
     • Admin User: The NetApp admin username
     • Admin Password: The NetApp admin password
  6. Click SAVE



Step 4: Configure FPolicy on NetApp


SSH into the NetApp management interface and run the ONTAP commands below.

First, on the Windows analyzer machine (not in the ONTAP CLI), note the analyzer's private IPv4 address; it is the <ANALYZER_IP> value used below:

ipconfig | findstr IPv4

If FPolicy was previously configured, clean it up first, in this order (ONTAP will not delete an object that is still referenced):

vserver fpolicy disable -vserver <SVM_NAME> -policy-name file_monitor
vserver fpolicy policy scope delete -vserver <SVM_NAME> -policy-name file_monitor
vserver fpolicy policy delete -vserver <SVM_NAME> -policy-name file_monitor
vserver fpolicy policy external-engine delete -vserver <SVM_NAME> -engine-name monitoring-name

Create FPolicy configuration:

vserver fpolicy policy external-engine create \
 -vserver <SVM_NAME> \
 -engine-name monitoring-name \
 -primary-servers <ANALYZER_IP> \
 -port 6789 \
 -extern-engine-type asynchronous \
 -ssl-option no-auth

Check which FPolicy events are available:

vserver fpolicy policy event show -vserver <SVM_NAME>

Create the policy using an existing event name from the output above:

vserver fpolicy policy create \
 -vserver <SVM_NAME> \
 -policy-name file_monitor \
 -events <EVENT_NAME> \
 -engine monitoring-name

Create the scope to monitor all volumes:

vserver fpolicy policy scope create \
 -vserver <SVM_NAME> \
 -policy-name file_monitor \
 -volumes-to-include "*"

Enable the policy:

vserver fpolicy enable \
 -vserver <SVM_NAME> \
 -policy-name file_monitor \
 -sequence-number 10

Step 5: Validate the Connection

vserver fpolicy show-engine -vserver <SVM_NAME>

Expected: The analyzer IP shows with status connected. There will be one entry per NetApp node (typically 2).

If it shows disconnected, see Troubleshooting below.

Step 6: Functional Test

  1. From a client machine, open a CIFS/SMB mapped drive on the NetApp share
  2. Create, rename, or modify a file
  3. In the RansomStop portal, navigate to Alerts or Logs
  4. Confirm the file operation event appears

Troubleshooting

FPolicy shows “disconnected”

Check                    Command                                                               Fix
-----                    -------                                                               ---
Analyzer running?        netstat -an | findstr 6789                                            Restart the RSAnalyzer service
Firewall blocking?       netsh advfirewall firewall show rule name=all dir=in | findstr 6789   Add inbound rule for TCP 6789
Analyzer IP in engine?   vserver fpolicy policy external-engine show -vserver <SVM_NAME>       Modify engine to add the correct IP
Stale connection?        Status stays “disconnected” after all above checks pass               Toggle the policy (disable then enable)

Toggle FPolicy to force reconnection

vserver fpolicy disable -vserver <SVM_NAME> -policy-name file_monitor
vserver fpolicy enable -vserver <SVM_NAME> -policy-name file_monitor -sequence-number 10

Cannot delete FPolicy engine

FPolicy objects must be deleted in order:

1. Disable the policy
2. Delete the scope
3. Delete the policy
4. Delete the engine


Engine create fails with “ssl-option is required”

Add -ssl-option no-auth to the external-engine create command.

Final Outcome

  • RansomStop Analyzer installed and running as a Windows service
  • NetApp FPolicy connected to the analyzer
  • File operation events flowing to RansomStop
  • Detection validated with a test file operation

