Using IBM Storage Defender CDM for FC-based ransomware scanning in a VMware environment
Anyone using IBM Storage Defender CDM is no stranger to its orchestration capabilities. Earlier this year, CDM added support for VMware scanning using IBM Storage Defender Sentinel. This feature requires the IE host to be identified as a physical host.
Sounds a little oxymoronic... Scanning a virtual environment requires physical infrastructure?
Right, but fret not. CDM solves this in a unique way. When you map the storage directly to a VM, CDM treats the VM as a physical host. This mapping can be iSCSI-based or FC-based.
That said, deviating from the default iSCSI-based option to FC-based scanning raises questions about how to use FC effectively.
How the infrastructure is set up is beyond the control of CDM; how the FC adapters are configured and zoned is entirely controlled by administrators. While we do not want to overstep any authority, with this blog we attempt to provide a conceptual understanding of the requirements.
Figure 1 explains how the setup can be visualized.
How will CDM perform scanning of VMware volumes?
At this point it is assumed that you have defined a VMware vCenter provider in CDM and are able to discover the VMs and datastores. Alongside this, an IBM Storage Virtualize provider needs to be registered so that its volumes are seen by CDM. For scanning, we also need to register a Sentinel scan server.
It is important to understand that Sentinel by default provides an iSCSI package and relies on storage mapping using the iSCSI initiator. The iSCSI configuration is extremely lightweight and hence favoured for mapping the storage LUNs to the Sentinel host.
So when the requirement is to use FC for scanning, the following prerequisites must be met.
- Unused FC adapter
- Downtime, as a reboot of the ESXi host is required after configuring passthrough.
- Downtime, as the VM configuration needs to be edited to add the PCI device.
Here are the configuration steps.
- Enable passthrough on a Fibre Channel PCI device (datacenter >> ESXi host >> configure >> hardware >> PCI devices >> toggle passthrough) **The ESXi host requires a reboot after toggling the passthrough**
- Add the PCI device to the IE VM (VM >> edit >> add new device >> PCI device, choose PCI device) **The VM must be powered off to add the PCI device**
- Identify the WWPN of the adapter recognised as PCI FC device. Sample commands are shown here to identify the WWPN on RHEL 9 OS.
```
[root@VM-RHEL9 ]# lspci | grep Fibre
13:00.0 Fibre Channel: Emulex Corporation LPe31000/LPe32000 Series 16Gb/32Gb Fibre Channel Adapter (rev 01)
[root@VM-RHEL9 ]# ls -l /sys/class/fc_host
total 0
lrwxrwxrwx. 1 root root 0 Nov 25 13:05 host33 -> ../../devices/pci0000:00/0000:00:17.0/0000:13:00.0/host33/fc_host/host33
[root@VM-RHEL9 ]# cat /sys/class/fc_host/host33/port_name
0x100000109bd452ba
```
- Define SAN zoning with the WWPN of the IE VM FC adapter and the FC adapter on the FlashSystem.
- Define the VM as an FC host in the FlashSystem.
At this point the IE VM is ready to receive the LUNs from FlashSystem over FC connectivity.
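The WWPN lookup from the steps above can be scripted so the value that goes into zoning and the FlashSystem host definition is checked rather than retyped. This is an added example, not code from IBM or the CDM product; the function names are hypothetical, and it assumes the standard Linux `fc_host` sysfs attributes `port_name` and `port_state`.

```shell
#!/bin/sh
# Added example: list FC ports visible inside the IE VM with the WWPN in the
# colon-separated form typically used in zoning and storage host definitions.

# format_wwpn 0x100000109bd452ba -> 10:00:00:10:9b:d4:52:ba
format_wwpn() {
    local hex="${1#0x}"
    # A WWPN is 64 bits, so exactly 16 hex digits; reject anything else.
    case "$hex" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#hex}" -eq 16 ] || return 1
    echo "$hex" | tr 'A-F' 'a-f' | sed 's/../&:/g; s/:$//'
}

# list_fc_ports [SYSFS_DIR]
# Prints one line per port: <host> <wwpn> <port_state> <pci_address>
list_fc_ports() {
    local root="${1:-/sys/class/fc_host}" h name wwpn state pci
    if [ ! -d "$root" ]; then
        echo "no fc_host entries under $root (is PCI passthrough active?)" >&2
        return 2
    fi
    for h in "$root"/host*; do
        [ -r "$h/port_name" ] || continue
        name=$(basename "$h")
        wwpn=$(format_wwpn "$(cat "$h/port_name")") || {
            echo "$name: malformed port_name, skipping" >&2
            continue
        }
        # port_state shows whether the link is up (e.g. Online) before zoning.
        state=$(cat "$h/port_state" 2>/dev/null || echo unknown)
        # The sysfs symlink target embeds the PCI address of the adapter;
        # the last match is the device itself (compare with lspci output).
        pci=$(readlink -f "$h" |
              grep -oE '[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f]' | tail -n 1)
        echo "$name $wwpn $state ${pci:-unknown}"
    done
}

# Usage: source this file on the IE VM, then run: list_fc_ports
```

Comparing the reported PCI address with the `lspci` output confirms that the WWPN being zoned belongs to the passed-through adapter and not to another HBA.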
Running the CDM job performs a restore of the snapshot, maps the restored LUNs to the IE host using the FC configuration, and triggers the scanning. All these actions can be seen in the Job log window.
That's all folks.
Happy FC scanning with CDM.
Disclaimer: The instructions provided here are for informational purposes only. Before making any specific changes in your environment, contact IBM support and get your configuration / use case validated.
Authors:
Akash Kushwah (Software engineer - IBM Defender Copy Data Management)
Shashank Shingornikar (Solution engineer)