Using EV 11 and FSA/SB against OnTap 8 7-mode. All the documentation for file system blocking talks about adding volumes and configuring blocking against volumes. In actual fact, it appears that you do not add volumes at all; you add shares in relation to file system blocking. My query is how the logic works when you define different policies against different shares that reside on the same volume. For example, consider this:
- Volume hosting shares is /vol/vol1
- Share 1: share_1 and resides on /vol/vol1/ and policy blocks *.pst with no folder exceptions
- Share 2: share_2 and resides on /vol/vol1/subfolder1/ and policy blocks *.mp3 with no folder exceptions
So, essentially I can reach the folder subfolder1 via two UNC paths. Now, see the results of some basic testing:
- Copy a .pst to \\myfiler\share_1 - blocked
- Copy a .mp3 to \\myfiler\share_1 - allowed
- Copy a .pst to \\myfiler\share_2 - allowed
- Copy a .mp3 to \\myfiler\share_2 - blocked
This is expected. Now this:
- Copy a .pst to \\myfiler\share_1\subfolder1 - blocked
So, it seems like in the case of a nested share, the more specific path and the policy attached to it applies. My question though is: where is this documented? We have many nested shares residing on the same volume, so things could get messy. I would have assumed that the policy/volume was matched based on the UNC accessed, but that appears to not be the case. Is this the way NetApp passes the file screening request, i.e. it passes the absolute volume path to the screening server rather than the share path, and hence the more specific policy applies?