Skip to main content
Skip table of contents

Amazon FSx for NetApp ONTAP Prerequisites

Last Updated08 May 2025
  1. ONTAP Version Requirements:
    1. For SMB workloads, the minimum required version of Amazon FSx for NetApp ONTAP (FSxN) is v9.11.
    2. For NFS and multi-protocol workloads, the minimum required version of Amazon FSx for NetApp ONTAP (FSxN) is v9.11.  PeerSync is not supported for NFS or multi-protocol workloads.

  2. Any server that will be interfacing with an FSxN Storage Virtual Machine (SVM) with the Peer Agent or PeerSync must reside within the same domain, same network segment, and same subnet as the SVM.  Additionally, the network connection between the SVM and the Agent or PeerSync must operate at speeds of at least 1 Gbit/sec with sub-millisecond latency.

  3. Time Synchronization:  The server hosting the Peer Agent or PeerSync as well as the FSxN SVM must synchronize their system clocks with the same private or public Network Time Protocol (NTP) service.  If you are using virtual machines, ensure that time synchronization between the VM and the hypervisor host is disabled to ensure that the VMs rely solely on NTP for timekeeping.

  4. Server OS Version Requirements:
    1. For SMB workloads, the minimum version of Windows required for FPolicy support with the Peer Agent or PeerSync is Windows Server 2016.
    2. For NFS and multi-protocol workloads, the Peer Agent must be installed on Ubuntu Server 22.04 operating system or later, Red Hat Enterprise Linux v9.x or later or Rocky Linux v9.x or later.  PeerSync is not supported for NFS or multi-protocol workloads.

  5. SMB Multichannel Requirement for SMB and multi-protocol workloads: SMB Multichannel support must be disabled on the SVM.

    CODE 
    set -priv diag
cifs options modify -vserver <SVM Name> -is-multichannel-enabled false

    All SMB client connections to the SVM must be reset once this change is made on the SVM.

  6. NFS Protocol Version Requirements:  If using ONTAP v9.14 or earlier, clients must exclusively use NFSv3.0 or NFSv4.0 for accessing data.  If running ONTAP v9.15 or newer, clients may also use NFSv4.1.  NFSv4.2, and pNFS are not supported by FPolicy.

  7. The FPolicy Server hosting the Peer Agent or PeerSync can only work with a single SVM at a time.

  8. No other FPolicy or VSCAN products from Peer Software or any other vendor can be run on the FPolicy Server hosting the Peer Agent or PeerSync.  In addition, no other Peer Software products can be run on this server (such as Peer Management Center or Peer Management Broker).

  9. Privileges and Permissions for SMB Workloads:

    1. CIFS Permissions:  The service account for the Peer Agent or PeerSync must be a member of the Local Admin Group on the SVM.  To add the service account <Domain User Name> (in the format "DOMAIN\USERNAME") to the Local Admin Group of SVM <SVM Name>, run the following ONTAP command from the cluster context: 

      CODE 
      vserver cifs users-and-groups local-group add-members -vserver <SVM Name> -group-name BUILTIN\Administrators -member-names <Domain User Name>

    2. CIFS Privileges:  To properly query and set DACLs, SACLs, owner and/or group configurations on files and folders, the service account for the Peer Agent or PeerSync must be granted special privileges.  To grant these privileges to the account <Domain User Name> (in the format "DOMAIN\USERNAME") on SVM <SVM Name>, use the following ONTAP command from the cluster context:

      CODE 
      vserver cifs users-and-groups privilege add-privilege -vserver <SVM Name> -user-or-group-name <Domain User Name> -privileges SeBackupPrivilege,SeRestorePrivilege,SeSecurityPrivilege,SeTakeOwnershipPrivilege,SeTcbPrivilege
  10. Privileges and Permissions for NFS Workloads:  The Peer Agent server IP needs to be granted superuser access in the export policies for any volumes that this Agent will be monitoring, as well as the parents of these volumes in the SVM's namespace.

  11. Privileges and Permissions for Multi-Protocol Workloads:

    1. CIFS Permissions:  When replicating Windows-style permissions, the domain account used by the Samba connection of the Peer Agent must be a member of the Local Admin Group on the SVM.  To add the service account <Domain User Name> (in the format "DOMAIN\USERNAME") to the Local Admin Group of SVM <SVM Name>, run the following ONTAP command from the cluster context: 

      CODE 
      vserver cifs users-and-groups local-group add-members -vserver <SVM Name> -group-name BUILTIN\Administrators -member-names <Domain User Name>

    2. CIFS Privileges:  When replicating Windows-style permissions, the domain account used by the Samba connection of the Peer Agent must be granted special privileges.  These privileges allow the Agent to properly query and set DACLs, owner and/or group configurations on files and folders.  To grant these privileges to the account <Domain User Name> (in the format "DOMAIN\USERNAME") on SVM <SVM Name>, use the following ONTAP command from the cluster context:

      CODE 
      vserver cifs users-and-groups privilege add-privilege -vserver <SVM Name> -user-or-group-name <Domain User Name> -privileges SeBackupPrivilege,SeRestorePrivilege,SeSecurityPrivilege,SeTakeOwnershipPrivilege,SeTcbPrivilege
    3. Export Privileges:  The Peer Agent server IP needs to be granted superuser access in the export policies for any volumes that this Agent will be monitoring, as well as the parents of these volumes in the SVM's namespace.

  12. API Permissions:  Peer Agent and PeerSync must both be configured with an account on the SVM that has been granted ONTAPI access.  It is recommended that this be a dedicated local account on the associated SVM just for the use of Peer products.  The following ONTAP commands can be executed from the cluster context to create a local account <User Name> with appropriate ONTAP API access on SVM <SVM Name>.

    If you are running PeerGFS v5.2 and above, a new REST-based API model is in place. HTTP support is required for the user account.  You can create this account using the following command:

    CODE 
    security login create -vserver <SVM Name> -username <User Name> -application http -authmethod password -role vsadmin

    If you need to use a domain account with the NetApp API, use the following command:

    CODE 
    security login create -vserver <SVM Name> -username <Domain>\<User Name> -application http -authmethod domain -role vsadmin

    Note:  The username and password of this account must be entered into each Peer product as part of the configuration process.

  13. No active firewalls (software or hardware) should be enabled between the server hosting Peer Agent or PeerSync and the SVM.



JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close