Home NAS Protect NAS

Protect NAS
4 January 2024 21 min read

NAS Protection Group captures snapshots and these snapshots are required for the following tasks:

Recover volumes

Replicate snapshots

Archive snapshots

Files and folders recovery (CloudArchive Direct)

Note:

Cohesity recommends a first full and incremental forever backup approach to back up your NAS sources.

NAS backup and restore do not support Junction points and ADS (Alternate Data Stream).

Before you begin

When you create a Protection Group, you can select an existing source, policy, or storage domain. You can also create them while creating
the Protection Group. However, you might find it easier to create them prior to creating the Protection Group, as described in the following
topics.

Register or Edit NAS

Create or Edit a Standard Policy

Create or Edit Storage Domains

Create a Protection Group for NAS Volumes

1. Navigate to Data Protection > Protection and do one of the following:

To create a Protection Group—Click Protect on the top-right of the page and then select the type of Protection Group.

To edit a Protection Group—Click the action icon ( ) next to the Protection Group and select Edit.

2. If creating a new Protection Group, select Protect > NAS.

3. In the New Protection pop-up, do one of the following:

Protect the NAS volumes database by specifying a subset of options such as objects, protection group and policy by clicking the edit
icon corresponding to the following options:

i. Add Objects: Select the registered NAS source or click Register Source to register a NAS source. From the Objects list, select the
volumes you want to back up.

ii. Protection Group: Specify a name for the Protection Group.

iii. Policy: Select an existing policy or click Create Policy to create a new protection policy.

iv. Storage Domain: Select the appropriate storage domain.

Note:

This option is visible on the New Protection pop-up only if there are more than one storage domain.

v. Click Protect.

To protect NAS volumes by specifying all the options, click More Options.

4. Click Add Objects and from the Registered Source drop-down list, select the NAS source that contains the volumes you want to back up.
You can also register a new source with the Cohesity cluster so you can protect it
 You can also register a new source with the Cohesity cluster so you can protect it.

5. From the Objects list, select the volumes to back up. You can select volumes that are of NFS exports, SMB shares or the volumes that are
exposed to both NFS and SMB protocols (mixed volumes). By default, all volumes in the source are excluded as indicated by the
unselected check box. Select the volumes you want to include in the Protection Group. A selected check box ( ) indicates the volume is
selected to be backed up.

If appropriate for your organization, enable Auto Protect.

You can optionally filter the volumes displayed.

The graphical representations are described below.

6. Select the backup preference mode of the volume you want to backup.

7. Click Continue to save and go back to New Protection page.

8. Protection Group: Enter a name for the Protection Group. The name can contain alphanumeric characters, underscores, dashes and
periods. This field is required.

9. Policy: Select an existing protection policy or create a new one by selecting New Policy.

10. Storage Domain: Select an existing storage domain or create a new one by selecting New Storage Domain.

11. If you want to change or configure any of the additional settings , then select More Options and perform the below steps or else, Click
Protect.

12. Optionally, from the Protection Group field, you can select an existing Protection Group settings for this Protection Group by enabling
Existing Group, and then by selecting an existing Protection Group from the Group drop-down list.

13. Start Time: Indicates when the Protection Group should run. The current time is displayed by default but you can change it. Enter the hour
and minutes or use the up and down arrows on your keyboard. Verify the AM or PM setting.
The default time zone is the browser's time zone. You can change the time zone by selecting a different time zone.

14. End Date: Optional. Toggle on and select the date when the Protection Group stops capturing snapshots. A protection run that starts prior
to this date runs until completion even if it completes after this date.

15. QoS Policy: Select an appropriate quality of service (QoS) policy.

Note:

Cohesity recommends specifying Backup HDD, which is the default.

Backup HDD: The Cohesity cluster writes the data directly to an HDD drive for this Protection Group.

Backup SSD: The Cohesity cluster writes the data directly to an SSD drive for this Protection Group. Only specify this policy if you
need fast ingest speed for a small number of Protection Groups.

Backup Auto: (Applicable only for Cohesity C6000 series) The Cohesity cluster writes the data to both SSDs and HDDs. The
distribution of data will be based on the current usage of SSD and HDD. This policy tries to achieve similar backup performance as the
Backup SSD policy and reduces the SSD wear-out compared to the Backup SSD policy.

TestAndDev High: The Cohesity cluster writes the data to an SSD drive for this Protection Group. The I/Os with this QoS policy are
given higher priority compared to other QoS policies. Use this policy for workloads that require lower I/O latency.

16. Pre & Post Scripts: Toggle Enable to run scripts on a Unix server before and/or after a Protection Group runs. If configured, scripts are run
every time an object (or entity) is backed by a protection run. For example if there are five mount/shares that are backed up as part of the
NAS Protection Group and the Pre Script is configured, then five instances of the Pre Script is executed in parallel. You can distinguish
between the scripts that are run on the different objects (entities) using the COHESITY_BACKUP_ENTITY environment variable. The Cohesity
cluster populates this environment variable with the name of the backed object (or entity).

Note:

The specified Unix server does not need to be attached to the NAS target, it just needs to be a Linux VM or machine that can
either invoke APIs on or ssh in to a NAS target.

Configure the settings for running the Pre and Post scripts.

17. Skip Files on Errors: Toggled on by default. The Protection Group continues to run even if it encounters errors on files, such as
permissions errors. If files are skipped, the protection run details page indicates a warning status and provides additional information. If
toggled off, the Protection Group stops when it encounters an error.
18. Encryption: Toggle on this option to enable in-flight encryption of data traffic between the Cohesity cluster and external NAS source while
backing up NFS AND SMB Volumes. This option is disabled by default.

Note:

Encrypting in-flight data will have a minor impact on the performance. To use the encryption functionality for NFS volumes,
you must join the Cohesity cluster to the active directory as the Kerberos server or add the Kerberos provider in the Cohesity
cluster Access Management section.

19. File DataLock: Toggle on this option to preserve the AccessTime of the files and folders of the selected volumes. The AccessTime provides
the lock period of the files and folders that are applied when these files and folders are recovered to the Cohesity View. For more
information on File DataLock, see NAS File DataLock.
Select one of the following DataLock modes:

Compliance: In this mode, files and folders cannot be deleted or modified during the retntion period. After the lock expires, no user
can modify the files folder. However, a root user can delete the files and folders. Only a user with Data Security role can edit the File
DataLock settings in the Compliance mode.

Enterprise: In this mode, files and folders cannot be modified by any user before or after the lock retention period expiration.
However, a root user can delete the files and folders before or after the lock retention period. An admin user or a user with a Data
Security role can edit the File DataLock settings in the Enterprise mode. This mode is useful for giving storage administrators
additional control over the file.

You can further configure the File DataLock settings to:

Set the lock period for the new files and folders created on the recovered Cohesity View

Override the locking period of the existing files and folders recovered on the Cohesity View:

Note:

You cannot enable or disable File DataLock once the Protection Group is created.

If you have disabled File DataLock while creating a Protection Group, then when you edit this Protection Group, the File
DataLock option will not be displayed.

You can delete Protection Groups and snapshots having File DataLock enabled.
File DataLock also preserves the ATimes of the hardlinks and symlinks.

20. Filter IPs: Enable this option to filter the IP addresses of the NAS source. By filtering IP addresses, you can restrict the communication of
Cohesity cluster to specific IP addresses or subnets of the NAS source.
To filter the IP addresses of the NAS source, select one of the following options:

Allow IPs: Select this option and specify the IP addresses of the NAS source through which the communication to Cohesity cluster
must happen. You can provide the IP addresses in a comma-separated list or in a CIDR format.

Deny IPs: Select this option and specify the IP addresses of the NAS source through which the communication to Cohesity cluster
must not happen. You can provide the IP addresses in a comma-separated list or in a CIDR format.

Note:

This option does not apply to the NAS Generic Mount Point Protection Group creation.

If you have specified the IP filtering at the source-level also, then the IP filtering specified at the Protection Group-level
will take precedence over the IP filtering specified at the source-level.

21. Exclusions and Inclusions: Everything is included by default. Toggle on Exclusions and Inclusions if you want to exclude or include
locations. By creating exclusion and inclusion rules, you can limit the Protection Group to a specific set of files and directories and
therefore minimize the disk space used to store the data.

Note:

To add an exclusion or inclusion, you must prefix a forward slash (‘/’) or suffix an asterisk (‘*’) to the path or to a particular file
within the protected object. For example, ‘/test’ or ‘*.txt’.

Add Inclusion: Click to include a particular path or a particular file within the protected object.
For example, consider four directories - test, test1, test2, and test3 under the protected object with path /ifs/TestShare1/Folder1. The
table below lists the input types for an inclusion list of folders and their respective outcome:

Input Outcome

/ Everything inside the protection path is backed up, if exclusions are not defined.

/test When inclusion path is not suffixed by '/', Protection Group will include all folders starting from protection path.

In this example, /test will behave as /test* and Protection Group will include 'test', 'test1', 'test2’, and 'test3' from protection path
for backup.

/test/ When inclusion path is suffixed by '/' , it will only include specific folder.

In this example, /test/ behaves as /test/* and Protection Group will only include 'test' from protection path for backup.

Note:

Do not provide the folder name along with the backup path while including files and folders for a Protection Group. The
backup path is considered by default. For example, /ifs/TestShare1/Folder1/test does not include any folder.

If exclusions are defined, they will take precedence over inclusions.

Add Exclusion: Click to exclude a particular path or a particular file within the protected object. You can also specify regular expressions
for excluding files in the format regex:<regex pattern>
For example, consider there are three directories-Test, Test1, and Folder1 and a file, TestFile.tmp under the protected object with path
/ifs/TestShare1.

Test1 folder has TestFile1.tmp, TestFile2.tmp files.

Folder1 folder has TestFile3.tmp, TestFile4.tmp files, and SubFolder1 which further has a Test folder with File.txt, File1.txt files in it.

The following figure illustrates the directory structure under the protected object with path /ifs/TestShare1.

The table below lists the input types for an exclusion list of folders and their respective outcome:

Input Description Outcome

/Test When the exclusion path is not suffixed by a '/', the Protection Excludes Test and Test1 folders, and
Group will exclude all files and folders with Test as the prefix . For TestFile1.tmp file from the protection path.
exclusions, /Test behaves as /Test*.
TestFile3.tmp and TestFile4.tmp files in the
Note: Folder1 folder will not be excluded.

Exclusion will not be effective on the sub-directory level.

/Test/ When the exclusion path is suffixed by '/' , the Protection Group Excludes the Test folder of the parent directory.
excludes only the files and folders with the name Test. For
exclusions, /Test/ behaves as /Test/*. The Test sub-folder in /Folder1/SubFolder1 will
not be excluded.
Note:

Exclusion will not be effective on the sub-directory level.

*/Test Excludes all the files and directories with the name 'Test'. Excludes the Test folder of the parent directory
and the Test sub-folder in /Folder1/SubFolder1.
Note:

Exclusion will be effective on all levels of sub-

directories.
 *.tmp Excludes all the files that with ‘.tmp’. Excludes TestFile.tmp, TestFile1.tmp,
TestFile2.tmp, TestFile3.tmp, TestFile4.tmp files.
Note:

Exclusion will be effective on all levels of sub-

directories.

regex:.*\.tmp Excludes the files and folders with ‘.tmp’. Excludes TestFile.tmp, TestFile1.tmp,
TestFile2.tmp, TestFile3.tmp, TestFile4.tmp files.
Note:

Exclusion will be effective on all levels of sub-

directories.

regex:/Folder1/.*/Test/.*\.txt$ Excludes all files with .txt extension from all the Test folders Excludes File.txt and File1.txt files in the
directory in /Folder1/. /Folder1/SubFolder/Test folder.

Note:

Do not provide the folder name along with the backup path while excluding files and folders for a Protection Group. The
backup path is considered by default. For example, /ifs/TestShare1/Folder1/test does not exclude any folder.

Cohesity automatically excludes the following NetApp system files:

.vtoc_internal and .bplusvtoc_internal files

.copy-offload directory and .tokens file

22. Indexing: Toggle on this option to index the data of the Protection Group. Indexing improves files and folders search.
Cohesity performs incremental indexing where only the data that has changed since the previous snapshot is scanned and indexed.

You can add custom indexing rules.

23. Quiet Time: This option is available only if the selected policy has at least one quiet time period. Toggle the Stop in-progress runs when
quiet time starts option to pause or abort the runs during quiet time. If this option is toggled off, after a protection run starts, execution
continues even when the quiet time period specified for this Protection Group starts. However, a new protection run will not start during a
quiet time period.

Pause Runs - Select this option to pause the currently executing protection runs and resume the runs when quiet time ends.

Abort Runs - Select this option to abort the currently executing protection runs when the quiet time period specified for the
Protection Group starts.

Note:

If the quiet time window for multiple protection runs is scheduled at the same time, then when the protection run is
resumed, prioritization of the protection run does not work

24. Alerts: Optional. Select one or more of the following settings if you want alerts to be created for the following triggers:

Success: Create an informational alert when a Protection Group completes successfully. Emails are not sent when informational alerts
are created.

Failure: Create a critical alert if the Protection Group fails to complete. Emails are sent when critical alerts are created.

SLA Violation: Create a warning alert if the Protection Group takes longer than the time period specified in the SLA field. Emails are
sent when warning alerts are created.

For more information, see Alerts.

25. Priority: Select a priority for the Protection Group execution. Cohesity supports concurrent backups, but if the number of Protection
Groups exceeds the ability to process them, those with High priority are given the highest priority to execute, Medium the second-highest
priority, and Low the lowest priority.

26. Email Recipients: You can add email addresses to a Protection Group to notify the email recipients when alerts are triggered for the
Protection Group.

Note:
 The connection to the SMTP Server must be enabled to send email notification. You can enable the SMTP Server connection in
the configuration settings page ( Cohesity UI > Settings > Summary > Configure > Enable SMTP Server).

27. SLA: The service-level agreement (SLA) defines the expected time to complete either a full backup or incremental backup. The backup
completion time depends on the Windows volume size on AD, objects changed between incremental backups, network speed, and other
Protection Groups running on the Cohesity cluster.

Incremental: Enter the number of minutes you expect an incremental protection run to complete. An incremental backup captures
only the differences (changed blocks) since the last protection run.

Full: Enter the number of minutes you expect a full backup protection run to complete. A full backup captures the entire object (all
blocks).

28. Description: Optional. Click the plus sign and enter a description for the Protection Group.

29. Click Protect.

The Protection page is displayed and includes the new Protection Group.