Veritas Flex Appliance Getting Started and Administration Guide
- Product overview
- Release notes
- Flex Appliance 4.0 new features, enhancements, and changes
- Flex Appliance 4.1 new features, enhancements, and changes
- Flex Appliance 4.2 new features, enhancements, and changes
- Supported update paths to this release
- Operational notes
- Flex Appliance 4.0 release content
- Flex Appliance 4.1 release content
- Flex Appliance 4.2 release content
- Getting started
- Managing network settings for instances
- Managing users
- Overview of the Flex Appliance default users
- Managing Flex Appliance Console users and tenants
- Adding a tenant
- Editing a tenant
- Removing a tenant
- Adding a local user to the Flex Appliance Console
- Connecting a remote user domain to the Flex Appliance Console
- Editing a remote user domain in the Flex Appliance Console
- Importing a remote user or user group to the Flex Appliance Console
- Managing single sign-on (SSO)
- Managing identity providers (IDPs)
- Importing a single sign-on user or user group to the Flex Appliance Console
- Managing user authentication with smart cards or digital certificates
- Changing a local user password in the Flex Appliance Console
- Expiring local user passwords in the Flex Appliance Console
- Unlocking a user account in the Flex Appliance Console
- Removing users from the Flex Appliance Console
- Changing the password policy
- Changing the hostadmin user password in the Flex Appliance Shell
- Changing the sysadmin user password in the Veritas Remote Management Interface
- Managing multifactor authentication
- Using Flex Appliance
- Managing the repository
- Creating application instances
- Managing application instances from Flex Appliance and NetBackup
- Managing application instances from Flex Appliance
- Resizing instance storage
- Editing instance network settings
- Assigning Fibre Channel ports to an instance
- Unassigning Fibre Channel ports from an instance
- Managing application add-ons on instances
- Viewing instance performance metrics
- Clearing a configuration error status on an application instance
- Deleting an application instance
- Upgrading application instances
- Updating an application instance to a newer revision
- About Flex Appliance updates
- Remote replication
- About remote replication
- Pairing appliances for remote replication
- Creating a replica
- Managing remote replication
- Remote replication best practices
- Monitoring remote replication
- Editing the replication network
- Repairing a lost connection between paired appliances
- Pausing and resuming replication
- Resolving discrepancies between an active and a replica instance
- Changing the replication role of an instance
- Unlinking active and replica instances
- Forgetting a paired appliance
- Appliance security
- Monitoring the appliance
- Registering an appliance
- Configuring alerts
- Monitoring the appliance from the System Health Insights portal
- Viewing the hardware status
- Viewing hardware faults
- Viewing system data
- Clearing the hardware status
- Forwarding logs
- Providing access for external monitoring
- Revoking access for external monitoring
- Reconfiguring the appliance
- Reconfiguring the appliance network
- Changing DNS or Hosts file settings
- Shutting down the appliance
- Performing a factory reset
- Performing a reimage
- Recovering storage data after a factory reset or a reimage
- Performing a storage reset
- Removing a node
- Viewing or resetting the storage shelf order on a Veritas 52xx Appliance
- Troubleshooting guidelines
About lockdown mode
Flex Appliance lockdown mode offers additional security levels to protect your appliance and data, in addition to the hardened, secure operating environment that comes out of the box.
Lockdown mode provides the following benefits:
It prevents unauthorized access or modification to the underlying operating system (OS). Once lockdown mode is enabled, administrators cannot make changes to the OS or the internal components.
If you need access to the OS for emergency operations, an access key is required to temporarily unlock the appliance. This functionality prevents unauthorized changes even if a malicious actor gained access to stolen credentials.
It includes the option to create WORM storage instances that prevent your data from being encrypted, modified, or deleted. WORM is the acronym for Write Once Read Many. Any data that is saved on these instances is protected with the following security measures:
Immutability
This protection ensures that the backup image is read-only and cannot be modified, corrupted, or encrypted after backup.
Indelibility
This property protects the backup image from being deleted before it expires. The data is protected from malicious deletion.
Flex Appliance includes the following lockdown modes:
Normal mode
This mode is the default mode of the appliance. Normal mode does not support WORM storage.
Enterprise mode
This mode adds additional access restrictions but retains a level of flexibility. In this mode:
You can create WORM storage instances.
If needed, the application administrator can disable the retention lock on backup images so that they can be expired before the specified retention date.
Users with the administrator role can delete the instances only if no data is present. If the instance is on WORM storage server version 19.0 or later, the application administrator must approve the deletion beforehand.
If the instance is on WORM storage server version 19.0.1 or later, security administrators can delete the instances only if no data is present. The application administrator must approve the deletion beforehand.
If the instance is on WORM storage server version 19.0 or earlier, security administrators can delete the instance if data is present. The application administrator does not need to approve the deletion beforehand.
To change from enterprise mode to normal mode, you must first delete all WORM storage instances.
Compliance mode
This mode adds the highest level of access restrictions. In this mode:
You can create WORM storage instances.
The retention lock on backup images cannot be disabled before the specified retention date.
You can delete the instances only if no data is present. If the instance is on WORM storage server version 19.0 or later, the application administrator must approve the deletion beforehand.
To change from compliance mode to enterprise mode or normal mode, you must first wait for all data on the WORM storage instances to expire and then delete the instances.
In both enterprise mode and compliance mode, storage reset is disabled.
Veritas strongly recommends that you enable enterprise lockdown mode to prevent unauthorized access to the OS, even if you do not plan to create WORM storage instances.
Warning:
Lockdown mode does not block access to the remote management (IPMI) port. Veritas recommends that you set up your network to restrict access and only allow security administrators or the users that manage the physical hardware to use the port.
The appliance must be in lockdown mode before you can create WORM storage instances. See Changing the lockdown mode.
For more information on creating and managing WORM storage instances, see the NetBackup Application Guide for Flex Appliance.