Panzura Admin Guidedocs.panzura.com/6.3/AdminHelp/baggage/PanzuraAdminGuide.pdf · Tivoli TSM support for multi‐site backup, recovery and archive SNMPv3 ... Opportunistic caching

TM

Panzura Storage ControllerAdministration GuideRelease 6.3July 2017

Copyright© 2017 Panzura, Inc.

All rights reserved. The information in this manual is subject to change without notice.

Originated in the USA. Any other trademarks appearing in this guide are the property of their respective companies.

8/15/2017

695 Campbell Technology ParkwaySuite 225Campbell, CA [email protected]‐855‐PANZURA (1‐855‐726‐9872)+1 (408) 578‐8888

www.panzura.com

Panzura Storage Controller | Administration Guide 2

Panzur

Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Panzura Storage Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Panzura Storage Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Controller Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Description of Key Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Panzura Unified Namespace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10File Locking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Snapshots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Data Locality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Extended File System ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Scale‐out Global Deduplication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Intelligent Read/Write Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Enhanced Cloud Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Intelligent Symantec NetBackup Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12DR Cloud Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1210GbE and 1GbE NIC Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Enterprise AntiVirus Plugin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Configuring the Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Accessing the Web UI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Navigating the Web UI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

2 Deployment — The First 72 Hours . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Panzura Controllers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Master and Subordinate Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Local and Remote Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Understanding CloudFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Deploying Panzura CloudFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Basic Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

System (Basic). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Encryption and Certificates (Basic) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41CloudFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Active Directory (Basic) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

a Storage Controller | Administration Guide 3

Contents

Dynamic Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50NFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50SMB (Basic) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Snapshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55License Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58File Access Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60Enterprise AntiVirus Plugin Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Advanced Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65System (Advanced) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65NIC Teaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67KMIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Encryption and Certificates (Advanced). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Active Directory (Advanced) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78SMB (Advanced). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Snapshot Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Cache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Data Locality Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86Bandwidth Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

4 CloudFS Map View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100Using the CloudFS UI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

CloudFS UI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Google map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Determining the location of a controller on the map. . . . . . . . . . . . . . . . . . . . . . . . . . . . 102History bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Information windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104Heat maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Site to site connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106Monitoring details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108


Contents

5 Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118SMB Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122SMB Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124Secure Erase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124CIoudFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125CloudFS File Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Cloud Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129NFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132Master Snapshot. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132ICAP Un‐Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133Cloud Delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Image Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139Advanced. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Decommission a Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

6 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144About Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Events in Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144Creating Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

A Configuring Service Provider Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

B Windows Users and Files that Are Slow to Open . . . . . . . . . . . . . . . . . . . . . . . . . . 153

C Creating A Microsoft Azure Storage Container . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

D Creating an IBM Cloud Object Storage Container . . . . . . . . . . . . . . . . . . . . . . . . . 158

E Disk Expansion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

F File Access Auditing Support for SMB and NFS Clients . . . . . . . . . . . . . . . . . . . . . 163

G Best Practices when Configuring ICAP for Virus Scanning . . . . . . . . . . . . . . . . . . . 166Scanning Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166SMB / CIFS Client Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166File Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166


Preface
Welcome to the Panzura Storage Controller (controller). The preface contains the following information:
“About this Guide” on page 6

“Document Conventions” on page 6

“Related Documents and Resources” on page 6

About this GuideThis guide describes how to deploy and manage the controller. It is designed for experienced storage administrators who are responsible for configuration and maintenance. It assumes that you are familiar with NFS and SMB/CIFS network storage operations.

For installation information, see the Panzura Storage Controller Installation Guide.

Document ConventionsThis document uses the following conventions.

Related Documents and ResourcesFor related documentation and other information, go to the Panzura web site at http://www.panzura.com. The documentation may be accessed on the Support page (Support > Docs & Information). Access requires a user login and password.

Convention Description

Bold font Actions, command names.Example:Choose One Arm (default) or Inline.Example:Use the show‐interface command.

Fixed width font

Command examples and output.Example (sample output):Running test on Cloud License: CSP-Google, 44454C4C-4600-1047-8051-C6C04F4C4D31.1330968255.954850Running connectivity testResolve DNS commondatastorage.googleapis.com : 74.125.224.106 74.125.224.107 74.125.224.108...


1 Overview
This chapter provides an overview of the Panzura architecture and the Panzura Storage Controller (controller) features.
“Panzura Storage Architecture” on page 7

“Panzura Storage Controller” on page 8

“Controller Features” on page 9

“Description of Key Features” on page 10

“Configuring the Controller” on page 13

Panzura Storage ArchitectureThe Panzura OS (PZOS) provides a highly scalable, high performance global file system called CloudFS that is natively integrated with object‐based cloud storage systems. CloudFS allows clients from multi‐site locations to interact with and lock files within a single global file system address space, known as the unified namespace. Within the Panzura architecture, global shared file read operations are serviced locally at LAN speeds. File write permissions are managed by the Panzura's Global Read Write file locking technology.

Within the Panzura network architecture (Figure 1), all controllers share access to a common storage cloud. The cloud is the authoritative source of data for all controllers. Because cloud storage is effectively infinite in capacity and elastic in scale, cloud storage is always larger than the local physical storage that is available in any particular controller (at any particular site). The Panzura architecture includes technologies to leverage this difference in capacity and manage the aspects of deploying a NAS storage system that operates under this paradigm. Each Panzura controller provides LAN speed access to CloudFS. Locally, each controller caches data while presenting a complete metadata view of the entire CloudFS that spans all connected sites.


Chapter 1 | Overview

Figure 1 Panzura Network Topology

Panzura Storage ControllerThe Panzura Storage Controller (controller) is the core of the Panzura storage architecture. The controller is a reliable, high performance, optimized cloud storage appliance that can manage massive data densities within its scalable file system. The resilient storage subsystem protects data using military grade encryption, multiple RAID parity protection schemes, efficient user managed snapshots, and cloud storage.

The controller provides local and cloud storage for widely‐used file storage protocols, file management technologies, and directory services integration.

Network File System (NFS), used by Unix/Linux clients and servers

Server Message Block (SMB) / Common Internet File System (CIFS), used by Microsoft Windows clients and servers

Microsoft Active Directory (AD)



The controller can virtualize multiple disk media types within the same file system. Supported media include spinning hard disk drives (HDDs), solid state drives (SSD), networked WAN‐addressable cloud storage, and LAN‐addressable NAS filer volumes. PZOS serves data to clients with SMB/CIFS and NFS protocols.

Controller FeaturesThe Panzura Storage Controller provides the following features:

Highly scalable 128‐bit transactional object file system

Intelligent read & write caching

In‐band file system Policy Engine

User managed snapshots

Extended file system ACLs

RAID data protection

Globally distributed file sharing and locking for SMB/CIFS

High availability

Microsoft Active Directory integration

Kerberos authentication

Key Management Interoperability Protocol (KMIP) support

Global namespace

Scalable live global deduplication

Multi‐protocol SMBv1, SMBv2, and NFSv3 file services

SMB/CIFS load balancing

Military grade encryption

Unified SSD, HDD, and cloud storage

Intelligent LAN and WAN bandwidth management

Intelligent NetBackup support for multi‐site backup, recovery, and archive

Tivoli TSM support for multi‐site backup, recovery and archive

SNMPv3 monitoring, traps, and alerting

Online remote monitoring and support

High speed parallelized WAN‐optimized cloud I/O

Multiple cloud topologies (public, hybrid, private)

Real‐time cloud storage diagnostics

Full system recovery from the cloud

1GbE and 10GbE NIC support (optical and copper)

Bandwidth shaping and connection tuning



Description of Key FeaturesThe next sections describe key features in detail.

Panzura Unified Namespace The Panzura unified namespace is an in‐band file system fabric that consists of multiple physical file system instances converged into a single file system metaspace and mounted locally on each node with the root label “CloudFS.”

The Panzura unified namespace does not rely on underlying distributed databases and thereby avoids common global namespace limitations that can affect speed, transactional data coherence, write order fidelity, open files, atomic precision, in‐band operation, and global snapshots. By contrast, other global namespace architectures require a database process on each storage system and changes to file metadata require complex out‐of‐band operations.

File LockingPZOS and CloudFS support several file locking mechanisms. A traditional file lock is a lock issued against a file by a file system, a server or an application. The lock can consist of extensive application specific meta‐information and be written into parts of the file payload and/or its file system metadata.

File coherency locks are file system locks that are issued by applications to arbitrate guaranteed consistency between applications writing/reading to a single file, for example, MSFT Office Application locks.

Opportunistic caching locks are delegated rights that are issued by a file server protocol engine for a remote client to cache a file locally to increase client‐side performance. This is not necessarily a guaranteed write lock, because the delegation can be revoked by a file server at anytime. Example: Microsoft SMB/CIFS OPLOCKS.

SnapshotsPanzura uses snapshots to capture the state of the file system at a given point in time. In PZOS there are two types of snapshots: system managed and user managed.

User managed snapshots provide point‐in‐time copies to protect data with no performance impact and minimal consumption of storage space. You can take user‐managed snapshots while applications are running to create copies quickly, regardless of size of your file system, the data set, or the level of activity on the system. You can schedule automatic snapshot creation or take snapshots on demand.

Panzura recommends creating a user snapshot schedule that meets your business needs while maintaining a reasonable number of snapshots per controller when using a multi‐controller CloudFS configuration. See “Snapshot” on page 67 for recommendations.

Data LocalityData locality (caching and pinning) governs what data is cached locally on the controller. PZOS provides fine‐grained configuration control over caching through the use of policies, rules and actions that result in improved performance and enhanced cloud storage availability for users.



When configuring data locality, Panzura recommends using the auto cache action with prepopulate enabled. This ensures that files are available in disk cache for end users. Prepopulating makes the data available without forcing a reduction in cache.

Pinning allows an administrator to forcefully localize (pin) data in the cache within a controller to provide guaranteed LAN speed performance. Because pinning consumes cache space, it should be considered only if needed for performance, with the trade‐off between performance and cache space kept in mind.

Note that data is always protected in the cloud, irrespective of polices rules and pinning. See “Data Locality Settings” on page 95.

Extended File System ACLsThe Panzura file system supports extended file system access control lists (ACLs) with full POSIX semantic compliance. For NFSv3, the system supports read and write ACL operations through an SSH shell or application layer. Clients can dynamically use any supported ACL mode for setting and getting ACLs.

For SMB/CIFS, clients use a native Microsoft method with the Server Message Block (SMB) protocol for reading and writing extended ACLs. PZOS provides the ability to turn SMB signing on or off. See “SMB (Basic)” on page 66.

Scale‐out Global DeduplicationThe controller supports enhanced data deduplication within the global file system with high performance, scalability, and system‐wide efficiency. The deduplication data architecture and physical layout on disk is optimized for local and global write performance and data addressability. See “System (Advanced)” on page 76.

Intelligent Read/Write CachePZOS supports an intelligent read/write disk‐based cache (IRC) that reserves a percentage of local storage to intelligently track hot, warm, and cold file block structures as they are accessed. The cache dramatically increases data availability and I/O performance, because file data‐blocks reads have a higher probability of being serviced from local disk than directly from external cloud storage. The cache also increases overall data availability by masking variations in cloud availability. This allows the file system to continue serving I/O and cache‐resident data‐block reads even when the WAN link to the cloud storage slows or is unavailable, or if the cloud itself is down.

Enhanced Cloud DiagnosticsThe controller provides a robust set of diagnostic and measurement tools for monitoring and understanding the health, status, and performance of the Panzura cloud storage infrastructure and interactions. The cloud diagnostics features include tools to analyze the cloud, while the cloud metrics features present a detailed set of trended graphs to visually display metrics about cloud reads and writes. The system also generates alerts if the cloud becomes unavailable. See “Diagnostics” on page 107.



Intelligent Symantec NetBackup Integration PZOS supports intelligent integration with Symantec NetBackup, including awareness of the NetBackup data format stream. The system efficiently deduplicates the data stream inline with high optimization ratios. Tivoli TSM, Microsoft Robocopy and Symantec Backup Exec are also supported as cloud backup and cloud archive applications.

High AvailabilityThe Panzura High Availability (HA) solution consists of two configuration options, HA‐Local and HA‐Global. HA‐Local is similar to the methods used by legacy enterprise storage products. In this configuration, an active controller is protected by a dedicated, passive standby. When the active controller fails, the passive standby takes over ownership of the filesystem and the controller operations. The standby hostname does not change during the takeover process.

To streamline the process in the event of takeover, you can specify a shared hostname and IP address for the active and passive controllers.

The innovative HA‐Global configuration provides a more cost effective and flexible solution. This implementation makes it possible to protect many controllers with a single passive standby that can significantly reduce the cost of HA. When a failure occurs, the standby takes over ownership of the filesystem and the controller operations. The standby hostname does not change during the takeover process.

If a greater level of protection is required, multiple standby controllers can be deployed to protect against multiple controller failures. And the standby controllers can be geographically distributed from the controllers they protect to provide greater flexibility. See “High Availability” on page 82.

DR Cloud RecoveryFull cloud disaster recovery (DR) allows rebuilding and recovery of an entire controller from the cloud after a disaster has occurred. In this highly optimized and efficient process, the file system is brought online and established as active from its cloud metadata instances as soon as possible following the disaster. A minimal set of data blocks are recovered from the cloud to bring the system to a state where clients can start using the controller, with remaining data downloaded in priority order.

10GbE and 1GbE NIC SupportPZOS supports both 1GbE and 10GbE networking options. 10GbE NICs are available for all hardware platforms with either CAT6/RJ45 or SFP+.

Enterprise AntiVirus PluginProtecting file servers from viruses is an important part of an overall security strategy, and products such as McAfee VirusScan Enterprise and Symantec Protection Engine address this need well. You can install licenses to use these products to automatically scan files with the latest virus definitions.



Configuring the ControllerThe controller installation process includes initial configuration steps. See the Panzura Storage Controller Installation Guide for instructions.

After the controller is installed, use the web UI for all additional configuration and management.

Accessing the Web UITo access the controller Web UI, enter the controller’s IP address into your web browser and log in using the following default credentials:

Account = admin

Password = admin

Navigating the Web UI The web UI contains the following areas (see Figure 2):

Top information area — Displays the hostname of the controller, software version, user name, and link to log out.

Tabs — Allows you to access the Dashboard, Configuration, Maintenance, or Reports pages. The Dashboard is selected when you first open the web UI.

Left side menu — Allows you to navigate to individual configuration and maintenance pages. Visible only when you click the Configuration or Maintenance tab.

The contents of the side menu depends on what license are active and can also depend on configuration settings. For example, the SMB Settings page is visible on the side menu only if a SMB/CIFS license is active and SMB is selected as an option on the CloudFS page.

Alert area—Presents current alert information. Shown only if there is are current alerts.



Figure 2 Web UI

Tabs Top information area

Left side menu

Alert area



DashboardThe Dashboard page opens when you log in to the controller and is accessible at any time by clicking the Dashboard tab.

Beginning with Release 6.1, a new Dashboard is available with a new look and feel and information. To see the new Dashboard, click Try the new Dashboard. To change back from the new to the legacy Dashboard, click the Dashboard tab again.

See “New Dashboard” on page 15 and “Legacy Dashboard” on page 20.

Figure 3 Selecting the New Dashboard

New DashboardThe new Dashboard gives an at‐a‐glance visual picture of controller status and statistics, as described in this section.

Figure 4 New Dashboard



Events

The Events box shows the most severe outstanding event (severity and count). Hover over the box to display a list all the events with that severity. The count in the box matches the number of event displayed. This example shows that there is one minor event, which is currently the most severe. Hover over the box to display the event name.

Systems

The System box shows the status of system resources.CPU load. Hover over the box to show the current CPU load value. The green box turns red if the CPU load reaches 90% or greater.

Memory. Hover over the box to show the current percent of memory used. If swap space is being used, the swap space value is also presented. The green box turns red if memory usage reaches 90% or greater or if swap space used is greater than 1 GB.

Disk. If the box is green, all disks are online. If any disks are offline, the box is red. Hover over to list the offline disks.



Network

Bandwidth. Shows the egress and ingress value in a bar chart, with the actual value (in Mbps) displayed at the bottom. If a bandwidth limit is configured, it is shown as a blue line. The bar color turns from green to red if the actual value reaches 80% or more of the bandwidth limit. If a bandwidth limit is not configured, the bar turns red if the value reaches the interface limit (1GB for GE and 10GB for XGE).

In one‐arm mode, title of the box is Bandwidth and the statistics are incoming and outgoing octets, which are converted into Mbps at 5 minute intervals.

Cloud

The Cloud box shows upload and download status (failures vs success). The color turns yellow if there are both failures and successes, and red if there are only failures. Hover over to see the success and failure counts.



Latency

The Latency box show shows latency values between the local controller and other configured controllers. The green color changes to yellow if latency is between 175 ms and 250 ms and red when latency exceeds 250 ms.

File System

The File System box shows the following information:Local Synchronization. When a controller’s file system is synchronized, its box is green and labeled “Synced.” When the file system is in the process of syncing, its box is green and the estimated time is displayed. If the time to synchronize cannot be estimated because the snapshots behind are increasing, the box displays “Sync Error" and becomes red. The box is also red if the controller is down.

Cache. Shows how the cache is being used by data:

— Pinned— Cached — Dirty— Free

The number inside the circle represents the percent of cache with used data (pinned + cached + dirty). The number inside the circle is green unless the value reaches 80% of the total cache, in which case it turns red.



Hover over the chart area to display the labels for specific parts of the pie and to show the actual values.

Metadata. Shows how much metadata space is being used. The number inside the circle is green unless the value reaches 80% of the total cache, in which case it turns red. Hover over the chart area to display the labels for specific parts of the pie and to show the actual values.

Storage

the Storage box shows the amount of cloud and disk storage used. The used value is shown in blue and the available value is shown in grey. The number inside the circle is green unless the value reaches 80% of the available storage, in which case it turns red. Hover over the chart to see the data label and over a segment to see the actual value.



Legacy DashboardThe legacy dashboard displays the following information:

Network Throughput – Ingress and egress bytes (bytes per second) for the selected time period. (See “Data Interval and Refresh Rate” on page 22.)

Platform Details– Details on the physical controller platform.

Storage Capacity – Available storage capacity.

SMC Statistics – User activity.

Bandwidth Summary (Last Week) – Summary of bandwidth use over the last week, in 3‐hour increments. Bandwidth is shown for traffic from the controller to clients.

Disk and RAID – Status of the local storage disks on this controller. Data storage availability counters are provided for all local disks plus cloud storage.

NoteIn Unified Management deployments, this counter does not include storage for disks on other controllers in the group.

On a new controller, the storage statistics are for the local device only. When you install a license for cloud storage, the storage statistics are immediately updated to include the storage available in the cloud.

Active Controller Sync Status – Status information for each controller (see “Active Controller Sync Status” on page 21).

Figure 5 Dashboard



Active Controller Sync Status

The Active Controller Sync Status section of the Dashboard includes detailed information about the synchronization state of all controllers. This information can help a Panzura administrator identify when the controllers within a CloudFS are not in sync. In some cases, controllers not being in sync can cause end users to report not being able to see recently created files or folders.

NoteThe controller name and filesystem name in the table are normally the same. However, there are scenarios following HA takeover where the filesystem name could be different.

Panzura controllers use system level snapshots behind the scenes to communicate local filesystem changes to all other controllers. These are unrelated to the user snapshots that can be scheduled within the Web UI.

When a controller takes a system level snapshot, it is sent to the cloud. All other controllers download and apply this snapshot. This makes it possible for the users accessing the other controllers to have a view of the non‐local portion of the filesystem.

In some cases, a controller might fall behind in uploading its latest system level snapshots, or a controller might fall behind in downloading its peers' latest system level snapshots from the cloud. If either of these occurs, the CloudFS becomes out of sync. This can lead to end users reporting that they cannot see newly created files or folders.

The Snapshot Sync Status column indicates whether the controller is synchronized or behind in synchronization. If a controller is behind, you can hover the entry to view the details.

The Generated number refers to the most current system level snapshot the controller has created.

The Uploaded number refers to the latest system level snapshot uploaded to the cloud.

The Received number refers to the latest system level snapshot from the controller that has been downloaded and applied to the controller from which the admin is currently viewing the Dashboard. The difference between the Received number and the other numbers indicates how out of date the information about the listed controller is.

In general, all controllers should be within several snapshots of each other. When controllers are out of sync by five or more or more snapshots, end users will begin to notice problems.

Example

In the following figure, the most current system level snapshot generated by cc145 has a generated number of 27235. The latest snapshot cc145 has uploaded to the cloud is also 27235. Because these match, the controller is not falling behind with uploading system level snapshots.

Had the Generated reference number were 27245 or higher and the Uploaded reference number were 27235, that would indicate that the 10 most recent system level snapshots had not yet been uploaded to the cloud. If this were to occur, the network connection from cc145 to the cloud should be checked.



Space Controller Information

On a master controller, this section lists the controllers in the cluster that are configured for high availability.

Data Interval and Refresh Rate

By default, statistics are shown for the most recent 1‐hour period, and are refreshed once a minute. You can change the data interval and refresh rate.

Data interval – The data interval can be one of the following:

— 5 minutes— 30 minutes— 1 hour— 24 hours— 7 days— 30 daysRefresh interval – The refresh interval can be one of the following:

— Off (no automatic refresh)— 30 seconds— 1 minute— 5 minutes

You also can refresh the data at any time by clicking Update Now.

Redisplaying the Dashboard

If you navigate away from the Dashboard, you can easily display it again by clicking the Dashboard tab.

Configuration PagesThe Configuration pages are divided into Basic Settings and Advanced Settings. The Basic Settings pages are listed when you click the Configuration tab. To list the Advanced Settings pages, click Advanced Settings. For information on configuration tasks, see Chapter 2, “Configuration.”

Click the Maintenance tab to display the Maintenance pages. For information on maintenance tasks, see Chapter 3, “Maintenance.”


2 Deployment — The First 72 Hours
This chapter explains how to navigate the first few days of your Panzura Storage Controller deployment, including how to scope the rollout of a Panzura global cluster and anticipate end‐user expectations so that disruption is minimized during the rollout.
“Panzura Controllers” on page 23

“Understanding CloudFS” on page 24

“Deploying Panzura CloudFS” on page 25

Panzura ControllersPanzura controllers, physical or virtual, create the foundation for the CloudFS file system. Users mount the Panzura controller using SMB or NFS protocols and experience the performance of a high‐speed LAN connected file server. In addition to providing local file services, the controller also shares file data and metadata with a cluster of controllers that can span the globe. Each controller has a complete global view of the CloudFS and provides LAN speed performance by locally caching the files that are being accessed at that site.

Master and Subordinate ControllersThe terms master/subordinate and local/remote refer to the roles of individual controllers in a CloudFS deployment. The master/subordinate configuration applies to the management relationship between controllers. The configuration details of a master controller are automatically replicated and distributed to all subordinate controllers. This simplifies the management of the CloudFS deployment. The replicated information includes:

Licenses

CloudFS operation mode

Controllers that are permitted to participate in the shared CloudFS topology

Encryption certification for accessing data in the cloud between controllers

CIFs shares

Drive file size

Schedule filesystem snapshots

Deduplication setting

Data compression setting

Cloud upload order

SMB signing mode


Chapter 2 | Deployment — The First 72 Hours

Local and Remote ControllersThe local controller is the controller nearest the user on a local LAN. A remote controller is one that is physically located in another office, somewhere around the globe. These terms are used when describing the flow of files and metadata within CloudFS, from one controller to another controller.

The following figure a Panzura deployment that includes three sites—Paris, New York, and London. A Panzura controller is physically deployed at each site. Users connect to their local controller, have a complete view of the shared file system, and experience LAN access speeds to the data in the global file system.

Figure 6 Panzura Network Topology

Understanding CloudFSCloudFS is a global file system that runs on Panzura controllers. Geographically dispersed controllers allow users who connect to CloudFS to experience a high‐speed file system, regardless of location.



Updates to the file system are shared in the background, in near real time, with all the other controllers in the cluster. Integrated with CloudFS is a global file locking technology, called Global Read Write (GRW), which controls read and write file locking. This technology allows many users and work sharing applications to leverage the global CloudFS without suffering file locking or performance issues.

When deploying Panzura controllers at multiple sites, users connect to their local controller but share the resources of the entire global file system. The practical aspect of a CloudFS deployment is best described through a real world example.

Consider a company, AEC Corporation, with three sites, Paris, New York, and London, as shown in the previous figure. Paris is the primary site, and the domain name for AEC Corporation is aec‐example.com.

The three Panzura controllers are deployed as follows.

1. The controller in Paris, paris.aec‐example.com, is configured as a master controller.

— A project directory is created: /cloudfs/paris/aec‐project‐01— An SMB share is created for the new directory: /aec‐project‐01

Users at this site connect to the SMB share \\paris.aec.com\aec‐project‐01

2. The controller in New York office, new‐york.aec‐example.com, is configured as a subordinate to the Paris master controller.

Users at this site connect to the SMB share\\new‐york.aec.com\aec‐project‐01

3. The controller in London, london.aec‐example.com, is configured as a subordinate to the Paris master controller.

Users at this site connect to the SMB share\\london.aec.com\aec‐project‐01

Deploying Panzura CloudFSThe next sections describe the high‐level steps to deploy Panzura CloudFS. For details, see the the Panzura Storage Controller Installation Guide and “Configuration” on page 43.

Step 1: Install and Configure Panzura Controllers

Step 2: Seed CloudFS with Files and Directories

Step 3: Connect Users with CloudFS

Step 4: Observe CloudFS Performance

Step 5: Tune CloudFS Performance

Step 1: Install and Configure the Panzura ControllersA CloudFS deployment runs on a cluster of globally distributed Panzura controllers, physical or virtual. The controllers are configured on their local networks, attached to DNS, and connected to the cloud back‐end. Before deploying controllers, decide which controller will be the designated master controller, and which controllers are to be subordinates of the master.

Install and configure Panzura controllers 1. Deploy the physical Panzura controllers.

2. Configure network access.

3. Set unique hostnames for each controller.



4. Identify the master and subordinate controllers and set the Configuration Mode.

5. Enter license information on the master and subordinate controllers.

6. Configure the cloud connector on the master and subordinate controllers.

7. From the master controller, add each subordinate to the CloudFS.

8. Join the Active Directory domain.

9. Reboot the subordinate controllers.

NoteWhen a subordinate controller reboots, the CloudFS configuration details are replicated from the master controller to the subordinate controller.

Step 2: Seed CloudFS with Files and DirectoriesIt is important to seed CloudFS with project data before users access their local Panzura controller for the first time. In preparation for seeding data, create a directory structure that supports both current and future projects. Then upload project data and confirm that each controller in the cluster has the same view of the global file system and directory structure.

Seed CloudFS with File Data1. Mount your local Panzura controller to your desktop via a SMB/CIFS share.

2. Create a directory structure that supports current and future project files.

3. Upload project files to the appropriate directories on the controller.

4. Wait for the data to synchronize.

5. Mount each of the remote controllers.

6. Confirm that the entire file system can be viewed from each controller.

7. Observe CloudFS performance using the ingress and egress rate counters in the Panzura Web UI.

Windows Tools for Seeding Data

Microsoft Windows offers GUI and command line tools for migrating data:The Windows Explorer GUI can be used to drag and drop files to the CloudFS SMB/CIFS share. However, this method of copying files does not preserve file or folder permissions (ACLs).

Robocopy (Robust File Copy) is a command‐line utility—included with Windows Server 2012 and 2008—used to copy files and preserve file and folder permissions. Robocopy is scriptable, logs the copy process, features retry capabilities, and works around locked files.

Linux Tools for Seeding Data

Linux OS distributions include the rsync tool that can be used to copy files and directories from one server to another over an SSH connection. It is scriptable, preserves file permissions, and copies only new or changed files to the destination folder.

Understanding Snapshots

Panzura uses snapshots to capture the state of the file system at a given point in time. In PZOS there are two types of snapshots; system managed and user managed. The system managed snapshots are used to



provide file system consistency between controllers. In a process called syncing, PZOS takes the changes (deltas) that occur to files and to the file system metadata, captures the delta information in a snapshot, and sends them to the cloud. The metadata portion of these changes is retrieved from the cloud by all other Panzura controllers in the cluster where they are used to update the state of the file system and maintain currency. This system updating occurs continuously across all controllers, with each controller sending and receiving extremely small metadata snapshot deltas and using them to update the file system.

User managed snapshots are controlled by the administrator to provide file system backups in the shared cloud storage back‐end. You can schedule automatic snapshot creation or take snapshots on demand. They are visible to the end user so they can be used to retrieve old versions of files without involving IT administration. Panzura guarantees that each controller will support more than 10,000 user‐managed snapshots.

How long will it take to seed CloudFS with data?

When files are uploaded to a SMB/CIFS share on the local Panzura controller, the files and metadata are immediately uploaded to the shared cloud storage back‐end. The files and metadata become available to all the other controllers in the cluster, which immediately download the metadata and synchronize their file systems. When working with normal amounts of data, the cycle of uploads and downloads is nearly instantaneous and invisible to the end user.

However, when seeding large amounts of data to a controller, be aware that it takes time to upload files and file system metadata to the shared cloud storage back‐end. The time to complete this upload and download cycle is governed by the speed of the network links connecting the clients to the controllers and the controllers to the shared cloud storage back‐end.

When data is uploaded to a share on the local controller, the PZOS operating system creates a system snapshot to capture the state of the file system and to identify the files that have been created or changed. Before uploading files to the cloud, the data in the files is broken down into smaller chunks of data, called drive files, which are uploaded sequentially to the shared cloud storage back‐end. The file data is uploaded first followed by the file system metadata snapshot.

Remote controllers constantly poll the shared cloud storage back‐end looking for new metadata snapshots. When new metadata snapshots are found, they are downloaded one by one and applied to the local file system. After the last metadata snapshot is downloaded and applied, the global file system is fully synchronized among all the controllers.

The time required move data to CloudFS and share the updated file system metadata with all the controllers in the cluster is a function of the following values:

T1 = time to transfer files on a LAN from the local file server to the local Panzura controller.

T2 = time to upload the files (drive files) and the metadata snapshot from the Panzura controller to the shared cloud storage back‐end.

T3 = time to download the metadata snapshot from shared cloud storage to the remote Panzura controllers. The remote controllers poll the cloud every 30 seconds, so the time to find and begin to download the metadata snapshot is no more than 30 seconds.

The time required to move files between a file server and the Panzura controller is governed by the speed of the local area network. Actual network speed is determined by the available bandwidth on the network. With that in mind, the following formula calculates the minimum amount of time to move data to the Panzura controller, and between controllers and the cloud.

time (sec) = amount of data (GB) * 8



network speed (Gb/s)

For example, with 100GB of data and a 1Gb/s LAN, the calculations are as follows:

T1 = 100*8/1 = 800 seconds

T2 = 100*8/1 = 800 seconds

T3 = 30

Thus, the minimum time to upload and share 10GB of data with a 1Gb/s LAN is:

T1+T2+T3 = 800+800+30 = 1630 seconds = 27.2 minutes.

Note that network connections to the cloud are frequently a lot less than 1Gb/sec

Step 3: Connect Users to CloudFSWhen CloudFS is running efficiently, it provides fast access to files that are distributed in the global file system. However, it takes time to distribute files to the appropriate controllers. Until files are cached in the local controllers, it appears that the system is running slowly. By design, the decision to cache data is an automated process that is triggered when a user accesses the data. Therefore, users will experience slow system performance as the system becomes balanced and data is cached at the appropriate controller.

Also, when a large amount of data is uploaded to CloudFS, users who want to access that data will experience slow access times until the files are downloaded and cached to their local controller. Subsequent file access will be fast, and updates to cached files will be shared quickly among all the controllers in the cluster.

Windows Explorer users will experience a delay when viewing a directory with a large number of new files for the first time. Windows Explorer must open every file in the directory before it can display the directory listing. If these files are not yet cached locally, Windows Explorer becomes unresponsive and appears to hang. Once the Panzura controller downloads all of the files from that directory to the CloudFS cache, Windows Explorer performs normally.

In all cases, data locality rules can be used to prepopulate the cache and improve performance for a particular folder. Even crawling the file folders (reading the files) can be used to populate the cache with data before users connect to the controller. It is a common practice for a knowledgeable system administrator to “walk” particular project directories in specific locations ahead of time to improve the local user’s first experience by ensuring the files they’re likely to use are already cached in the local controller.

Connect Users to CloudFS1. Users mount their local controller via SMB/CIFS.

2. Users browse file directories, then access and update files.

3. Files become cached locally and I/O performance increases.

4. Observe CloudFS performance using the ingress and egress rate counters in the Panzura Web UI.

Step 4: Observe CloudFS PerformancePZOS provides tools for monitoring CloudFS. Three counters are used to observe the flow of data through CloudFS: rate of data ingress, rate of data egress, and the synchronization of system snapshots. The



ingress and egress counters are viewed from the dashboard in the Web UI. The synchronization counters are viewed from the Diagnostic Tools menu in the Web UI.

The following discussion of data flow within CloudFS uses a two‐controller deployment, with controllers named LOCAL and REMOTE.

Figure 7 Network Throughput Graph

Observe uploads on the LOCAL Panzura controller1. Open the Dashboard page in the Web interface.

2. Configure the Network Throughput graph to use a refresh rate of 30 seconds, and view data for last 5 minutes.

3. Copy files to a SMB/CIFS share on the local controller.

— The ingress rate increases as data is copied to the controller.— The egress rate increases as drive files and snapshots are copied to the cloud back‐end.

Only after the drive file uploads are completed will the file system metadata snapshot be uploaded. The egress rate returns to zero after all drive files and snapshots are successfully uploaded.

Observe downloads on the REMOTE Panzura controller1. Open the Dashboard page in the Web interface.

2. Configure the Network Throughput graph to use a refresh rate of 30 seconds, and view data for last 5 minutes.

— The remote controller polls the shared cloud back‐end storage every 30 seconds for the latest snapshots.

— The snapshot sequence number of the latest snapshot is compared with the snapshot sequence number of the local metadata snapshot.

— If the sequence numbers don’t match, the controller will proceed to download metadata snapshots, one by one, until the sequence numbers match again.

— The ingress rate increases as the metadata snapshots are downloaded.— The ingress rate returns to zero after all the file system metadata snapshots are successfully

downloaded.— When completed, the LOCAL and REMOTE file system are synchronized.

Confirm that the file system is synchronized across all controllers

To confirm the file system is synchronized, check the Active Controller Sync Status on the dashboard.



Step 5: Tune CloudFS PerformancePZOS provides an automated, intelligent read cache (IRC) that increases file I/O performance. Over time and through general usage, the system dynamically populates the IRC with hot data from files being read by users. The caching algorithm monitors the frequency of file access, and how recently files were accessed, to determine what data to cache and what data to eject from the cache.

CloudFS performance can be tuned to increase the performance of specific files and directories with the use of data locality rules. Data locality rules govern what files are cached locally on the controller. These rules are also used to pre‐populate the cache in to guarantee LAN speed access to files before users access them for the first time.


3 Configuration

This chapter describes the settings on the Configuration pages for the Panzura Storage Controller (controller). See the Panzura Storage Controller Installation Guide for instructions on installation and initial setup.

Basic Settings“System (Basic)” on page 32

“Network” on page 34

“Time” on page 40

“Encryption and Certificates (Basic)” on page 41

“CloudFS” on page 46

“Active Directory (Basic)” on page 48

“Dynamic Sites” on page 50

“NFS” on page 50

“SMB (Basic)” on page 54

“Snapshot” on page 55

“License Manager” on page 58

Advanced Settings“System (Advanced)” on page 65

“NIC Teaming” on page 67

“KMIP” on page 69

“High Availability” on page 72

“Encryption and Certificates (Advanced)” on page 76

“Active Directory (Advanced)” on page 78

“SMB (Advanced)” on page 80

“Snapshot Manager” on page 84

“Cache” on page 85

“Data Locality Settings” on page 86

“Bandwidth Limit” on page 93

“SNMP” on page 95

“Logging” on page 98


Chapter 3 | Configuration

Basic SettingsThe following sections describe how to configure basic settings.

System (Basic)Configuration > Basic Settings > System

Use this page to set the controller hostname, enter location and contact information, and assign a configuration mode.

Configuration modes:Master – This controller is the master for a group of distributed controllers. The other controllers are subordinates. All licenses and configuration settings are added to the master controller and automatically propagate to the subordinate controllers.

Subordinate – This controller is a subordinate that is managed by a master. By default, all controllers are set as subordinates.

Each deployment must have at least one master. By default, all controllers are masters and maintain their own security and configuration. When you add a subordinate, you must specify the master that will manage it.

All configuration settings on the master are automatically propagated to the subordinates. After setting up the hostname and IP address information during installation, you do not need to configure any additional settings on the subordinates.

If you have two masters in the same CloudFS list, ensure that their encryption certificates are the same at all times, as all systems in the same CloudFS list must have same encryption certificates.

CautionEvery time a subordinate is rebooted or the master configuration changes, the configuration of the subordinate is updated. If you change a controller from a master to a subordinate, the current configuration is overwritten with the configuration from the master. This can cause loss of user access to SMB/CIFS shares.



Figure 8 System Settings (Basic)

After setting values, click Save.

Table 1 System Settings (Basic)

Item Description

Hostname Set the controller hostname (maximum 15 characters). The name must be unique within the CloudFS. No other controllers within the same CloudFS can have the same name.This simplifies administration and access to the managed controllers. Use the local DNS server at each site to return the IP address of the local controller.

Changing the HostnameIt is possible to change the hostname of a controller after it has been deployed. Enter the new hostname in the field and click Save. After renaming you must rejoin the Active Directory domain.Note that the names of SMB/CIFS shares and NFS exports do not change. This is because the filesystem name does not change.

Location Location of the controller. Allows you to identify the location of the con‐troller in the support emails and for the CloudFS UI (see “Determining the location of a controller on the map” on page 35).

Contact Enter the contact email for the person responsible for controller administration.

Configuration Mode Select whether the controller is a master or subordinate. Default is Master. When you select Subordinate, a field appears for you to add the hostname of the associated master.

This field is visible only ifSubordinate mode is selected



NetworkConfiguration > Basic Settings > Network

Use this page to set the network parameters.

To verify that your network environment is properly set up, see “Network Environment” on page 39.

Network ports on the controller are defined as follows:Client side = LAN = GB1 = ix0: This port is used by SMB/CIFS or NFS clients to access data on the controller. For controllers configured with a single network connection, also referred to as a One‐ARM deployment, cloud traffic will also use this interface.

Cloud side = WAN = GB2 = ix1: This port is used for cloud network traffic. Controllers with two network connections, also referred to as an In‐Line deployment.

See the Panzura Storage Controller Installation Guide for locations of the controller ports.

NoteIf you use the Command Line Interface (CLI) to perform initial configuration, some IP settings are already configured. You can use this page to change them if necessary.

The controller can be deployed in the network in either of the following modes:One‐Arm – The controller is connected to the network through a single interface, GB1. The controller is not directly in the traffic path between the internal and external networks.

Figure 9 One‐Arm Deployment

Figure 11 shows the page and Table 2 describes the settings. After setting values, click Save.

NoteIf you change the IP address of the interface through which you logged onto the Web UI, your management session is terminated as soon as you click Save.



Inline – The controller is connected to the network by separate LAN (GB1) and WAN (GB2) interfaces. When using inline mode, make sure that the two networks, GB1 and GB2, are on different subnets and that the DNS server is not on the GB2 (WAN network). Because GB2 is intended only for cloud traffic, if the DNS server is on the WAN network, the internal firewall blocks the DNS traffic. This is the preferred method.

Figure 10 Inline Deployment



Figure 11 Network Settings (One‐Arm)

Table 2 Network Settings

Item Description

Network Deployment Mode

Choose One Arm (default) or Inline. If you choose Inline, the page displays additional settings for the GB2 interface and static route table. See the description at the beginning of this section for details.



Network Hosts Click Add a Host to add a host to the local hostname file for address resolution without the use of an external DNS server.A host can be another controller, a Windows domain controller, or another system on the network.Specify the following for each host, and click Add: • Host name (fully qualified domain name [FQDN])• IP AddressAdd or remove additional entries as needed. To remove an entry, select its checkbox and click Delete Selected. If you need to modify an entry, delete the existing entry and then add a new one.

Note: The capitalization used when first configuring the controller host name persists for all CloudFS configuration operations. You cannot change the capitalization at a later time; however, you can change to a different host name.

Cloud Controller GB1 Inter‐face Configuration

Set the configuration for the GB1 interface. One‐arm deployments use GB1 for both client access and connecting to the object storage. GB1 is the only interface that needs to be configured for LAN traffic.

Inline deployments use both the GB1 and GB2 interfaces. In this case, GB1 will be dedicated to client access to the controller.

• Use DHCP—Select this checkbox to have addresses assigned automati‐cally by an external Dynamic Host Configuration Protocol (DHCP) server. If you select this checkbox, other settings in this section are disabled.

• Use Static IP Address—Assign the following settings for static IP addressing:— IP Address—IP address assigned to the interface.— Subnet Mask—Subnet mask assigned to the interface (format

x.x.x.x). —Gateway IP—IP address of the network gateway.— Primary DNS Server IP—IP address of a the preferred server to pro‐

vide DNS.— Secondary DNS Server IP—Optional IP address of a the preferred

server to provide Domain Name Service (DNS).—DNS Domain Name—Name of the domain where the controller is

installed.— Jumbo Frame—Disable or enable jumbo frames. Enabling jumbo

frames can improve performance in high‐speed (gigabit Ethernet or higher speed) networks; however, they only work if fully supported on network devices and they increase CPU and memory load on the controller. Make sure that you understand the use of jumbo frames before enabling this feature.

Table 2 Network Settings (continued)

Item Description



Cloud bandwidth limit Set bandwidth limits for WAN traffic:• Enable bandwidth limit—Enable or disable bandwidth limits.• Max. Upload (Mbps)—Maximum bandwidth for file upload (Mbps).

Default is 8.• Max. Download (Mbps)—Maximum bandwidth for file download

(Mbps). Default is 8.

Note: If your site is provisioned with less WAN bandwidth than these limits, the controller will fully consume the capacity. Panzura recommends that you set these limits under your upload and download bandwidths.

On the Bandwidth Limit Settings page (see “Bandwidth Limit” on page 93), it is possible to configure bandwidth limits to conform to a schedule. If bandwidth limits that are set on the Network Settings page conflict with scheduled bandwidth limits, the schedule bandwidth limits take prece‐dence.

GB2 Interface Configura‐tion

(Inline configurations only) Inline deployments use the GB2 interface to connect to object storage in the cloud.• IP Address—IP address assigned to the interface.• Subnet Mask—Subnet mask assigned to the interface (format x.x.x.x). • Gateway IP—IP address of the network gateway.• Jumbo Frame—Disabled or enabled jumbo frames.

Static Route Table This menu item is visible only when you select the Inline network configu‐ration. Enter static routes for the GB2 interface.To add a route, click Add Static Route and enter the following information:• IP Address—IP address for the route table entry. To configure a default

route, enter 0.0.0.0.• Netmask—Subnet mask assigned to the interface (format x.x.x.x). To

configure a default route, enter 0.0.0.0.• Gateway IP—IP address of the network gateway.

Then click Add to add the entry to the static routes table displayed on the page. To remove an entry, select its checkbox and click Delete Selected. Add or remove additional entries as needed.

Table 2 Network Settings (continued)

Item Description



Network EnvironmentMake sure your network environment is set up properly.

Network ports

The following ports must be open for full network support for the controller. DNS must resolve both domains: support[1,2,3,4,26].panzura.com & support[1,2,3,4,26].pixel8networks.com

WAN Accelerators

All WAN accelerators, such as the Riverbed Steelhead and Cisco WAAS, must bypass all Panzura network traffic. This includes all of the following.

WAN accelerators must not be in the network path between Panzura controllers.

WAN accelerators must not be in the network path between Panzura controllers and the cloud.

WAN accelerators are allowed in the network path between Panzura controllers and clients.

Table 3 Required Network Ports

ICMP Protocol Purpose

13935 ICMP Ping Echo requests

22 SSH (between controllers) Communication between controllers

80,443 HTTP, HTTPS Connection to cloud service providers

22,80,443 Connection to support3.panzura.com

123 UDP NTP server

53 TCP/UDP DNS

88 TCP/UDP Kerberos

135 TCP RPC

137,138 UDP NetBIOS

139 TCP NetBIOS

389 TCP/UDP LDAP

445 TCP/UDP SMB/CIFS/SMB2

161,162 UDP SNMP

514 TCP/UDP Syslog



TimeConfiguration > Basic Settings > Time

Use this page to set the date and time on the controller. CloudFS deployments require that all controllers and Active Directory servers have their clocks synchronized. For the most accurate time synchronization, use the Network Time Protocol (NTP) option and specify the same NTP server for all controllers and the Active Directory server.

NoteFor multi‐site deployments, it is a requirement to have all controllers and Active Directory servers synchronize their time from the same NTP source (for example, pool.ntg.org). If the times are not synchronized, SMB/CIFS users will not be able to log in and obtain access to their SMB/CIFS shares.

Table 4 describes the settings on the page.

Figure 12 Time Settings


Table 4 Time Settings

Item Description

Use NTP Select to obtain time settings from a Network Time Protocol (NTP) server. Enter the fully‐qualified hostname or IP address of the NTP server.

Set Time Manually Select to enter the time directly. This option is not recommended, because accurate time synchronization is critical for SMB/CIFS users and it is diffi‐cult to maintain accurate time synchronization manually.If you must specify manual time entries, enter the date in dd/mm/yyyy format and the time in hh:mm:ss format using a 24‐hour clock.



Encryption and Certificates (Basic)Configuration > Basic Settings > Encryption & Certs

Use this page (Figure 13) to upload pre‐created data encryption and web HTTPS certificates. Data encryption certificates are created, and KMIP certificates are retrieved, using the Advanced Settings > Encryption & Certs page. See “Encryption and Certificates (Advanced)” on page 76.

Encryption certificate: The encryption certificate is used to encrypt data that is sent to the cloud and decrypt data that is received from the cloud. You can use the default certificate provided by Panzura (not recommended) or use a custom certificate. When a custom certificate is loaded, it is visible in the list of encryption certificates. You can activate the custom certificate by clicking Activate in the Action column.

Web certificate: The web certificate is presented when an administrator accesses the controller web interface. You can upload a custom certificate to replace the default x509 PEM web authentication certificate.

The next subsections provide additional information about how certificates are used.

System Management

Web certificates are used when the administrator manages the controller via a Web browser. This is a normal HTTPS security mechanism for guaranteeing the authenticity of a remote system, in this case the controller. The controller ships with a default X509 PEM web certificate issued and signed by Panzura, Inc. You can install a new replacement certificate through the Web UI.

Data Encryption

The encryption certificate is used to encrypt data sent to the cloud and decrypt data that is read from the cloud. Each controller ships with a default data encryption certificate (P12 formatted) that is issued and signed by Panzura, Inc.

The security Web UI provides administrators with the ability to manage encryption certificates with flexibility, but care must be taken when doing this because controllers are fundamentally designed to share cloud data across multiple controllers, geographies, locations, and groups of users.

After a customer‐issued certificate is loaded, it is displayed in the certificate list. You can select and activate any certificate, as described in this section. The following restrictions apply:

All cloud controllers operating in a common single CloudFS must use the same encryption certificate for global read‐write collaboration to operate successfully. Unpredictable data access and client I/O experiences can occur if this certificate topology is not implemented.

Although multiple encryption certificates can be loaded, each Panzura controller uses one active certificate for all data operations. Multiple certificates cannot be active.

When a different certificate is activated, the system uses the new active certificate to encrypt all new data while using older certificates, no longer active, to decrypt data that was encrypted with those certificates.

Time Zone Select the time zone from the dropdown list.

Table 4 Time Settings (continued)

Item Description



You can delete a certificate only if it has never been activated. If the certificate has ever been used it must remain on the controller.

Figure 13 Security (Basic)



Controller‐to‐Controller Communication

During normal operation a controller will communicate securely with other active controllers within a CloudFS. For security reasons this communication takes place using an SSH key pair. To change this key pair from the default shipped with the controller, follow these steps.

Notes:Perform this procedure during a maintenance window across all controllers, including HA standby.

If you use this procedure to change the key, then you must perform step 3 on any new controller you add to the CloudFS.

To perform this procedure, port 443 must be open between controllers.

Procedure

1. Note the IP address of the master controller. In a multi‐master configuration, select a specific master controller to be the designated key master for the purposes of this change. For the purposes of this procedure all other master controllers are treated the same as subordinate controllers.

2. Change the pairing key on the master controller.

a. Use SSH to log in to the master controller as admin. The cloudfs> prompt appears.cloudfs>

b. Type enable and enter enable as the password, as prompted. The prompt changes to cloudfs#.cloudfs> enablepassword: enablecloudfs#

c. Use the show key‐signature command to display the current key signature and then use the regenerate‐pairing‐key command to create the new key. The second show key‐signature command shows that the regenerated key is different from the original key. The value of the key signature can range from 2‐43 characters, depending on the version of software that the controller is running.cloudfs# show key-signaturevalue:zBCD8MyYegWr+vf9eFge6vExk+pfIPHkCTzXYZO9hp0cloudfs# regenerate-pairing-keycloudfs# show key-signaturevalue:fGHEIK6MyEmRiGkDr+vf9eFge6vExk+pIEMsstO9qr4cloudfs#

3. Change the pairing key on all other controllers, including and HA standby controllers.

a. Use SSH to log in to the master controller as admin. The cloudfs> prompt appears.cloudfs>

b. Type enable and enter enable as the password, as prompted. The prompt changes to cloudfs#.cloudfs> enablepassword: enablecloudfs#

c. Enter the resync‐pairing‐key command to specify the pairing key. Include the IP address of the master controller and the admin password. If your controllers are using valid signed web certificates, use the secure option. If your controllers are using the default unsigned web certificate, use the insecure option. cloudfs# resync-pairing-key master-ip-address password securecloudfs#



orcloudfs# resync-pairing-key master-ip-address password insecurecloudfs#

d. Run the check‐master‐key‐pair‐sync command to verify that the key on the master and subordinate controllers are the same.

If the prompt returns with no output, the command is successful and the keys are identical.cloudfs# check-master-key-pair-sync cloudfs#

If the following error occurs, the sync was unsuccessful and you must rerun the resync‐master‐pairing‐key command and then the check‐master‐key‐pair‐sync command.ERROR:keysync not done.

e. Repeat for all remaining subordinate controllers.

Actions

The next table describes the actions on the page. Use the following procedures if you need to generate a self‐signed web and/or encryption certificate:

“To generate a self‐signed web certificate” on page 44

“To generate a self‐signed encryption certificate” on page 45

To generate a self‐signed web certificate

1. You can download openssl binaries from http://www.openssl.org/ and install them on Windows or Linux. For Linux, check the distribution for the install package.

2. Open a command prompt (or terminal if you are using Linux) and issue the following command.# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cc1.pem -out cc1.pem

This will create a certificate named cc1.pem that will be used to upload from the Web UI.

Table 5 Web Certificates Settings

Item Description

Change Active Certificate Select the radio button for the certificate to activate, and click Apply. To remove a previously uploaded certificate, click Delete. You cannot delete the temporary web certificate that is shipped with the controller.

Upload New Web Certificate

To use a new x509 PEM certificate, enter a name to identify the certificate in the certificate list and click Browse to find and select the certificate file. Click Upload Certificate to make the certificate available for selection. Fol‐lowing upload, the name of the new certificate is shown.

Upload New Encryption Certificate

Enter a name to identify the certificate, and click Browse to find and select the certificate file. Enter and confirm a passphrase. This is the export password that is assigned when creating the encryption certificate from OpenSSL.Click Upload Certificate to make the certificate available for selection.

Click Reset to clear any settings entered in this section but not yet saved.



When the certificate is uploaded and activated, the Web UI will refresh with the self‐signed certificate.

3. Click Apply to activate the certificate and deactivate the previously active certificate.

If you already have a third party signed certificate to convert to x509 PEM, open a text editor and paste the keys from the certificates for the certificate chain in the following order and save as a PEM file.

1. Private.key

2. Domain.crt: For domain certificate

3. Intermediate.crt: For the Intermediate certificate

4. Root.crt: For the Root certificate

To generate a self‐signed encryption certificate

1. You can download openssl binaries from http://www.openssl.org/ and install them on Windows or Linux. For Linux, check the distribution for the install package.

2. Use the following command to generate a private key if one doesn’t exist.# openssl genrsa -des3 -out cloudfs.key 2048

Because keys are sensitive information, make sure you store them carefully and encrypt them using a strong passphrase and cipher. You can use the DES, Triple DES, IDEA, or 128, 192, or 256‐bit AES symmetric ciphers by adding des, des3, idea, aes128, aes192, or aes256 flag to the command line. The default is triple DES (des3).

3. To create a self‐signed certificate using the private key that you generated, use the following command: # openssl req -new -x509 -out cloudfs.crt -key cloudfs.key

4. The process prompts you for details to create a Distinguished Name (DN). Some fields have a default value, which you can change as needed. If you enter a period (.), the field is left blank. The default values are read from the openssl.cfg file. For Common Name, specify the fully qualified domain name (FQDN) of the controller, for example, cc.panzura.com. You can leave the email address, optional company name and challenge password fields blank.Country Name (2 letter code) [US]: USState or Province Name (full name) []: CaliforniaLocality Name (eg, city) []: San JoseOrganization Name (eg, company) []: Panzura IncOrganizational Unit Name (eg, section) []: SupportCommon Name (eg, YOUR name) []: cc.panzura.comEmail Address []:

5. Issue the next command to bundle the p12. The command reads the encoded certificate and key and exports to a single PKCS#12 file. By default, the key will be encrypted with triple DES and you will be prompted for an export password (which may be blank).# openssl pkcs12 -export -in cloudfs.crt -inkey cloudfs.key -out cloudfs.p12 -name "Friendly Name"

NoteYou can concatenate the root certificate and any other certificates in the chain into a single file (for example, root.crt) and included in the PKCS#12 file as follows:# openssl pkcs12 -export -in cloudfs.crt -inkey cloudfs.key -certfile root.crt -out cloudfs.p12



6. In the controller web UI, click Browse under Encryption Certificates to upload the CC1.p12 file, and then select it. Click Apply to activate the certificate and deactivate the previously active certificate.

CloudFSConfiguration > Basic Settings > CloudFS

Use this page (Figure 14) to configure settings for file storage into the cloud, provided that you have installed a cloud storage license. For information on adding a cloud storage license, see “License Manager” on page 58.


Figure 14 CloudFS Settings




Table 6 CloudFS Settings

Item Description

Operation ModeNote: You can select the SMB/CIFS and NFS options only if those licenses are installed. You must activate the SMB/CIFS and/or NFS options for them to be displayed on the side menu,

Choose the file sharing protocols supported by the controller:SMB‐only—Supports storage of files accessed using SMB/CIFS. SMB/CIFS is commonly used within Microsoft Windows network domains to access files.

NFS‐only—Supports storage of files accessed using NFS. NFS is used by Unix/Linux‐based systems.

SMB‐NFS‐mix—Supports storage of files accessed by either SMB/CIFS or NFS. This option is not recommended because it may make it difficult to determine which protocol the specific files belong to and could result in access or permissions issues. If you must include SMB/CIFS and NFS, make sure that the two types of files are stored in separate directories.

Configured Cloud Control‐lers in CloudFS

Specify the list of controllers that are subordinate to this controller. This option is configurable only on an controller that is a master.

Click Add a Cloud Controller to add a subordinate controller to the distrib‐uted controller group. • Enter the hostname of the subordinate controller. The hostname must

be an FQDN.• Enter the domain name. The domain name must be a valid DNS

domain.• If you are configuring HA‐Global, indicate whether this controller will

be an active or standby system. Set the mode to Active, unless you are configuring an HA standby controller. See “High Availability” on page 72 for instructions on configuring a standby controller.

• Click Add.

CAUTION: Deletion or modification of a controller could result in loss of data. For this reason, deletion and editing are not supported in the Web UI. Be careful when adding a controller. If you enter incorrect information (or need to delete a controller), you must work with Panzura Support to correct the information or perform the delete operation.



Active Directory (Basic)Configuration > Basic Settings > Active Directory

Use this page to specify Active Directory settings for user access to the controller. For security reasons, the controller does not store admin name and password. When the controller joins the Active Directory domain, it uses the shared secret password provided by the Active Directory for future connections.

NoteAll controllers within a CloudFS must be joined to Active Directory. This includes HA‐Local Standby controllers and HA‐Global Standby controllers.

SMB/CIFS File system security

CloudFS file system security is compatible with and adheres to the Microsoft SMB/CIFS architecture. Files and directories can have user permissions or group permissions known as Active Directory security ACLs. The security ACL information is made available via Microsoft Active Directory network queries between the client, the Active Directory forest, and the controller. This relationship is established and initiated during the client login to the controller.

Joining a Microsoft Active Directory domain

The controller is designed to participate in Microsoft Active Directory Enterprise Forest topologies and therefore does not support a SMB/CIFS workgroup‐only authentication model (a SMB/CIFS network with no Active Directory Domain controller).

An internal DNS server should be accessible to the controller during the Active Directory join process. The controller will try to understand the Active Directory topology during the join process and locate many Active Directory servers within the domain. These servers will be used as potential candidates during the join process.

The process of joining a controller to an Active Directory domain will populate key domain security ACLs within the default BUILTIN groups. This facilitates global read‐write SMB/CIFS file sharing access throughout the Panzura unified namespace for each node in CloudFS (such as ..\cloudfs\cc1, ..\cloudfs\cc2, ..\cloudfs\cc3).

By default the Active Directory groups 'Domain Admins' and 'Domain Users' are members of the Active Directory BUILTIN groups. If additional domain ACL security is needed, these can be modified after successfully joining the Active Directory domain.

Web UI Authentication Using Active Directory

If the controller has joined an Active Directory domain, you can set up your AD domain controller to allow authentication to the Panzura controller using Active Directory credentials without additional setup in the Panzura controller. To use this feature, add the following two groups to the AD domain controller:

priv_panzura_admins , priv_panzura_users

Set the group scope to Global and group type to Security.

Users assigned to either of these groups can then log in to the Panzura controller using their AD credentials. Both of the following user name formats are accepted: username@domainname and domainname\username.



Figure 15 Active Directory Settings (Basic)

To join the Active Directory domain that you configured, specify the information in Table 7 and click Join Domain. The page displays the name of the domain controller (if configured) and the current Active Directory domain status.

NoteIf you are joining an Active Directory Read Only Domain Controller, refer to “Joining an Active Directory Read Only Domain Controller” on page 80

To remove the controller from an Active Directory Domain, click Detach from Domain. Domain Administrator credentials are required to perform this operation.

Table 7 Active Directory Settings

Item Description

Active Directory Domain Name

Enter the Active Directory domain name and click Save.

Active Directory Domain Administrator

Enter the user name of the Active Directory administrator.

Active Directory Adminis‐trator Domain Password

Enter the password for the Active Directory administrator.



Dynamic SitesConfiguration > Basic Settings > Dynamic Sites

The entries on the Dynamic sites page simplify management of CloudFS configurations that include both physical and AMI controllers. On a master controller, use the page to view the list of AMI controllers that are paired to the physical master controller and to accept selected AMI controllers into the CloudFS.

Select the controllers you want to add, and click Accept a Dynamic Site.

Click Reject a Dynamic Site to remove selected controllers.

Click Save to save and implement the settings.

NoteFor cloud controllers running within a public cloud to be added to a CloudFS configuration requires the installation of the AMI Interoperability license on all other controllers. Contact Panzura to obtain the licenses.

Figure 16 Dynamic Sites Settings

NFSConfiguration > Basic Settings > NFS

Use this page (Figure 17) to select which clients or subnets can access the data stored on the controller. Clients use NFS to mount storage on the controller. In addition to the host access control settings, the file system on the client is used to determine which users have permission to access individual files and directories in CloudFS. Table 8 describes the settings on this page. After setting values, click Save.

NoteThe NFS Settings page is displayed on the side menu only if NFS is licensed and one of the NFS options is selected on the CloudFS page. See “CloudFS” on page 46.



Figure 17 NFS Settings

These fields are displayed forAdd Host or Add Subnet

Host(s) or subnet(s)

Host(s) or group(s)

These fields are displayed forAdd Group of Hosts or Add Group of Groups

The Directory field is displayedonly if a local or remote (not global)file system is selected



Table 8 NFS Settings

Item Description

Add host Click Add Host to include hosts for which the controller will provide data storage. Specify the following: • File system—Select a file system from the dropdown list.• Directory(s)—This field is displayed only if specific local or remote (not

CloudFS) file system is selected. You can optionally select one or more directories within the file system to be mount points.

• Host(s)—Specify one or more host IP addresses, machine names, net‐group names, or combination of group names (separated by a space).

• Permission—Read‐only—Allows read‐only access to files. —Read‐Write—Allows the read‐write access to files.—No‐root‐Squash—Allows root users on the NFS clients to access all

files that are available on the NFS server.• Alldirs Mount

— Yes—The client is allowed to mount any directory under the selected directory.

—No—The client can mount only at the specified directory level.• Root Access

— Yes—Root access is provided to the specified directory.—No—Root access is not provided to the specified directory.

• Description—Enter a text description (optional).

To delete a host, select it and click Delete Selected. If you need to modify a host entry, you must remove it, save, and then add the host again with the changes.

Example (one host, one directory)Filesystem: /cloudfs/cc1‐caDirectory: NFS1

The path /cloudfs/cc1‐ca/NFS1 will be exported.Host(s): 10.11.12.12Permission: Read‐writeAlldirs Mount: No Root Access: No

Example (multiple directories, multiple hosts, Alldirs, and root access in one entry)Filesystem: /cloudfs/cc1‐caDirectory: NFS1/dir1/dirA NFS1/dir1/dirB

The paths /cloudfs/cc1‐ca/NFS1/dir1/dirA and /cloudfs/cc1‐ca/NFS1/dir1/dirB will be exported.

Host(s): 10.11.12.12 10.11.12.13Permission: Read‐writeAlldirs Mount: YesRoot Access: Yes



Add subnet Click Add Subnet to include all hosts on a specified subnet. Enter the sub‐net address and netmask, choose a permission option, and click Add. Repeat to add additional subnets.Permission options include:• Read‐only—Allows read‐only access to files. • Read‐Write—Allows the read‐write access to files.• No‐root‐Squash—Allows root users on the NFS clients to access all files

that are available on the NFS server.To delete a subnet, select it and click Delete Selected.

Add group of hosts Click Add Group of Hosts to add a set of hosts as a netgroup. The hosts in the netgroup must be local (not synchronized throughout CloudFS).Specify a name for the group and enter a set of hosts using hostnames or IP addresses or a combination of both. Use a space to separate the entries.

Examples:10.1.1.1 10.1.1.2 10.1.1.3host1 host2.example.com10.1.1.1 host1 host2.example.com

A netgroup functions as a unit when checking permissions for operations such as remote mounts, remote logins, and remote shell sessions. For remote mounts, the netgroup identifies and classifies machines. For remote login and remote shell sessions, the netgroup identifies users.

Add group of groups Click Add Group of Groups to create a netgroup that consists of a set of netgroups. Specify a name for the group and enter a set of groups. Use a space to separate the entries.Example:

NETGRP1 NETGRP2

Manually restart NFS ser‐vice

Click Manually Restart NFS Service to restart services after changing the NFS configuration.

Table 8 NFS Settings (continued)

Item Description



SMB (Basic)Configuration > Basic Settings > SMB

NoteThe SMB Settings page is displayed on the side menu only if SMB is licensed and one of the SMB options is selected on the CloudFS page (see “CloudFS” on page 46). For additional SMB/CIFS settings, see “SMB (Advanced)” on page 80.

Follow these steps to create an SMB share:

1. Log in to a client computer using an Active Directory administrator account.

2. Connect to the share \\<cc‐name>\cloudfs, where <cc‐name> is the hostname of your controller. Refer to the documentation for the client operating system if you need the specific steps to accomplish this step. As an example, on Windows 7 select Start > Run and type the path to the share in the entry field.

The \\<cc‐name>\cloudfs share represents the top level of the filesystem and is for administrative purposes only. In environments where both SMB/CIFS and NFS are used, Panzura recommends creating separate paths for SMB/CIFS and NFS. Example: \\<cc‐name>\cloudfs\smb and \\<cc‐name>\cloudfs\nfs

Network shares for end users must be created below this point, as follows.

While connected to the cloudfs share:

a. Create a folder with the same name as the controller.

b. Within the newly created folder, create a new folder. This folder will serve as the mount point for the share being created. For this example, the folder is named projects.

3. Navigate to Configuration > Basic Settings > SMB on the controller and perform the following steps.

a. Click Add an SMB Share.

b. Specify the share name and path (Table 9).

c. Click Add and then click Save.

The SMB/CIFS share is now created. Verify that the permissions of the share provide the appropriate user level access.

Table 9 SMB Settings

Item Description

Controller Name (cc‐name) Name of the cloud controller where the share is being created. Example: star‐01

Share Name Enter the name of the share into the Web UI. Example: projects



Figure 18 SMB Settings

SnapshotConfiguration > Basic Settings > Snapshot

Use this page to configure the timing of snapshots.

Panzura recommends using the default snapshot schedule. If your environment requires a different schedule, read this section prior to making changes. Table 10 describes the settings on the page.

To determine an optimum snapshot schedule, it is necessary to consider the needs of your environment. All snapshots consume a small amount of storage space. It is important to balance the need for snapshots with the total amount of storage consumed by snapshots to ensure proper operation for end users. In extreme cases when these two factors are not balanced, end users will experience reduced system performance.

Panzura snapshots are among the most space efficient available and consume a minimal amount of space. The size of a snapshot is a function of two factors: the rate at which end users create or change files, and the total size of all file changes.

Path to enter in the Web UI Path to the share, in the form/cloudfs/<cc‐name>/<folder name>Example: /cloudfs/star‐01/projectswhere star‐01 is the hostname of the controller.

Note: The cloud controller uses "/" in the path name. Windows uses "\" instead.

Table 9 SMB Settings (continued)

Item Description



Panzura cloud controllers can be deployed in a wide range of use cases and configurations. For the cross‐site collaboration use case, the snapshot schedule of a controller can affect other controllers within the same CloudFS. This is due to the metadata associated with each snapshot being shared across all controllers.

If the total space of the snapshot metadata on a controller is large, it can affect the amount of available disk cache on other controllers, the result being an increase in the eviction rate of cached user data on the other controllers. To guard against this, some storage space was set aside for this purpose when the size of the controllers was assessed.

Panzura recommends starting with the default snapshot schedule provided below. It is defined to accommodate a wide range of file recovery needs and reflects common best practices. Modify this schedule to meet the unique needs of your environment if needed.

NoteTo be able to use the Windows Previous Version capability, Panzura suggests a snapshot schedule with 1,000 ‐ 2,000 snapshots. If you have business reasons for needing to maintain hourly snapshots over an extended period of time, Panzura recommends that you use the ~snapshot directory to recover files instead. Contact Panzura to confirm that your controller has sufficient PRC for end‐user data and the large number of snapshots.

The snapshot schedule provides the ability to define the number of snapshots to retain. For example, the schedule below specifies the most current 24 hourly snapshots be retained. When a new hourly snapshot is taken, the oldest hourly snapshot is removed.

When a new snapshot schedule is enabled, periodically check the disk cache utilization of all controllers within the same CloudFS to ensure there are no negative effects. Should any occur, modify the schedule or contact Panzura.

Default settings:

Number of Yearly snapshots to keep: 1

Number of Monthly snapshots to keep: 11

Number of Weekly snapshots to keep: 3

Number of Daily snapshots to keep: 6

Number of Hourly snapshots to keep: 24

Panzura cloud controllers are capable of 10K snapshots when deployed with the cross‐site collaboration feature disabled. The controller must be properly sized to ensure sufficient space is available for both snapshots and end‐user activity.



Figure 19 Snapshot Settings


Table 10 Snapshot Settings

Item Description

Enabled User Managed Scheduled Snapshots

Select to enable the snapshot feature.

Number of Yearly Snapshots to Keep

Enter the number of yearly snapshots to keep (default 1).

Number of Monthly Snapshots to Keep

Enter the number of monthly snapshots to keep (default 11).

Number of Weekly Snapshots to Keep

Enter the number of weekly snapshots to keep (default 3).

Number of Nightly Snapshots to Keep

Enter the number of nightly snapshots to keep (default 6).



License ManagerConfiguration > Basic Settings > License Manager

Use this page to add, activate, or deactivate other licenses on the controller. The system identifier shown near the top of the page is unique to each controller and is used to generate and request licenses. Table 11 shows the actions on this page.

This page allows you to configure the connection between the controller and object storage in the cloud. The cloud license plays a critical role in establishing the connection with the common storage for the CloudFS file system. See “Configuring Service Provider Information” on page 148 for information that needs to be obtained from the cloud storage provider. The configurations are vendor specific, therefore all can be obtained from the cloud account administration Web portal provided by your cloud storage provider.

You can also specify settings for file access auditing, as described in “File Access Auditing” on page 60, and Enterprise AntiVirus Plugin (EAP), as described in “Enterprise AntiVirus Plugin Settings” on page 62.

NoteFor cloud controllers running within a public cloud to be added to a CloudFS configuration requires the installation of the AMI Interoperability license on all other controllers. Contact Panzura to obtain the licenses.

Number of Hourly Snapshots to Keep

Enter the total number of hourly snapshots to keep (default 24) and use the hourly checkboxes to specify a schedule. The system saves snapshots according to the schedule up to the total specified num‐ber of snapshots.

For example, if you specify 20 for the number of hourly snapshots to keep and select 4 times from the hourly snapshot schedule, then the system saves 5 snapshots taken at each time, for a total of 4 x 5 = 20.

Table 10 Snapshot Settings (continued)

Item Description



Figure 20 License Manager



File Access AuditingThe license manager options include file access auditing, which allows you to audit changes to file access across your organization. To set up file access auditing, configure the following settings under AS‐Audit on the License Manager page.

The level of support for file access auditing differs for SMB and NFS clients. See “File Access Auditing Support for SMB and NFS Clients” on page 169 for a list of supported audit operations.

Table 11 License Manager Tasks and Settings

Item Description

Add a license Uploads a license to the controller. Click Browse to locate the license file and then click Add License to make the license available for activation.See “Configuring Service Provider Information” on page 148 for details on configuring information for specific services providers.

NOTE: All licenses are keyed to the system identifier of a specific controller and cannot be used for any other controller. If the credentials you enter for a cloud license are not correct, the controller cannot connect to the cloud, and multiple retires could lockout the cloud account.

Activate selected Activates the licenses that have checkboxes selected.

Deactivate selected Deactivates the licenses that have checkboxes selected.

Delete selected Removes the licenses that have checkboxes selected from the License Manager list.

Table 12 File Access Auditing Settings on the License Manager Page

Item Description

Sysloghost IP address or FQDN of the host to receive the file audit event information. The controller sends this information on the standard syslog port 514 using TCP. To specify a different port, append it to the IP address. For example, if the host receiving the file audit event information is at 102.168.10.10 and its syslog service is listening to a non‐standard syslog port such as 1046, you can direct the controller to send information to this port by specifying the syslog host as 192.168.10.10:1046.

Note: UDP is not supported for sending file audit event information because it is not a reliable transport protocol and could cause some cap‐tured events to be lost.

Include Files Files to include in the audit, specified as a comma‐separated list of glob matches (such as *.exe).

Exclude Files Files to exclude from the audit, specified as a comma‐separated list of glob matches (such as *temp*).



The following is a sample of an audit log as it appears in the syslog server.

In the output, the [host] column is the Panzura controller, [uid/sid] is the user identifier, and [err] is one of the following error codes.

Access Operations to include in the audit.• General operations. open, close, write, read, create, remove, rename,

mkdir, rmdir, readdir, access, fsync, link, symlink, readlink• Attributes. setattr, getattr • Extended attributes. getxattr, setxattr, delxattr, listxattr,• ACLs: aclset, aclget, aclcheck• SMB/CIFS: sendfile, recvfile, chmod, chown, trunc, lock, unlock,

search, chflags, mknod, streaminfo, connect, disconnect

Code Description

0 No error.

1 Operation permission/capability issue

2 Item does not exist

5 I/O error

6 Device not available

13 Access permissions issue

16 Resource busy

17 File already exists

28 No space left on device

30 Read‐only file system

35 Try again ‐ cloud likely not available

Table 12 File Access Auditing Settings on the License Manager Page (continued)

Item Description



Enterprise AntiVirus Plugin Settings The Panzura Enterprise AntiVirus Plugin (EAP) license allows you to use McAfee VSE to automatically scan files with the latest virus definitions based on Internet Content Adaptation Protocol (ICAP). EAP actions include the ability to block the file from being accessed, logging the detection event, and quarantining the file. If a file was previously scanned, it is not rescanned unless the virus signature information has changed, the cloud controller has rebooted, or the filename, contents or path have changed.

To view the logs associated with EAP, select Maintenance > Diagnostics, and use the show‐log‐tail command, as described on page 115.

Table 13 shows the Application Services ‐ ICAP settings on the License Manager page. For more information, see “Best Practices when Configuring ICAP for Virus Scanning” on page 166.

Antivirus and Malware ScanningThis section describes how to configure McAfee VirusScan Enterprise and Symantec Protection Engine for antivirus and malware scanning.

Table 13 Application Services ‐ ICAP Settings on License Manager Page

Item Description

Hostname Specify the IP address of the anti‐virus scanner, using commas to separate multiple scanners. The controller load balances across the scanners in a round‐robin fashion. All scanners must be synchronized with identical virus definitions and configured identically.

Port Specify the port number used by the antivirus scanners. All scanners must use the same port. The industry standard port assignment for ICAP assigned by IANA is 1344 (default).

Service Specify the antivirus scanner ICAP service name. Most scanners ignore this parameter. avscan is the recommended default.

Include Files Specify patterns to identify the files to be scanned. The default is '*' which indicates that all files are scanned. Example: Enter *.exe, *.docx to scan only files with the exe or docx suffix.

Exclude Files Specify patterns to explicitly identify files not to be scanned. Example: Enter *.pdf to exclude files with the pdf suffix from the scans.

scan‐on‐read Specify whether to scan files when they are open for reading (default no).

scan‐on‐write Specify whether to scan files when they are saved or closed (default no).

Deny on Error Specify whether to assume content is suspicious and deny read access if the av scanner is non‐responsive for any reason and no other scanners are available (default yes).

Applies only to scans done on read operations. Deny on Error will not pre‐vent a write to a disk if the file was not scanned.

allow206 Not currently supported.



McAfee VirusScan Enterprise 8.8 with VirusScan Enterprise for Storage

You can configure a controller to use McAfee VirusScan Enterprise (VSE) 8.8 for antivirus and malware scanning. When installing the ICAP license on the controller, you are prompted for configuration information, as shown in the following figure.

Figure 21 Panzura ICAP Settings for McAfee VSE 8.8 with VirusScan Enterprise for Storage 1.1

Enter the IP address of the McAfee scanner into the Hostname setting of the ICAP license. No other setting changes are required. If you have multiple scanners and want to load balance between them, enter the IP addresses in the Hostname setting as a comma‐separated list.

By default, the ICAP license scans files when a read or write occurs. If you do not want to scan on writes, enter no for Scan on Write.

After the settings are configured, select the checkbox for the ICAP license and then activate the license at the top of the License Manager page. This will enable virus scanning immediately. If you need to change the settings later, enter new values and click Activate Selected at the top of the License Manager page. It is not necessary to deactivate the license to make configuration changes.

Symantec Protection Engine for Network Attached Storage 7.5

You can configure a controller to use Symantec Protection Engine for antivirus and malware scanning. When installing the ICAP license on the controller, you are prompted for configuration information, as shown in the following figure.



Figure 22 Panzura ICAP Settings for Symantec Protection Engine for Network Attached Storage 7.5

Enter the IP address of the Symantec scanner into the Hostname setting of the ICAP license and verify that Deny on Error is set to no. If you have multiple scanners and want to load balance between them, enter the IP addresses in the Hostname setting as a comma‐separated list.

By default, the ICAP license scans files when a read or write occurs. If you do not want to scan on writes, enter no for Scan on Write.

After the settings are configured, select the checkbox for the ICAP license and then activate the license at the top of the License Manager page. This will enable virus scanning immediately. If you need to change the settings later, enter new values and click Activate Selected at the top of the License Manager page. It is not necessary to deactivate the license to make configuration changes.



Advanced SettingsThe following sections describe how to configure advanced settings.

System (Advanced)Configuration > Advanced Settings > System

Use this page (Figure 23) to set the consistency schedule, data compression, deduplication, and SSD cache.


Figure 23 System Settings (Advanced)


Table 14 System Settings (Advanced)

Item Description

Consistency interval Specify the interval at which all controllers within the CloudFS attempt to synchronize changes. Do not change this setting unless requested to do so by Panzura Support.



Data Compression Select whether to enable or disable data compression for files that are moved to the cloud for storage. Default is enabled.

Data compression can provide more efficient use of local and cloud stor‐age and more efficient data transfers; however, if data compression is dis‐abled, performance might increase slightly and the system might use slightly less memory. The trade‐off is between efficient use of resources and performance.

We recommend that you enable data compression globally on this page. If you have some specific data files that you do not want to compress (because they are already compressed). You can override data compres‐sion for specific data sets on the Data Locality page. See “Data Locality Set‐tings” on page 86.

Data DeduplicationNote: This field is visible only if the data deduplication license is installed.

Select whether to enable or disable data deduplication for files that are moved into the cloud for storage. Data deduplication provides improved use of local disk storage (cache) and long term (cloud storage). Default is enabled.

Enabling data deduplication on a controller benefits other controllers as well because the results of data deduplication are shared across all the systems.

Results of data deduplication are data‐specific and require the use of CPU, memory, and disk I/O. It is not recommended for data sets that are already optimized and for those where appropriate duplication patterns cannot be detected (mpg, audio files, encrypted files, or files that are already dedu‐plicated).

You can override data deduplication for specific data sets on the Data Locality page. See “Data Locality Settings” on page 86.

Drive File Size Specify the drive file size from the dropdown list. Modifying the drive file size provides the ability to accommodate sites that may have less than the recommended 10Mbps network connection. This setting should be changed only with guidance from Panzura Support.

SDD Cache Show Settings Do not change this setting unless directed to by Panzura Support.

Table 14 System Settings (Advanced) (continued)

Item Description



NIC TeamingConfiguration > Advanced Settings > NIC Teaming

On physical (not virtual) controllers, NIC teaming allows you to aggregate multiple network interfaces into one virtual interface for link aggregation and failover.

LACP‐Switch Dependent mode combines multiple interfaces for increased throughput. It works best on switches that support Link Aggregation Control Protocol (LACP), because LACP distributes traffic bi‐directionally while also responding to the failure of individual links. LACP balances outgoing traffic across the active ports based on protocol header information and accepts incoming traffic from any active port. It does not load balance on a per packet basis.

Failover‐Switch Independent mode allows traffic to continue to flow in the event of a link failure, provided that one member of the aggregated network interface has an operational link. When the second member becomes available again, the link team is automatically reconstituted. Failover and recovery are transparent to the end user, but the failure and recovery information is written to the appropriate log.

The following rules apply to NIC teaming:NIC teaming is supported only on physical controllers (not virtual controllers). Configured NIC teams persist and do not need to be reconfigured when the controller reboots or is upgraded. However, if the controller is downgraded to a release prior to 6.3, it loses all information about teamed interfaces.

You can use NIC teaming with high availability active/standby configurations.

The interfaces for a NIC team must have the same maximum speed (10Gb or 1Gb). They can be on the same NIC or different NICs. For reliability, it is a best practice to team across different NICs if possible.

NIC teaming is supported in inline or one‐arm mode. In one‐arm the following are supported:

— 2ea 1GbE ports, OR— 2ea 10GbE ports

In inline mode, the following are supported:

— 2ea 1GbE ports for the client (LAN) or cloud (WAN) side— 2ea 10GbE ports for the client or cloud sideYou can configure the specific Ethernet interfaces to team using the Web UI or CLI.

You can create a NIC team on the client side, cloud side, or both.

It is possible to change the assignment of an interface from cloud side to client side or vice versa. To do this, first remove the interface from its current assignment by changing its Teaming Mode to None ‐ Single Interface. This makes the interface available for selection on the other side.

If your configuration uses the Dell IDRAC Express for out of band management, note that it shares the network interface with the controller and that IDRAC does not support NIC Teaming. It is possible to upgrade the IDRAC to IDRAC Enterprise, which uses a dedicated network port. This upgrade can be purchased directly from Dell.

Open the NIC Teaming page to configure interfaces for NIC teaming.



Figure 24 NIC Teaming

The page lists the NICs installed in the controller. The interfaces that are available for NIC teaming are identified with icons illustrating the RJ45 ports.

Teaming can be done across PCI and on‐board NICs.

Hover over a colored icon to display details about the current configuration.

The following table describes the icon color codes. When you configure a team, the icon colors are updated after the configuration is saved.

Table 15 Icon Color Codes for NIC Teaming

Color Description

White Available for teaming, but not currently configured.

Blue Configured as the client interface (standalone or part of a team).

Red Configured as the cloud interface (standalone or part of a team).



Configure NIC teaming

1. On the NIC Teaming page, select the teaming mode for the client side, cloud side, or both.

2. Select a port for Interface 1. When you make your selection, the available ports for Interface 2 are presented.

3. Select the Interface 2 port. If possible, select team members on different cards to improve reliability.

4. When you have finished configuring the client side, cloud side, or both, click Save to save the configuration.

NIC teaming is now operational, and icon colors on the page are updated to represent the team configuration. To view the current status of configured NIC teams, open the Maintenance > Diagnostics page and run the show interface command.

KMIPConfiguration > Advanced Settings > KMIP

Use this page (Figure 25) to configure connection to a Key Management Interoperability Protocol (KMIP) server and to manage KMIP certificates. Table 16 describes the actions on the page.

Communication with the KMIP server requires a mutually authenticated SSL session. You must upload the certificate authority (CA) certificate (the one that signed the KMIP server's server certificate) and client certificate for a KMIP server. Only one certificate of each type can be uploaded. To upload another certificate, you must delete the certificate of that type that was previously uploaded. After uploading the KMIP related certificates, you can register encryption certificates. See “Encryption and Certificates (Advanced)” on page 76.

NoteOnly master controllers can interact with a KMIP server.



Figure 25 KMIP Settings



Table 16 KMIP Settings

Item Description

KMIP Server Specify the following for connection to a KMIP server, and click Save:• KMIP Server Host Name—Specify the IP address or hostname of the

KMIP server.• KMIP Server Port—Specify the port for communication with the KMIP

server. IANA.org has assigned port 5696 for use by KMIP servers and clients. Your KMIP server documentation will state if it uses a different port number. The EMC RSA Data Protection Manager uses port 443 for KMIP communication.

• KMIP Protocol Type—Select one of the following:— binary TTLV (standard KMIP).—HTTP TTLV (RSA DPM). If you select this option, a Security Class field

is displayed. Enter the appropriate security class.• Security Class—Copy the security class specified in the EMC RSA Data

Protection Manager product and paste it into this field.

Note: If you change to a new KMIP server, you need to register all certificates with the new server.

KMIP Certificates The Delete button becomes active after a KMIP Client or KMIP Server CA Certificate has been uploaded. If necessary, click Delete to remove the appropriate certificate. If a certificate is not currently uploaded, the KMIP Certificates area shows "No KMIP Server CA Certificate" or "No KMIP Client Certificate."

Upload new KMIP certifi‐cates

Use this section to upload CA and client certificates (X.509 PEM format). Select the certificate type (CA or Client) and click Browse to specify the file. Click Upload Certificate. Following upload, the certificate is listed in the KMIP Certificates area as "KMIP Server CA Certificate" or "KMIP Client Certificate."



High AvailabilityConfiguration > Advanced Settings > High Availability

You can protect your cloud file system in the event of a controller failure by setting up either of these high availability (HA) options:

HA‐Global—Multiple controllers are protected by one or more shared standbys, which can be separated geographically from the controllers they protect.

HA‐Local—An active controller is protected by a dedicated, passive standby. When the active controller fails, the passive standby assumes its identity and takes over operations. The following HA‐Local options are supported:

Local—The active and standby controllers have different hostnames and IP addresses.

Local with shared address

— The active controller and passive standby have an additional shared hostname and IP address, which simplifies the takeover process. (Maximum length of the shared hostname is 15 characters.)

— When using HA‐Local with shared address, only the shared hostname should be joined to Active Directory. The individual controllers in the pair should be configured with the domain (and NetBIOS group) information, but not joined.

— The controllers to be used as standby (HA‐Local or HA‐Global) must NOT previously have been members of the CloudFS, and must not re‐use any prior controller hostname. A repurposed controller must have a new hostname and a new Cloud Controller ID (CCID) number, which is embedded in the License to Operate (LTO).

— If you configure a master filer for HA with shared address, all the subordinates in the CloudFS must point to that address/hostname. If you change the HA configuration with shared address following the initial setup, the AD connections are lost for the subordinates, and they must rejoin the AD domain.

See the following sections for more information about high availability:For a general overview of the high availability feature, see “High Availability” on page 12.

For instructions on setting up HA‐Global or HA‐Local, see “Set Up for High Availability” on page 73.

For instructions on initiating a high availability takeover, see “High Availability” on page 118.

For recommended best practices, see “Best Practices for High Availability takeover” on page 75.



Set Up for High AvailabilityRefer to the following subsections for high availability setup.

Configure HA‐Global

For HA‐Global, do the following as part of the controller initialization process:

1. On the CloudFS page for the master, add the designated standby or standby controllers, specifying Standby as the mode.

2. When you have finished configuring the master, verify that all standby controllers are set as subordinates of the master, and reboot them.

The standby controllers come online, synchronize with the master controller, and configure themselves automatically. As part of the configuration process, the high availability configuration and maintenance pages are added to the Web UI for the standby controllers.

3. Log in to each standby controller and select Configuration > Advanced Settings > High Availability. Click the drop‐down menu for Pre‐cache Target. Select the active controller from which the standby will clone locality rules and click Save.

Setup is now complete. For instructions on initiating a high availability takeover in the event of a controller failure, see “High Availability” on page 118.



Configure HA‐Local

The flow depends on whether shared hostname/IP is used.

Note the following before beginning the configuration: If you have existing HA‐Local pairs that were set up prior to Release 6.3, they won’t show as available for configuration on the High Availability page. You’ll need to continue managing them as in the previous releases.

For HA‐Local with shared hostname/IP, arrange a brief downtime and start with these steps before following the configuration procedure:

— In advance of this procedure, have the shared hostname and IP address for the HA configuration set up up in your DNS server.

— Before creating the HA‐Local pair with shared address, detach the primary controller from the AD domain. When the procedure is complete, you will need to rejoin the active controller, which will be using the shared hostname. (Users will need to reconnect to the shared hostname, or DFS will need to be reconfigured for the new destination.) Do this for the primary controller of every HA‐Local pair with shared address that you are creating.

Configure HA‐Local

1. On the High Availability page for the master, click Add.

2. Select Local or Local with shared addresses as the mode.

3. Select the primary controller from the dropdown list. The primary controller is any controller in the cloudFS that you want to protect.

4. Enter the hostname or IP address of the secondary controller. The secondary controller is the new standby controller designated for takeover if the primary controller is unavailable.

5. By default, the filesystem is set to the selected controller. You can modify this setting if needed.

6. For Local with shared address mode, enter the shared hostname and IP address.

7. Click Add. Repeat this procedure to set up HA‐Local configurations for any other controllers in the CloudFS.

8. Click Save.

9. Go to the Active Directory page of each primary controller of the HA‐Local pairs with shared address, and rejoin the AD domain using the shared hostname. See “Active Directory (Basic)” on page 48.

10. If the master controller of the CloudFS was protected by creating an HA‐Local pair with shared address, update all of the subordinate controllers and standby controllers to use the shared hostname as their master controller. When the master controller fails over, the name that moves is the shared name. Even the standby controller for the master must have the shared name as its master host.



Best Practices for High Availability takeover

SMB/CIFS Environments

The following best practices apply to high availability takeover and restoration:HA‐Local is supported when needing to fail over a system to perform maintenance.

When bringing a repaired controller back online in an HA‐Global environment, use a new hostname and CCID. This requires that you request a replacement license from Panzura. Allow at least ten minutes after the repaired controller boots into standby mode before attempting to shut down the current active unit (approximately 30 minutes from first power on). This is to ensure that the new standby has received any configuration updates and the list of encryption certificates from the active controller.

When bringing a repaired controller back online in an HA‐Local configuration, it will automatically become the standby for the current active controller.

Use Microsoft DFS namespace. This will handle the redirection of clients as part of the takeover.

NFS Environments

The following notes apply specifically to NFS environments:Specify the intr option each time an NFS export is mounted.

Allow NFS requests to be interrupted if the server goes down.

After performing a takeover, go to the client machines and manually unmount the exports from the failed controller and mount the same exports for the now active controller.



Encryption and Certificates (Advanced)Configuration > Advanced Settings > Encryption & Certs

Use this page (Figure 26) to create and register data encryption certificates, and to retrieve encryption certificates from a KMIP server. For information on uploading pre‐created data encryption and web HTTPS certificates, see “Encryption and Certificates (Basic)” on page 41.

If you are using a KMIP server, you can also use this page to register a certificate with the KMIP server, retrieve a certificate from the KMIP server, and create an encryption certificate. For instructions on configuring connection to a KMIP server, see “KMIP” on page 69.



Figure 26 Security (Advanced)

Table 17 Encryption and Certificate Actions (Advanced)

Item Description

Delete a certificate Click the Delete button for the certificate in the Encryption Certificates list.

Register a certificate with the KMIP server

Click the Register button for the certificate in the Encryption Certificates list.The registration process copies the certificates to the KMIP server. PZOS stores both the certificate and private key in one file. When a certificate is copied to the KMIP server, it is split into two parts: a certificate and a private key. These are stored as KMIP secret data objects. For example, if you register a certificate, mycert, the KMIP server stores the registered certificate as: mycert‐cert and mycert‐key.

Create a self‐signed encryption certificate

Specify a name for the certificate and click Create & Register. This creates a self‐signed certificate that lasts for five years (RSA 2048‐bit encryption). The full certificate name is hostname of the cloud controller with the cre‐ation date appended. The created certificate will be registered on the KMIP server.

To view the full certificate name, select Basic Settings > Encryption and Certs, and click View for the certificate.



Active Directory (Advanced)Configuration > Advanced Settings > Active Directory

Use this page (Figure 27) to specify the Active Directory NETBIOS domain and domain controller.

Figure 27 Active Directory Settings (Advanced)

To set the Active Directory configuration, specify the following settings and click Save.

Retrieve a certificate from the KMIP server

Specify the certificate and private key name, and click Retrieve Certificate to retrieve the certificate from the KMIP server. The certificate is added to the Encryption Certificates list on this page.For example, if you previous registered the certificate mycert, enter mycert‐cert and my‐cert‐key and click Retrieve Certificate.

NOTE: If you have a master‐master configuration, any retrieve operation should be done to all masters.

Table 17 Encryption and Certificate Actions (Advanced) (continued)

Item Description

Table 18 Active Directory Settings

Item Description

NETBIOS Domain Enter the short Active Directory (NetBIOS) name used when logging in with Active Directory credentials. The NetBIOS name is most often used when deploying the Panzura controller on a LAN. The NetBIOS name is limited to 15 characters.

Example: NIMBUS‐9 is the NetBIOS name of the Active Directory domain.



Domain Controller (optional)

Enter the name of the preferred domain controller on your network. Example: ad2.panzura.com

To see a list of available controllers, click the magnifying glass icon. As a best practice, leave this field blank.

This optional setting allows you to choose a preferred domain controller. However, configuring this optional field pins the Active Directory server selection. This can result in a scenario where an alternate Active Directory server will not be used when the pinned Active Directory server goes offline.

Table 18 Active Directory Settings (continued)

Item Description



Joining an Active Directory Read Only Domain ControllerThe Active Directory Read Only Domain Controller (RODC) deployment mode is a common approach for providing remote site AD services. As the name suggests, the controller is read only and provides a level of security and protection against unauthorized changes.

Adding any device, such as a cloud controller, to an RODC requires the use of a Read Write Domain Controller (RWDC). The following steps add the cloud controller to the RODC.

1. From the cloud controller, join the RWDC. See “Active Directory (Basic)” on page 48.

2. From the RWDC:

— Use the following command to obtain the fully qualified domain name (FQDN) of the controller.dsquery computer -name <cloud controller hostname>

— Use the following command to force replication of the cloud controllers account credentials to the RODC.REPADMIN /RODCPWDREPL <RODC-HOSTNAME> <FQDN of controller from previous command>

3. Verify that the machine name appears in the AD User and Computers list on both the RWDC and RODC.

4. On the RWDC, use the following command to allow the RODC to authenticate the cloud controller.net localgroup "Allowed RODC Password Replication Group" <cloud controller NetBios name>$ /add

This completes the process of adding a cloud controller to an Active DIrectory RODC. Select Configuration > Basic > Active Directory page in the Web UI to display the name of the RODC the controller has joined.

NoteSometimes samba (winbindd) keeps the connection to RWDC (used for domain join) for a brief period. Eventually at the next winbindd discovery, the Cloud Controller will establish connection with its site local RODC.

SMB (Advanced)Configuration > Advanced Settings > SMB

NoteFor additional information on SMB/CIFS settings, see “SMB (Basic)” on page 54. This page is visible only if the CIFS license is installed.

Use this page to do the following:Specify the SMB signing setting.

Enable Access‐Based Enumeration (ABE).

Configure global real‐time collaboration. If a new application is introduced into a cross‐site collaborative environment and there are issues when users attempt to open the file soon after someone has closed it, you can enable this feature, which may take care of the problem. You add file



extensions to the real‐time collaboration list. If a file extension is in the list, the controller ensures that users who open files with that extension always open the latest version.

Use this feature sparingly because it adds additional operations for the controller. With many cross‐site collaborative users opening numerous files, the network traffic to handle read consistency and additional load on the controllers CPU should be closely monitored.

Figure 28 SMB Settings (Advanced)


Table 19 SMB Settings (Advanced)

Item Description

SMBv1 Environments that no longer require SMBv1 can disable it with this set‐ting. Microsoft originally made SMBv1 available in the mid‐1990s as an IP capable network communications protocol for use between Windows cli‐ents and file servers. In 2013 Microsoft announced its intent to remove SMBv1 from future products, as it has been replaced by SMBv2.



SMB Signing Select an option for SMB signing. SMB signing is a security signature mechanism that can improve the security of the SMB protocol for Win‐dows systems. The SMB options are:• Off—SMB signing is not supported between the client and controller.

The controller will reject signed session requests from clients.• Auto—By default, the controller expects clients to use signed SMB ses‐

sions. If the client does not support SMB signing, the client responds with a message to that effect and the controller allows a non‐signed SMB session for that client.

If your company enforces SMB signing at the client, and you are having connectivity issues, consider setting SMB signing to Auto.

Access‐based enumera‐tion

Select whether to enable Access‐Based Enumeration (ABE). ABE is an administrative capability available to environments using Microsoft clients with shared files and folders. When enabled, users see only the files and folders they have permission to access. If a user does not have read per‐mission for a specific folder, Windows hides the folder from the user's view.

For example, ABE allows you to limit users to see only their personal home directory when they access the home directories shared folder.

Hide CloudFS Share When this option is set to Yes, the root shares are no longer visible. The following options are available for creating a new share in this scenario.• The CloudFS share can be made visible temporarily while the new

share is added. Change this setting to No and then create the new share. After the new share is created, you can hide the CloudFS share.

• While the /cloudfs share is hidden it remains possible to perform administrative tasks. To do this, replace /cloudfs with /ADMIN$. The following example illustrates how to create a folder in /cloudfs/ccname when the /cloudfs share is hidden.

a. Map the /cloudfs network drive using the path /ccname/ADMIN$.

b. Open the folder /ccname/ADMIN$. Create a folder with ccname as its name.

c. Open the folder ccname. Create a folder using the same name you want to use for the network share.The complete path to the share is /ccname/ADMIN$/ccname/sharename. This is equivalent to /ccname/cloudfs/ccname/sharename. The UNC path, which users need to map the share is \\ccname\sharename.

Alternatively, if the share /cloudfs/<ccname> has previously been created, it can be used to create shares for end users. Although the share is not visible, it remains fully functional for this purpose.

Table 19 SMB Settings (Advanced) (continued)

Item Description



Global Real‐Time Collab‐oration Note: Use this feature sparingly because it adds additional operations for the

controller. With many cross-site collaborative users opening numerous files, the network traffic to handle read consistency and additional load on the controllers CPU should be closely monitored.

Do the following to set up and manage global real‐time collaboration:

1. Click Add an application.

2. Enter a name to identify the application. The application name is for user reference only. The controller identifies the application by file extension.

3. Enter the file extension for the application file type (example: .xlsx). Use spaces to separate multiple extensions.

4. Click Save to save and start the collaboration process.

You can also select one or more entries from the Global Real‐Time Collab‐oration list and do the following:• Click Edit Selected to edit the entries.• Click Delete Selected to remove the entries.• Click More and enable or disable global real‐time collaboration.• Click More and select Export Selected to share the settings with oth‐

ers.• Click More and select Import to import settings that were exported

from another controller.

Technical Preview: GEOPAK Cross‐site CollaborationThe 6.3 release includes an enhancement that is required when multiple users across different sites use GEOPAK. In cross‐site configurations the application requires the ability to communicate and coordinate where each user is making edits. Byte‐range locking makes this possible. The Read File Consistency feature described above can be used to enable byte range locking for GEOPAK.

To enable cross‐site collaboration for GEOPAK, select Geopak from the application list, click More and selected Enabled Selected. Click Save.

Table 19 SMB Settings (Advanced) (continued)

Item Description



Snapshot ManagerConfiguration > Advanced Settings > Snapshot Manager

Use this page to view the list of user snapshots that have been created and to create a single, unscheduled snapshot manually. Table 20 describes the settings on the page.

Figure 29 Snapshot Manager

Table 20 Snapshot Manager

Item Description

Create Snapshot Click Create Snapshot. Enter a name to identify the snapshot, and click Add.

Delete Snapshot Select one or more snapshots and click Delete Selected. You cannot delete system‐managed snapshots.



CacheConfiguration > Advanced Settings > Cache

This page contains settings for the intelligent read cache. Table 21 describes the settings on the page. Work with Panzura support before you consider modifying these settings from the system defaults.

Figure 30 Cache Settings


Table 21 Cache Settings

Item Description

Intelligent Read Cache Enable or disable the intelligent read cache.

Percent of Storage for Cache

Enter the percentage of storage that is reserved for cache. The default is 40%, which is the maximum recommended value. Work with Panzura Support before changing this value.

Cache all on Cloud Read Select whether to enable or disable caching for read operations. Default is enabled.

When a client requests to read a block of data, the controller fetches the drive file, selects the block, and returns it to the client. Typically the entire drive file is kept in memory cache for a few seconds or minutes before being flushed.

When the cache all on cloud read option is enabled, the entire drive file will persist in the cache until it is forced out, possibly for days or weeks.

This feature can reduce the number of cloud reads required for files that are being frequently accessed by clients. The only potential downside is that other data in the cache will be flushed more frequently.



Data Locality SettingsConfiguration > Advanced Settings > Data Locality Settings

NoteThis page is visible only if the data locality license is installed.

Use this page to create policies to govern what data is cached locally on the controller.

The controller includes Intelligent Read Cache (IRC), which is designed to provide LAN speed access to data stored in the cloud. Data locality further enhances IRC by allowing you to select specific files and data blocks to be continuously cached locally in the controller.

Data Locality Settings consist of policies and rules within a policy. Policies can act on local or remote file systems and provide automated caching, or pinning, of file data. You can create one data locality policy for each file system and each policy can have multiple rules within the policy.

Panzura recommends using the auto cache action with prepopulate enabled. This ensures that files are available in disk cache for end users. Prepopulating makes the data available without forcing a reduction in cache.

Pinning allows an administrator to forcefully localize (pin) data in the cache within a controller to provide guaranteed LAN speed performance. Because pinning consumes cache space, it should be considered only if needed for performance, with the trade‐off between performance and cache space kept in mind.

Local and Remote File Systems

A controller can have a local file system and multiple remote file systems. The local file system on this page refers to the controller name in CloudFS.

When file systems are synchronized in CloudFS, a copy of the metadata for each local file system on a controller is copied to the other controllers (Figure 31). The metadata stored on the other controllers is called the remote file system. Remote file system synchronization causes the controller to receive the metadata updates in CloudFS.

Figure 31 Local and Remote File System Synchronization

Because a local file system has the same name as the controller name, you can tell if a file system is local by comparing its name with the controller name shown at the top of the page (Figure 32).

Controllercc-a

cc-a cc-acc-b cc-b

RemoteLocal Remote Local

Controllercc-b



Figure 32 Local File System



Setting Up Data Locality

The following figures show the Data Locality page and the following table describes the tasks and settings on the page.

If the system is running and policies are operating, the table at the bottom of the page provides statistics on the rules. For example, the Data Hits column shows the frequency at which the policies are triggered.

Figure 33 Data Locality Settings Top Area ‐ Add a Policy

These fields are displayed forAdd a Policy



Figure 34 Data Locality Settings Bottom Area ‐ Add a Rule

These fields are displayed forAdd a Rule



After setting values, click Save to activate the settings.

Table 22 Data Locality Tasks

Item Description

Add a policy Click Add a Policy, specify the new policy in one of the following ways, and click Add:• Enter a policy name in the Add a New Policy Name field, and select a

default action from the following:—Auto cache. This is the standard behavior of the controller. The con‐

troller will evict blocks of a file as needed to accommodate new data.

— Pinned. This action effectively applies a ’last out’ policy to data. It will avoid evicting data unless the cache is full and new priority data is being ingested. Pinned data will be evicted only as a last resort after other data to maintain normal operations.

If you choose pinned as the default action, the only way to unpin is to specify the auto cache in a rule.

Note: We recommend that you keep the default action as auto cache and then use rules to assign pinning.

• Select a file system on which to base the policy from the Filesystem dropdown list, and select a policy from the Select a Policy dropdown list. This option allows you to reuse the rules from another policy when creating a new one.If you have multiple controllers in the cloud file system, the Filesystem dropdown list has multiple entries. In this case, you must decide where to apply the policy: to the local controller’s file system, or to a remote controller’s file system on this local controller. See Figure 31.For example, assume that you have nodes at site A and B. You are working from site A, but the data of interest is on site B. For the policy, select the controller B file system from the dropdown. Then when data is written to the remote file system, it is also localized on controller A.

Edit a policy After a data locality policy is created, you can edit the default action by selecting from the Action dropdown list .

Remove a policy Click the Delete icon to delete a policy.



Rescan a filesystem Click the Rescan icon to the filesystem, applying the policy. A dialog box opens to show the following options. Select an option and click Rescan Now to start the scan.• Entire File System. Initiates a full scan of the specified filesystem and

applies the rule.• Partial Rescan. Provides the ability to selectively apply the rule based

upon specified criteria, which can be a specific path, and/or a date range.

Note: The rescan process consumes resources on the controller. If possible, rescan for the policy at off-peak times.


Item Description



Add a rule 1. Click Add a rule.

2. Enter a rule expression.

The rule syntax is based on glob programming, with the available actions or auto cache or pinning added to a glob expression. The rules are case sensitive.

The controller supports the following types of glob expressions (examples are included):

— Match a directory path, which always begins with the filesystem.If the filesystem for the policy is \cloudfs\cc1‐ca, then homedir/sampledir/* matches anything in the sampledir directory under /cloudfs/cc1‐ca/homedir

— Match anything in a specified directory from any directory path.*/sampledir/* matches any path that includes a sampledir directory, such as ../homedir/sampledir/*, ../temp/sampledir/*, or ../Dept/Sales/sampledir/*

— Match one unknown character. ?at matches Cat, cat, Bat or bat.

— Match any number of unknown characters. Sys* matches Sys or System

— Match a characters as part of a group of characters. [CB]at matches Cat or Bat but not cat or bat

— Escape character. Sys\* matches Sys*, does not match Sys\*

For example, if you enter *.xls and the select Pinned as the action, the rule pins all files with a .xls extension.

3. Choose a rule action from the dropdown list:

—Auto cache. This is the standard behavior of the controller. The con‐troller will evict blocks of a file as needed to accommodate new data.

—Deny. When this action is selected, the creation of files with names matching the glob expression are not allowed for that filesystem. For example, if you enter *.mp3 and the select Deny as the action, the rule does now allow writing of any files with a .mp3 extension.

—Do not cache. The action effectively applies a ’first out’ policy to the data. Data is cached, but will be evicted first before other data if space is required in the controller, regardless of the type of data.

— Pinned. This action effectively applies a ’last out’ policy to data. It will avoid evicting data unless the cache is full and new priority data is being ingested. Pinned data will be evicted only as a last resort after other data to maintain normal operations.


Item Description



Bandwidth LimitConfiguration > Advanced Settings > Bandwidth Limit Settings

Use this page (Figure 35) to set policies that limit bandwidth during specified periods. Using bandwidth limits can ensure that the controller does not affect network availability for other users when the controller is communicating with the cloud to store or retrieve data. Panzura recommends that you set a bandwidth value for optimal cloud performance that the controller can use for automatic tuning.

Bandwidth limits applyto WAN Cloud Storage write operations (egress packets written to the cloud).

to WAN Cloud Storage read operations (ingress packets read from the cloud).

for an inline deployment, bandwidth limits apply only to the GB2 (WAN) network interface.


4. Indicate whether to prepopulate the specified files into the IRC whenever the rule is triggered. If you choose Prepopulate (which is recommended), files are cached but not pinned, so they can be evicted by the system if needed. This option is useful for performance optimization for reads when you don't want to forcefully consume cache space with pinning.

5. Indicate whether to apply deduplication to the data. This option controls deduplication for files that match the rule expression. If you specify No, deduplication is disabled for those files. Setting this option overrides the global deduplication setting and allows you to optimize deduplication at a fine‐grained level. For example, If you enabled deduplication globally on the Cloud FS page (“CloudFS” on page 46), you can override that setting for mp3 files by specifying a rule for mp3 files and setting dedup to No.

6. Click Add to save the rule and display it in the rule list.

Because rules are considered in the listed order, you might want to change the rule order. Click the arrow in the Move column to move an entry up or down in the list. To remove a rule, select it and click Delete Selected.


Item Description



Figure 35 Bandwidth Limit Settings


Table 23 Bandwidth Limit Settings

Item Description

Enable Select the checkbox to activate that policy. You can specify and activate up to five policies. If the conditions for a specific policy are met, then all of the following policies are ignored.

From DayTo Day

Select the days of the week to start and end the rate restriction.

For example, if you specify the range Monday through Thursday, then on Monday, Tuesday, Wednesday, and Thursday, the specified limit applies for the specific time period.

Hour Select the hour of the day start and end the rate restriction.

Bandwidth (Mbps) Enter the maximum bandwidth that is permitted during the period. Maxi‐mum is 1000 Mbps (default).



SNMPConfiguration > Advanced Settings > SNMP Settings

Use this page to specify the SNMP community string and trap settings. Figure 36 shows the page, and Figure 37 shows the additional settings for SNMPv3, which support an encrypted authentication channel. Table 24 describes the settings on the page.

In addition to the SNMP settings on this page, the controller supports the UC Davis MIB objects, which are available at: http://www.net‐snmp.org/docs/mibs/ucdavis.html

Figure 36 SNMP Settings


http://www.net-snmp.org/docs/mibs/ucdavis.html

http://www.net-snmp.org/docs/mibs/ucdavis.html


Figure 37 SNMP Settings (SNMPv3)


Table 24 SNMP Settings

Item Description

Community String Enter the community string for communication between the controller and the trap receiver. If you specify a custom community string, the public community string is disabled.

SNMP Trap Enter the IP address and community string for up to two trap receivers.

Trap Threshold Settings Enter the usage thresholds (percent) that will trigger SNMP trap messages of particular types: CPU usage, memory usage, disk usage, and Cloud usage. The controller generates SNMP traps of the specified type if the usage meets or exceeds the threshold.

The thresholds are useful to alert network administrators that additional capacity might be needed soon. For example, if you have 10 TB storage capacity in the cloud, you might want to set a threshold at 7.5 TB so that an SNMP trap is sent when that level is reached.



SNMP informationThe following table provides SNMP MIB, trap, and OID information.

Monitoring recommendationsThe amount of CPU load placed on a controller is measured in terms of the number of processes that are ready to run and in the queue awaiting CPU resources. These are the recommended thresholds by model. This is OID .1.3.6.1.4.1.32853.1.3.1.1.1.

For 28xx models:When above 320, monitor closely

When above 400, look into it

When above 800, take action

For 40xx models:When above 640, monitor closely



For the 5100 model:When above 480, monitor closely



Table 25 SNMP Information

Description Name Used in MIB Type OID

CPU Usage averaged over the previous 5 minutes. Measures the number of processes waiting for cpu resources.

cpuLoad Sensor .1.3.6.1.4.1.32853.1.3.1.1.1

pzCloudControllerHigh‐CPUUsage

Trap .1.3.6.1.4.1.32853.1.2.1.2.1000

Memory Usage at the time of the measurement in KB.

memUsed Sensor .1.3.6.1.4.1.32853.1.3.1.2.1

pzCloudControllerHighMemoryUsage

Trap .1.3.6.1.4.1.32853.1.2.1.2.1001

Disk Usage at the time of the measurement in KB.

localHDUsed Sensor .1.3.6.1.4.1.32853.1.3.1.3.1

pzCloudController‐HighD

Trap .1.3.6.1.4.1.32853.1.2.1.2.1002

Cloud Usage at the time of the measurement in KB.

cloudStiskUsageatsUsed Sensor .1.3.6.1.4.1.32853.1.3.1.4.1

pzCloudControllerHighCloudUsage

Trap .1.3.6.1.4.1.32853.1.2.1.2.1003

HA‐Local active controller failure notification

Sensor

pzTrapActiveDown Trap .1.3.6.1.4.1.32853.1.2.1.2.1006



For the 5300 and 5500 models:When above 960, monitor closely



For controllers operating in virtualized environments, such as VMware ESXi or Amazon Web Services, first determine the number of CPU cores assigned to the controller. When 4 cores are assigned, use the values given for the 28xx models. For larger number of cores, scale the values upward.

For example, a controller operating within AWS can have 8 cores. To scale the values, first divide the number of cores by 4 to get 2. Next, multiple this by the values for the 28xx models. The CPU load recommendations become (2*320=640), (2*400=800), and (2*800=1600).

LoggingConfiguration > Advanced Settings > Logging Settings

Use this page to specify a remote server to receive syslog messages from the controller event log. Table 26 describes the settings on the page and Table 26 lists the syslog message categories.

Figure 38 Syslog Settings




The following table provides a list of list of syslog message categories. When using syslog to monitor for events needing attention, Panzura recommends monitoring for LOG_EMERG, LOG_ALERT, and LOG_CRIT. LOG_EMERG and LOG_ALERT messages typically represent conditions requiring immediate attention. LOG_CRIT events represent events that can become EMERG or ALERT if not addressed.

Table 26 Syslog Settings

Item Description

Syslog Server Enter the IP address or hostname of the syslog server.

Logging Level Select the minimum level of messages to send to the server. The selected level and all higher levels are sent. For example, if you specify Error, then messages of type Error, Critical, Alert, and Emergency are sent.

Trace Log Select the minimum level of messages to send to the server. The selected level and all higher levels are sent. For example, if you specify Error, then messages of type Error, Critical, Alert, and Emergency are sent.

Add an Application Click Add an Application to specify the services to be logged in addition to the standard syslog logging. Select a service and a trace level, and click Add. Add additional entries as needed. To delete an entry, select it and click Delete Selected.

Table 27 Syslog Message Categories

LOG_INFO Informational messages.

LOG_NOTICE Conditions that are not error conditions, but should possibly be handled spe‐cially.

LOG_WARNING Warning messages.

LOG_ALERT A condition that should be corrected immediately, such as a corrupted system database.

LOG_ERR Indicates a general error for general notification. Can occur often even on a con‐troller that is operating normally.

LOG_CRIT Critical conditions, such as hard device errors.

LOG_EMERG A panic condition. This message is normally broadcast to all users.

LOG_DEBUG Messages that contain information normally of use only when debugging.


4 CloudFS Map View
This chapter describes the CloudFS Map view (CloudFS UI), which lets you see the health of the overall controller network.
“Using the CloudFS UI” on page 100

“Google map” on page 101

“Information windows” on page 104

“Site to site connectivity” on page 106

“Monitoring details” on page 108

Using the CloudFS UIThe CloudFS UI provides a graphical view of all the configured controllers. It displays the current synchronization status and allows you to step back in time to see behavior of the following statistics:

Cache status – Amount of cache space used (bytes).

Sync status – Synchronization delay (minutes, hours, or days).

Cloud status – Number of cloud I/O operations (upload and download).

SMB users – Number of clients connected to CloudFS.


Chapter 4 | CloudFS Map View

CloudFS UIThe following figure shows the CloudFS UI. The UI includes a Google maps image of the geographical area containing the controllers along with custom controls.

External controls

The following controls are external to the Google maps interaction:Time control. Allows you to keep the 1 minute refresh or turn automatic refresh off (1 minute is default).

Update now. Click to update the map and associate data on demand.

Google mapThe Google Map image shows the controllers based on their site location entered in the System Settings (Basic) page of the Web UI. You can specify a location using any method accepted by Google maps, including address, city, or latitude/longitude. Google Maps places markers on the map at the correct location.

Tip: When you have a map view that you like, save it as a bookmark in your browser. When you reopen the page using the bookmark, the zoom level, pan position, selected statistics, and site‐to‐site filter are all preserved; however, the time on the slider is reset to the current time.



When the map is loaded initially (or CloudFS tab is clicked), the zoom level is adjusted automatically and centered so to show all the controller markers on the map. You can zoom in and out, pan, change between satellite and map view, or do other functions supported in Google Maps.

Each controller has an icon that shows its function. The color of the icon marker indicates the highest event severity during the selected hour.

The map also displays these additional icons and properties.

Determining the location of a controller on the mapThe location of each controller is derived from the information entered in Location field on the Configuration > Basic Settings > System Settings page (“System (Basic)” on page 32).

The controller sends the specified location to Google to obtain the corresponding latitude and longitude and stores the information for use in the CloudFS UI. In some cases, however, this process doesn’t work. For example, if the controller is in a private cloud and the network doesn’t include a router to reach

Master controller

Subordinate controller

Standby controller

Blue bubble The controllers are currently synchronized, or they aren’t cur‐rently synchronized, but an estimate of the time to synchronize is displayed. The estimate is displayed in the bubble.

Red bubble The current trend shows increasing lags in synchronization, and no estimate can be provided.

Cluster When controllers are too close together to be viewed individu‐ally on the map at the current zoom level, they are shown with an icon that represents a cluster and shows the number of con‐trollers in the cluster.

Group icon When multiple controllers are at the same location, the map displays a group icon, regardless of the zoom level.

Expanded group icon

Click a group icon to show the individual icons that indicate the type of controller.



Google, the address is not translated into latitude and longitude and the controller is not displayed in the correct location on the map.

In this situation, you can obtain the latitude and longitude independently (from a site such as http://www.latlong.net/Show‐Latitude‐Longitude.html), and specify the values in the Location field on the System Settings page.

The setting must be entered in the format given in the following example, including the square brackets. After the entry is saved, the controller is able to use the values to place the controller on the map.

[latlng=37.279463,‐121.943682]

History barThe history bar area contains controls that allow you to look at selected statistics for any selected time in the past two weeks. Examining statistics and different times allows you to establish the status and health of the subcomponents at those times and can provide insight to help analyze problems that occurred.

The slider bar lets you move back and forth in time to select a time of interest.

The map time corresponds to the time selected with the slider bar.

The statistics selector allows you to display status for a specific statistic. Click the arrow to show or hide the options. Click the name of an option to see the list and select another.

The statistic count history shows a count of the selected statistic at each point over the past two weeks, corresponding to the slider bar. For example, the history chart in this figure shows the highest number of clients connected to the system (SMB users) between 6 and 8 days ago.


http://www.latlong.net/Show-Latitude-Longitude.html

http://www.latlong.net/Show-Latitude-Longitude.html


Information windowsWhen you click a controller icon on the map, an information window opens. The information in the window varies according to the type of statistic selected in the history area.

The following figure shows example information windows for the cache status, sync status, cloud status, and SMB users statistics.

The data is based on the following criteria. For information on viewing additional details, see (see “Monitoring details” on page 108.

Heat mapsHeat maps give additional information about the selected statistic and associated events.

The chart in the history area shows aggregate counts for a statistic, but not the distribution of the statistics across the managed controllers. That information is provided by the heat maps.

Chart type Criteria for heat map

Cache Status Cache space used, based on pinned files and user data

Sync Status Deficit (number of snapshots behind the latest snapshot)

Cloud Status Total cloud upload and download failures (failure count)

SMB Status Total number of SMB users



In this example, the selected statistic is cache status.

In this example, for the SMB users statistics, all clients are connecting to the Louisiana controller.

The heat map color gradient indicates intensity, as measured by the count of the selected statistic. Higher counts are indicated by a larger portion of the heat map in darker blue and yellow (highest counts). In this example, the controller in Los Angeles has a higher statistics count than the controller in Texas. The diameter of the heat map is always the same, but the intensity varies with the statistic count.



The data for the heat maps is based on the criteria listed in the information windows (see “Information windows” on page 104.

Site to site connectivityThe Site to Site control on the CloudFS map lets you examine the state of the links between controllers. Click the icon on the left of the Site to Site Propagation Time bar to display the available settings.



Select a source hostname or IP address and a destination. Click OK to shown the links between the specified controllers.

The link lines are color‐coded based on site‐to‐site latency, as follows: grey ‐ unknown or data not available

green ‐ between 0 to 175ms

yellow ‐ between 176 to 250ms

red ‐ above 250ms

Hover over a link to display details about the link, as shown here.



Monitoring detailsYou can view monitoring details for a selected status type (cache status, sync status, cloud status, or SMB status) by clicking the bar chart icon in an information window (see “Information windows” on page 104). The Monitoring page opens to show data on the selected status type (for example, the following figure shows data for cache status).

The following controls are available on the Monitoring page:Metrics. The available metrics are listed in the legend below the chart. Click a particular metric to toggle its display on or off.



Time range. Click to specify a time range.

Show events. Select the check box to show events on the chart. You can show all events, or just the info, major, or critical ones. Move your cursor over an event on the chart to display its details.

Contains. Enter text to filter the events that displayed.


5 Maintenance
This chapter describes Maintenance operations and includes instructions for performing maintenance operations on the Panzura controller.
See the following sections:“Diagnostics” on page 110

“High Availability” on page 118

“SMB Dashboard” on page 122

“SMB Users” on page 124

“Secure Erase” on page 124

“CIoudFS” on page 125

“CloudFS File Browser” on page 126

“Cloud Metrics” on page 129

“NFS” on page 132

“Master Snapshot” on page 132

“Cloud Delete” on page 135

“Image Upgrade” on page 136

“Reboot” on page 137

“Support” on page 138

“Password” on page 139

“Advanced” on page 141

DiagnosticsMaintenance > Diagnostics

Use this page to use packet capture tools and run diagnostic commands.Packet capture tools—Capture packets on the Ethernet ports. You can select to capture all packets or restrict the capture to TCP or UDP packets. The captured packets are saved into a file that you can download and send to Technical Support.

Diagnostic tools—Execute network, controller‐specific , and cloud diagnostic commands.

Performance Test tools—Execute Iperf commands to test network performance.


Chapter 5 | Maintenance

Figure 39 Maintenance > Diagnostics



Packet CaptureMaintenance > Diagnostics

To capture packets:

1. Select the type of packet capture from the dropdown list (see Table 28).

2. Select the interface (gb1 or gb2).

3. Click Start to start packet capture.

4. Click Stop to stop packet capture.

To download the captured packets in a file, select Maintenance > Support and click Download Support Log.

Diagnostic ToolsMaintenance > Diagnostics

To use the diagnostics tools:

1. Select a command from the dropdown list (see the following table for a list of commands, with some example options and output).

2. Click Run to display the command output, or show the available options, if the command includes options.

For example, in the following figure, clicking Run for the cdiag‐switch command displays the options.

Table 28 Packet Capture Operations

Item Description

pkt‐capture Capture TCP and UDP headers and packet.

pkt‐capture‐tcp Capture TCP headers and packet.

pkt‐capture‐udp Capture UDP headers and packet.

pkt‐capture‐header‐only Capture TCP and UDP headers.

pkt‐capture‐tcp‐header‐only Capture TCP headers.

pkt‐capture‐udp‐header‐only Capture UDP headers.



Figure 40 Sample Diagnostics Tools Output

In the following figure, including the on option for the cdiag‐switch command executes the command.

Figure 41 Sample Diagnostics Tools Output

Table 29 Diagnostics Tools Commands

Item Description

diag‐ad‐history Displays results of the authentication check that is done every 10 minutes. The results are a condensed and analyzed version of the Active Directory history log file.

cdiag‐report Displays data dump (same as data dump on the Cloud Metrics page). See “Cloud Metrics” on page 129. Example: cdiag‐report tail



cdiag‐switch Turns cloud diagnostics on or off. Enter on or off. Diagnostics must be on to use the cloud metrics tools. See “Cloud Metrics” on page 129. This set‐ting does not survive a reboot. Example: cdiag‐switch on

cloud‐connect‐test Displays license and connection information based on the cloud license that is loaded, including success, failure, and what ports are open or closed. If the cloud connect is successful, you can perform cloud‐upload‐test.

cloud‐runtime‐stat Displays runtime statistics. Useful mainly for uploads. The statistics for download are not as useful because pre‐fetch is used. For download, you may see failures occur even if status is OK, because the system is looking for future snapshots that do not exist.

cloud‐upload‐test Tests the connection to the cloud.

diag‐ad‐config Displays the status of the Active Directory connection (joined or not).

layer‐four‐traceroute Sends a Layer 4 traceroute command to the specified IP address and optional port number.Example: layer‐four‐traceroute‐gb2 10.3.3.3:443

layer‐four‐traceroute‐gb2 Sends a Layer 4 traceroute command to the specified IP address and optional port over the GB2 interface (cloud facing).Example: layer‐four‐traceroute 10.3.3.3:443

mark‐remote‐disable Disables remote file marking.

mark‐remote‐display Displays the current setting for remote file marking.

mark‐remote‐enable Enables remote file marking.

nslookup Obtains information about a host.Example: nslookup host5

pchar Displays information on bandwidth latency and loss between the control‐ler and the specified system. Example: pchar 10.3.4.5

ping Sends an ICMP ping command to the specified IP address.Example: ping 10.3.4.5

ping‐gb2 Sends an ICMP ping command to the specified IP address over the GB2 interface (cloud facing).Example: ping‐gb2 10.3.4.5

repair‐ad‐config Reinitialize the SMB/CIFS services. Note that issuing this command results in connection loss. This command does not provide any output.

restart‐smb‐service Restarts the SMB/CIFS service.

restart‐grw Panzura support use only.

run‐cmd Executes a CLI support‐level command. CAUTION: These commands should be executed only under the direction of Panzura support. Any misuse could void your warranty.

Table 29 Diagnostics Tools Commands (continued)

Item Description



search‐log Allows you to search the system log for the specified keyword.Example: search‐log AUDIT

show‐cfg‐error Displays configuration errors.

show‐dp‐data Panzura support use only.

show‐dp‐list Panzura support use only.

show‐dp‐stats Panzura support use only.

show‐fs‐list Lists all of the local and remote CloudFS file systems.

show‐fs‐snapshot Lists information about current snapshots.

show‐interface Displays interface information.

show‐inventory Displays the current PZOS version and the hardware configuration that was originally shipped.

show‐log‐config Displays information about config changes.

show‐log‐tail Displays contents of system message logs. If you are using the EAP capability, you can display the logs by using the command: show‐log‐tail /var/log/avquarantine

show‐malloc‐stats Displays virtual memory allocation.

show‐pktcap‐list Displays results of any previous packet capture.

show‐pktcap Displays the contents of pcap file for the most recent packet capture.

show‐pktcap‐hex Displays the hex dump of the pcap files for the most recent packet cap‐ture.

show‐pktcap‐host Displays the host information for the most recent packet capture.

show‐pktcap‐icmp Displays the ICMP information for the most recent packet capture.

show‐pktcap‐list Displays the list of existing packet captures.

show‐pktcap‐tcp Displays the TCP information for the most recent packet capture.

show‐pktcap‐udp Displays the UDP information for the most recent packet capture.

show‐pool‐iostat Shows current file system stats for read and write IO operations and band‐width usage.

show‐pool‐list Displays information about used and free space. Information is the same as in the Dashboard, but in raw form.

show‐pool‐status Displays information about drive availability and cloud license.

show‐route Displays route table information.

show‐system Displays system and file information.

show‐vm‐stats Displays virtual memory status.

show‐zfs‐properties Panzura support use only.

show‐zone‐stats Panzura support use only.


Item Description



Performance Test ToolsMaintenance > Diagnostics

The performance test tools measure bandwidth and link quality for the connection between the controller and the cloud. The controller is treated as a client when you specify another server or controller.

To measure performance:

1. Select the type of performance tool from the dropdown list.

2. Specify details for the test in the text area.

— To run a test with the controller as a server, select iperf‐server‐tcp‐start to start the test and iperf‐server‐stop to stop the test.

— To run a test with the controller as a client, select iperf‐client‐tcp and enter the hostname or IP address of another server or controller.

3. Click Run.

4. Click Stop when you are ready to stop the packet capture.

show‐system Shows a snapshot of the system resources, including load, CPU, and mem‐ory usage and the top running processes.

smb‐add‐gcfg Panzura support use only.

smb‐clr‐gcfg Panzura support use only.

smb‐debug Panzura support use only.

smb‐dsp‐gcfg Panzura support use only.

smb‐regen‐machine‐secret Panzura support use only.

traceroute Sends a traceroute command to the specified IP address.Example: traceroute 10.3.3.3

traceroute‐gb2 Sends a traceroute command to the specified IP address over the GB2 interface (cloud facing).Example: traceroute‐gb2 10.3.3.3


Item Description



Results are displayed in the Diagnostics Output area (Figure 42).

Figure 42 Sample Performance Tools Output

Output examples

This example shows output from client controller vmcc92.Diagnostics[57529]: Firewall is temporarily disabled to allow diagnostics operation and shall be enabled when operation is completed automatically.------------------------------------------------------------Client connecting to vmcc94, TCP port 5001TCP window size: 65.0 KByte (default)------------------------------------------------------------[ 4] local 10.199.10.92 port 45867 connected with 10.199.10.94 port 5001[ ID] Interval Transfer Bandwidth[ 4] 0.0- 5.0 sec 436 MBytes 731 Mbits/sec[ ID] Interval Transfer Bandwidth[ 4] 5.0-10.0 sec 416 MBytes 698 Mbits/sec[ ID] Interval Transfer Bandwidth[ 4] 10.0-15.0 sec 369 MBytes 619 Mbits/sec[ ID] Interval Transfer Bandwidth[ 4] 15.0-20.0 sec 312 MBytes 524 Mbits/sec[ ID] Interval Transfer Bandwidth[ 4] 20.0-25.0 sec 401 MBytes 673 Mbits/sec[ ID] Interval Transfer Bandwidth[ 4] 25.0-30.0 sec 359 MBytes 603 Mbits/sec[ ID] Interval Transfer Bandwidth[ 4] 30.0-35.0 sec 433 MBytes 727 Mbits/sec



This example shows output with the vmcc94, controller acting as the server.

Diagnostics[46450]: Firewall is temporarily disabled to allow diagnostics operation and shall be enabled when operation is completed automatically.------------------------------------------------------------Server listening on TCP port 5001TCP window size: 64.0 KByte (default)------------------------------------------------------------[ 5] local 10.199.10.94 port 5001 connected with 10.199.10.92 port 33313[ ID] Interval Transfer Bandwidth[ 5] 0.0-120.2 sec 9.09 GBytes 650 Mbits/sec[ 6] local 10.199.10.94 port 5001 connected with 10.199.10.92 port 45867[ ID] Interval Transfer Bandwidth[ 6] 0.0-120.0 sec 9.46 GBytes 677 Mbits/sec

High AvailabilityMaintenance > High Availability

NoteThis menu item is only visible on standby systems where High Availability has been previously configured.

On a standby controller, use the High Availability maintenance page to view synchronization status and to initiate a takeover for an active controller that is down.

Figure 43 High Availability



Viewing Synchronization StatusThe Sync Status section lists filesystems and associated snapshot activity, which you can use to assess conditions prior to takeover. For each filesystem, the table shows the ID for the last generated and last received snapshots, along with the timestamp of the last received snapshot and the current filesystem status.

If there is a discrepancy between the last generated snapshot and the last received snapshot, it might take a longer time to synchronize following takeover, or some data might become orphaned.

If you observe any discrepancy, you can obtain additional information by referring to the Active Controller Sync Status section of the Dashboard (see “Multi‐Site Topology” on page 21). In addition to snapshots generated and received, the Active Controller Sync Status section also reports on snapshots uploaded.

If there is a significant difference (> 50) between the values of uploaded and received snapshots, it will take longer for the standby controller to synchronize and become active.

If there is a difference of more than 1 or 2 between the generated and uploaded snapshots, some data might become orphaned as a result of the takeover.

TakeoverThe takeover process applies to HA‐Local and HA‐Global configurations.

Takeover for HA‐Global

For HA‐Global, the process works as follows. For the example, assume that the active controller is star‐01 (IP address 10.16.0.111) and that the standby controller is star‐03 (IP address 10.16.0.113).

1. The active controller (star‐01) is determined to be down.

2. Open the High Availability maintenance page for the standby controller (star‐03). In the figure, notice that the hostname is star‐03 and that the IP address is 10.16.0.113. After the takeover, the hostname of the operational controller remains as star‐03 using its own IP address (10.16.0.113), and it takes ownership of the star‐01 filesystem.

Figure 44 Maintenance > High Availability



3. Click Takeover and click OK to confirm.

A takeover status window opens.

As part of the takeover process, to ensure that the standby controller has the latest view of the file system, the process attempts to catch up on any file system snapshot downloads. The controller will continue to download file system snapshots in sequence until it encounters a failure. When this happens, the controller will retry the download a total of 10 times, pausing 30 seconds between attempts. After 10 attempts, the controller assumes it has caught up with all file system snapshot downloads and the takeover process continues.

The controller performs these actions to work around any network issues that might interfere with the process of downloading consistency snapshots from the cloud.

Figure 45 Takeover Status

4. When the takeover is complete, a popup window opens. Click OK.

5. Assuming that you have previously set up the Windows Server DFS‐N namespaces correctly, the Microsoft DFS namespace must be redirected to look at the standby controller that is now active. If this is not done, clients will see an error message when they attempt to access a share. In DFS, add a new folder target with the IP address of the standby controller (10.16.0.113), and delete the path to the failed controller (10.16.0.111). Once this is done, clients have access to the share as if they were still connected to the original controller.

Takeover for HA‐Local

NoteThis section is currently under review.

For HA‐Local, do the following for takeover:

1. Verify that the active (primary) controller is powered down.

2. Open the High Availability maintenance page for the standby controller.



3. Click Takeover and click OK to confirm.

A takeover status window opens.

As part of the takeover process, to ensure that the standby controller has the latest view of the file system, the process attempts to catch up on any file system snapshot downloads. The controller will continue to download file system snapshots in sequence until it encounters a failure. When this happens, the controller will retry the download a total of 10 times, pausing 30 seconds between attempts. After 10 attempts, the controller assumes it has caught up with all file system snapshot downloads and the takeover process continues.

The controller performs these actions to work around any network issues that might interfere with the process of downloading consistency snapshots from the cloud.

Figure 46 Takeover Status

4. When the takeover is complete, a popup window opens. Click OK.

5. (HA‐Local without shared addresses only) Administrator must change the DNS server entry so the old hostname points to the new IP address.

Clients now have access to the share as if they were still connected to the original controller.

Best Practices for High Availability Takeover

SMB/CIFS Environments

The following best practices apply to high availability takeover and restoration:Use HA‐Local to change controllers temporarily to perform maintenance.

When bringing a repaired controller back online in an HA‐Local configuration, it will automatically become the standby for the current active controller.

When bringing a repaired controller back online in an HA‐Global environment, use a new hostname and CCID. This requires that you request a replacement license from Panzura.

(For HA‐Local without shared addresses) Use Microsoft DFS namespace. This will handle the redirection of clients as part of the takeover.



NFS Environments

The following notes apply specifically to NFS environments:Specify the intr option each time an NFS export is mounted.

Allow NFS requests to be interrupted if the server goes down.

After performing a takeover, go to the client machines and manually unmount the exports from the failed controller and mount the same exports for the now active controller.

SMB DashboardMaintenance > SMB Dashboard

The SMB Dashboard page displays charts on SMB/CIFS activity: Metadata read cache performance

Data read cache performance

SMB/CIFS scaling and performance

By default, statistics are shown for the most recent 30 minutes. You can change the time scale to any of the following:

5 minutes

30 minutes

1 hour

12 hours

1 day

All (all available statistics)

The graphs are dynamic, and each includes multiple data point categories such as metadata reads and memory cache hits. You can show or hide any categories for a specific graph by clicking or hiding the category in the legend for that graph. For example, to focus only on the total metadata reads in the Metadata Read Cache Performance graph, click each of the other categories in the legend so that only that category remains.

You can zoom to a pre‐set period of time by using the Zoom button or set a custom zoom level by using the zoom controls below the legend. To zoom into a particular period, slide the zoom control to the left. As you do this, the data to the right of the zoom control is revealed in detail in the larger graph.



Figure 47 Maintenance > SMB Dashboard (excerpt)

Legend

Zoom control



SMB UsersMaintenance > SMB Users

This page displays a list of the current SMB users. You can search the list, choose the number of entries to display per page, and use the paging controls to page through the list.

Figure 48 Maintenance > SMB Users

Secure EraseMaintenance > Secure Erase

Secure Erase allows you to delete a file or folder in such a way that the contents cannot be restored, even using the most advanced technology available.

Secure Erase removes all versions of specified files and folders, including the associated objects stored in the cloud. User managed snapshots containing copies of the files and folders are explicitly noted in the Secure Erase output and not erased. This enables the administrator to take the appropriate action for the snapshots within the context of their environment. The snapshots will age out according to the settings defined in User Managed Snapshot settings (see “Master Snapshot” on page 132).

Use the Secure Erase page (Figure 49) to manage secure erase operations.

1. Specify the file or directory name to remove.

2. Select a date for deletion, or click Now for immediate deletion.

3. Click Erase to activate the delete operation.

The Schedule Files/Directories list shows when scheduled items will be deleted, and the table at the bottom of the page lists the files that have already been deleted.

Click Download Report to download a report of the actions taken by secure erase. After the report is downloaded, click Clear Entry to erase all the report contents from the system.



Figure 49 Maintenance > Secure Erase

CIoudFSMaintenance > CIoudFS

The CloudFS page displays a list of the current CloudFS hosts and allows you to pause or resume remote FS sync. Click Pause in the Remote FS Sync column to suspend sync operation and click Resume to restart. Click Save to implement the change.

You can search the list, choose the number of entries to display per page, and use the paging controls to page through the list.



CloudFS File BrowserMaintenance > CIoudFS File Browser

The file browser makes it possible to examine information about a selected file or directory within CloudFS. You use the file browser navigate to the file or directory in question and then display detailed information.

Note The ability to download files from the file browser has been disabled for security reasons.

When you have navigated to and selected the file or directory on the CloudFS File Browser page, press the ^ symbol at the bottom of the screen to reveal detailed information.

Figure 50 File Browser Page

Click to display details

Select the file or folder

Click to hide details



The detailed information is presented in the following tabs.

General Tab

The General tab includes the following information (see previous figure).

Global R/W Tab

The Global R/W tab includes the following information:File OwnerData OwnerFile PathFile Inode — number of inodes)File Size — size in MBLatest Snapshot — Number of files in latest snapshot

Table 30 General Tab Information

Attribute Possible Values Interpretation

Antivirus

File State Clean, Infected Once scanned, this value will be Clean or Infected.

Modified Since Scan Yes, No Yes indicates the file has been modified since it was last scanned. No indicates the file has not been mod‐ified.

Scan Tag ID Character string Identifies the version of the malware signature bun‐dle used by the AV scanner to check the file. AV scanners check this value prior to scanning a file to ensure it has not been checked with the current mal‐ware signatures.

Details

File Size Size in bytes

Last Accessed hh:mm:sec mm/dd/yyyy

Created on hh:mm:sec mm/dd/yyyy

Last Modified on hh:mm:sec mm/dd/yyyy

Cache

Cache Data Amount in bytes Values will range from 0 to the full size of the file. Values less than the full size of the file will occur dur‐ing normal operation.

Dirty Data Amount in bytes Values will range from 0 to the full size of the file. Values less than the full size of the file will occur dur‐ing normal operation.

Data Locality

Policy Action Cache, Auto Cache, Pinned



Figure 51 File Browser Page ‐ Global R/W Tab

SMB Tab

This tab provides permission information, including information on access control lists and access to the controller.

Figure 52 File Browser Page ‐ SMB Tab



Previous Versions Tab

This tab displays a list of previous versions of the file or folder and allows you to download a selected version.

Figure 53 File Browser Page ‐ Previous Versions Tab

Cloud MetricsMaintenance > Cloud Metrics

The graphs on this page provide detailed information on the communication links between the controller and the cloud. The cloud metrics are collected from the controller diagnostic database in five‐minute intervals. The graphs include information only on controller‐to‐cloud communications, not on file system, local storage, or LAN communications.

The graphs are dynamic. You can show or hide any categories for a specific graph by clicking or hiding the category in the legend for that graph. For example, to focus only on the total WAN output in the Write Throughput graph, click each of the other categories in the legend so that only that category remains.

To enable Cloud Metrics

1. Choose Maintenance > Diagnostics.

2. Under Diagnostic Tools select cdiag‐switch and add on as a parameter.

3. Click Run.

After five minutes you can open the Cloud Metrics page to view the graphs for the following metrics. To view the log entries used to generate the data for the past two hours, click the Show Cloud Call Log (last 2 hours) link at the bottom of the page.



ThroughputWrite Throughput: Throughput for all upload (PUT) operations to the cloud.

Read Throughput: Throughput all download (GET) operations from the cloud.

DurationAverage Write Duration: Average time in seconds for upload (PUT) operations to the cloud.

Average Read Duration: Average time in seconds for download (GET) operations from the cloud.



StatisticsCloud Write Statistics: Statistics for upload (PUT) operations to the cloud.

Cloud Read Statistics: Statistics for download (GET) operations from the cloud.

Snapshot throughputStatistics on the automatic filesystem consistency checkpoint snapshots that the controller takes during general operation. These are data consistency checkpoints that queue locally on the local file system and then are efficiently uploaded to the cloud as needed. This chart describes the frequency of snapshots and the depth of the queue of waiting uploads relative to the number of successful uploads to the cloud.



NFSMaintenance > NFS

Use this page (Figure 54) to restart the NFS service. Doing so terminates all NFS sessions.

Figure 54 Maintenance > NFS

Master SnapshotMaintenance > Master Snapshot

A master snapshot is a consistency point snapshot for the entire local file system on a controller. By default, master snapshots are taken once per week. Because master snapshots can consume significant I/O resources, Panzura provides the ability to modify the master snapshot schedule.

Use this page to modify the schedule for the master snapshot. You can set the date, time, and recurrence interval.

To modify the schedule for a master snapshot:

1. Select a day of the week and time from the dropdown lists.

2. Select a recurrence interval (from 1‐4 weeks).

3. Choose one of the following actions:

— Save to save the configuration and start the snapshot schedule.— Generate a Master Snapshot Now to order a snapshot on demand.



Figure 55 Maintenance > Master Snapshot

ICAP Un‐QuarantineMaintenance > ICAP Un‐Quarantine

Internet Content Adaptation Protocol (ICAP) is a standard or URL modification, web cache management, and anti‐virus scanning of URL, http posts, and file server files. The controller uses ICAP as a client to send file content to antivirus servers for virus scanning.

Use the ICAP Un‐Quarantine page to determine whether an ICAP server is responding, to quarantine files if that has not been done by the ICAP server, and to release quarantine as needed.

The following apply to the ICAP feature:This feature is available only if the ICAP license is installed.

Specify the ICAP parameters on the License Manager page. See “ICAP parameters” on page 135 for a description of the parameters.

If you have specify an ICAP server on the License Manager page, the IP address of the server is filled in automatically on the ICAP page. You can probe another server on this page by entering an IP address and clicking Probe server. however, the address you enter is not saved.

Results of the server probe are displayed in a pop‐up window.

Quarantining of files is typically done by the ICAP server. If needed, you can manually quarantine or un‐quarantine files in the ICAP Un‐Quarantine page.

Any viruses that are found are listed in /var/log/avquarantine, which is accessible on the Maintenance > Diagnostics page.



Figure 56 Maintenance > ICAP Un‐Quarantine

Table 31 ICAP Un‐Quarantine Page Settings and Actions

Item Description

Actions/Logs The Actions tab is open by default. Click Logs to view log information about quarantine and un‐quarantine actions.

Host This field is populated automatically if an ICAP server has been specified on the License Manager page. You can also enter or change the server IP address or hostname to probe. A host you specific on this page is not saved.

Check Communications Click to verify that the controller can communicate with the ICAP server.

File path Specify the path of the file to quarantine or un‐quarantine.

Quarantine Quarantine the specified file.

Un‐Quarantine Remove quarantine status from the specified file.

Query Status Display the current quarantine status.



ICAP parameters

To use ICAP, specify the following ICAP parameters on the Configuration > Licenses Manager page under AS‐ICAP. See “License Manager” on page 58.

Cloud DeleteMaintenance > Cloud Delete

Note This page is visible only on data protection controller models that are deployed exclusively for back‐up using Symantec NetBackup.

When a user deletes a file the objects that comprise the file are placed in a delete queue for 14 days. At the end of 14 days:

The objects are deleted from the object store provided.

The objects are not required to maintain the integrity of a snapshot or required to re‐hydrate a deduplicated file. This helps to ensure a more orderly delete process from all of the cloud controllers within a CloudFS. If you need to purge objects more quickly than that, contact Panzura Support.

The Cloud Delete schedule applies only to Symantec NetBackup images. After deleting a NetBackup image, an administrator can schedule the deletion of the related cloud objects in advance of the 14 day expiration period. This makes it possible to reclaim storage space within the object store, and in some cases lower the related expense.

Use the Cloud Delete page (Figure 57) to schedule cloud deletions.

Table 32 ICAP License Parameters

Parameter Description

Port The default ICAP port is 1344. Change the value if the ICAP server is listening on a different port.

Service ICAP service name. This is ignored by most ICAP servers; however, some vendors require specific values. avscan is the most common service name.

include‐files Comma‐separated list of of glob based file paths that will be scanned. Use * as a wildcard.

exclude‐files Comma‐separated list of of glob based file paths that will not be scanned. Use * as a wildcard.

scan‐on‐read Scan files when they are open for reading.

scan‐on‐write Scan files when they are closed following write operation.

denyonerror If no scanner is available or some system error has occurred, assume that the content is suspicious and deny client access.

allow206 Not currently supported.



To schedule cloud deletions:

1. Select checkboxes for days of the week and time of day.

2. Choose one of the following actions:

— Apply to save the configuration and start the deletion schedule.— Save to save without starting the schedule.

Figure 57 Maintenance > Cloud Deletion

Image UpgradeMaintenance > Image Upgrade

Use this page (Figure 58) to upgrade the controller manually to a specific image. New OS images are available from Panzura support. For information on enabling automated updates, see “Support” on page 138.

To manually upgrade the system image:

1. Download the image from Panzura to your local network.

2. Click Browse and navigate to the image file.

3. Click Open or Save (depending on your browser).

4. Click Upgrade.



Figure 58 Maintenance > Image Upgrade

RebootMaintenance > Reboot

Use this page (Figure 59) to reboot the controller. When you reboot the controller you have the option to specify a particular software image to use on subsequent reboots of the system. If you have a new version of PZOS that you want to use, make sure that you select it before rebooting.

To reboot the system:

1. Select the image to use upon reboot.

2. Click Reboot.

Figure 59 Maintenance > Reboot



SupportMaintenance > Support

Use this page (Figure 60) to perform the following operations:Enable automated system image updates. (To manually upgrade the controller, see “Image Upgrade” on page 136.)

Enable automated event log export to Panzura.

Export packet capture files.

Table 33 describes the operations.

Figure 60 Maintenance > Support

Table 33 Support Operations

Item Description

Automatically Send Logs to Panzura Support and Check for New Operating System Upgrades

If you enable this option and click Save, then each night the controller sends the event log to Panzura for analysis .

When there is an operating system update, the new version is automati‐cally downloaded to the controller. When you are ready to install the upgrade, choose Maintenance > Reboot, specify the new version, and click Reboot.

Download support log If you generated a packet capture on the Maintenance > Diagnostics page, click Download Support Log to download and save a copy of the logfile to your desktop (file name panzura.support). If requested, send this logfile to Panzura Support.

click this button to save the capture and then click Save to save the file to your local system so you can send it to Panzura. See “Diagnostics” on page 110 for instructions on taking packet captures.



PasswordMaintenance > Password

The controller supports the following types of administrator accounts:Admin—Full read‐write access to the Panzura controller and all Web UI pages.

Restricted user— Read‐only access. Can view only the Dashboard tab.

Panzura recommends changing the passwords to prevent unauthorized access. Use the Password page (Figure 61) to reset the passwords. Table 34 describes the settings on the page.

Figure 61 Configuration > Password

Support access Select a support assistance option and click Save to enable automated remote network support and monitoring.Options include: • Disabled—Remote support access is not permitted.• Limited Access—Panzura support staff has limited remote access to

the system and ability to perform a reduced set of remote diagnostic functions. The Panzura staff cannot see any user data, file systems, or the full CLI command set.

• Full Access—Panzura support staff has full remote access to the system to perform the needed maintenance and troubleshooting operations using the full set of CLI and shell tools in the system, all alert informa‐tion, error logs, and system logs. The file system and all data is accessi‐ble and Panzura support can even remotely access the WebUI, console and Dashboard if approval is given by the customer.

Table 33 Support Operations (continued)

Item Description



Table 34 Password Settings

Item Description

Change Password for Admin Enter and confirm the new password for the administrative user, and click Save Password. Default is admin.

Change Password for Restricted Users

Enter and confirm the new password for the user account, and click Save Password. Default is user.



AdvancedMaintenance > Advanced

Use this page to reset and clean up the system, take snapshots, and recover using snapshots. Table 35 describes the operations.

CautionContact Panzura Support before performing any of the operations on this page.

Figure 62 Maintenance > Advanced



Table 35 Advanced Operations

Item Description

Reset Configuration to Fac‐tory Defaults

Resets all system values to factory defaults. Stops all read/write operations on the controller, purges all data from the controller, clears all reporting statistics, deletes the configuration information, and resets the system to factory defaults.

Repurpose Controller Makes the controller available for other uses after it has been removed from a high availability configuration. This process removes the cloud controller ID (CCID). After clicking the but‐ton to repurpose the controller, contact Panzura support for a new license to operate the controller.

Delete all Storage and Clear Stats

Stops all read/write operations on the controller, purges all data from the controller, and clears all reporting statistics. The system reboots, stopping all read‐write operations.

Power Off Halts the controller and turns the power off.

Restore Data from Cloud Storage

Restores the file system on this controller with the file system in the cloud storage. The controller reboots and then recovers the metadata from the cloud storage backend.

You can choose to recover to the most current state of the file system, or to recover to the state of the file system as captured in a specific snapshot. See “Snapshot Manager” on page 94 for snapshot names.

When a controller is prepared for disaster (by following the disaster recov‐ery procedure), the screenshot is displayed on the controller. If the inten‐tion is to restore the local file system from the cloud backend, then the restore local file system action should be performed only when the follow‐ing message is displayed. If the message is not displayed on a new control‐ler that has been configured for disaster recovery, then contact Support before proceeding.

Master‐subordinate config‐uration sync

Causes the master controller to create a new configuration file that the subordinate controllers can synchronize to.

Decommission Use this option to disable any further reads/writes from the selected con‐troller. For details, see “Decommission a Controller” on page 143.

Active cleanup Indicates if an active cleanup is underway.



Decommission a ControllerDecommissioning a controller disables any further read/write contact with the controller and removes it from the cloud file system. Before decommissioning a controller:

Verify that all files belonging to the filesystem of the selected controller have been copied to another location.

If you want to decommission a master controller, first convert it to a subordinate controller.

Select the controller to decommission from the dropdown list in the Decommission area of the Maintenance > Advanced page, and click Decommission to begin the decommissioning process. • If the snapshot is not current, a message appears and decommissioning stops. Take a new snapshot,

and then restart decommissioning. See “Master Snapshot” on page 132.• If there is a problem establishing connection to the selected controller, you will be asked whether to

proceed with the controller removal without performing lock migration. This option is useful if you want to remove an invalid controller hostname from the CloudFS. You will be prompted to confirm, and given the option of automatically power off the machine when the decommission is complete.

• Errors are presented if any problem is found during decommissioning. Click Show Detail to view details of the error.

• When the process completes, a success message is displayed. If you did not select the automatic shutdown option, you will be reminded to power off the controller.

• When decommissioning is complete, the controller name in the Decommission dropdown list is fol‐lowed by “(Completed)”.

• The decommissioning process includes cleaning up files from the decommissioned controller. To view the cleanup status for a controller, select the controller in the Active Cleanup area of the Mainte‐nance > Advanced page, and click Cleanup Status. You can also remove the cleanup log, if it is not needed.


6 Reports
This chapter describes the reports that you can create on controller and network activity.
“About Reports” on page 144

“Creating Reports” on page 145

About ReportsYou can create reports on the following types of activity:

Cloud activity

Intelligent read cache distribution

Intelligent read cache effectiveness

Latency

Network

SMB user count

System snapshots

Events in ReportsDisplaying event information on the graphical reports can help in correlating events with system network activity. Events are classified as critical, major, or info. If you select critical, only critical events are displayed. If you select major, the major and critical events are displayed. If you select info, the info, major, and critical events are displayed.


Chapter 6 | Reports

Creating ReportsReports

The Reports page contains controls at the top and and area at the bottom to display the created charts.

To create a report:

1. Select a time range.

2. Select the Show Events checkbox if you want to include event information on the chart. Select the minimum level of severity to include, and enter a string, if desired, to limit the search. For example, if you select major and enter cloud, the chart will display all the events of severity major or critical that have ‘cloud’ in the alarm name or description.

3. Select one or more controllers to include in the report, or select All to include all controllers in your network. The data in the report is aggregated over all the selected controllers.

4. Click Add Chart. A dialog box opens for you to select the chart type. Make your selection and click OK to create and display the chart.


Chapter 6 | Reports

5. Click Add chart to add any additional charts. Adding additional charts can help in correlating events and troubleshooting. For example, if you see major or critical events related to cloud activity, you might gain insights by adding charts on latency and network activity to the reports page.

The following controls are available on the Reports page: Metrics. The available metrics are listed in the legend below the chart. Click a particular metric to toggle its display on or off.

Time range. Click to specify a time range.

Show events. Select the check box to show events on the chart. You can show all events, or just the info, major, or critical ones. Move your cursor over an event on the chart to display its details.


Chapter 6 | Reports

Contains. Enter text to filter the events that displayed.


A Configuring Service Provider Information

PFOS provides support for multiple storage providers. The following table can help you to translate the unique configuration fields of each provider to the fields on the License Manager page. See “License Manager” on page 56 for configuration instructions.

NoteEvery filer within a FS must specify the same name for "Path" within the Connector Settings. This field is case‐sensitive.

Activate licenses by selecting the checkbox next to each license and clicking Activate Selected.

Table 36 Configuration Information for Cloud Storage Providers

Cloud storage providerAmazon Simple Storage service (S3)

Panzura connector CSP‐Amazon

Panzura license field Amazon S3 parameter Notes

Path Not applicable to the Amazon web services settings

Enter a folder name

User name Access Key IDPassword Secret Access KeyBucket BucketHostname Region Endpoint

See Amazon AWS docs link:http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region


Appendix A |

Cloud storage provider AT&T StaaS

Panzura connector CSP‐Atmos

Panzura license field EMC Atmos parameter Notes

Path Not applicable to the EMC web ser‐vices settings

Enter a folder name

UID UIDSubtenant ID Subtenant ID:serviceclass=Policy Policy can be

:serviceclass=policy1 or :serviceclass=policy2.Example: Subtenant ID:serviceclass=policy2The policy types are case sensitive (they must be all lowercase).Refer to AT&T for information regarding policy1 and policy2.

Changing this setting requires a reboot of the filer.

Shared secret Shared secretHostname Atmos node name Your Atmos (RMG) Resource

Mgmt Group site node name

Cloud storage provider Cleversafe

Panzura connector CS‐Private‐Cleversafe

Panzura license field Cleversafe Notes

Path User‐specified Enter a folder name.User name User namePassword PasswordBucket Cleversafe Vault NameHostname Cleversafe Accesser Name or IP

address


Appendix A |

Cloud storage provider Dell EMC ECS S3

Panzura connector Dell/EMC ECS

Panzura license field Dell EMC parameter Notes

Path User specifiedUser name Access Key IDPassword Secret Access KeyBucket BucketHostname ECS node name

Cloud storage provider Dell Virtustream

Panzura connector Dell Virtustream

Panzura license field Dell Virtustream parameter Notes

Path User specifiedUser name Access Key IDPassword Secret Access KeyBucket BucketHostname Hostname Access point where the bucket is to

be accessed.


Appendix A |

Cloud storage provider EMC Atmos

Panzura connector CSP‐Atmos

Panzura license field EMC Atmos parameter Notes

Path Not applicable to the EMC web ser‐vices settings

Enter a folder name

UID UIDSubtenant ID Subtenant IDShared secret Shared secretHostname Atmos node name Your Atmos (RMG) Resource

Mgmt Group site node name

Cloud storage provider IBM

Panzura connectorIBM Cloud Object Storage ‐ S3 Interface

Panzura license field Notes

Path Path Enter a folder name.User name User name User name or access ID.Password Password Password or secret access key.Vault Vault Name of the bucket.Hostname Hostname Access point where the bucket is

to be accessed.

Panzura ConnectorIBM Cloud Object Storage ‐ Native Interface


Path Path Enter a folder name.User name User name User name or access ID.Password Password Password or secret access key.Vault Vault Vault name.Hostname Hostname Assessor name or IP address.

Panzura ConnectorIBM Cloud Object Storage ‐ Swift Interface


Path Path Enter a folder name.User name User name User name or access ID.Password Password Password or secret access key.Container Container Object storage container.Hostname Hostname Assessor name or IP address.AuthPath AuthPath Identity server used to authorize

access.


Appendix A |

Cloud storage provider IIJ

Panzura connector IIJ

Panzura license field Cloud Provider Equivalent Notes

Path Path Enter a folder name.Use Name Use Name User name or access key ID.Password Password Password or secret access key.Bucket Name Bucket Name Name of the bucket.Hostname Hostname Access point where the bucket is

to be accessed.

Cloud storage provider Google storage

Panzura connector CSP‐Google

Panzura license field Google cloud storage parameter Notes

Path Not applicable to the Google web services settings

Enter a folder name

User name Access KeyPassword SecretBucket BucketHostname Google storage host address Currently Google requires this to

be commondatastorage.googlea‐pis.com

Cloud storage provider Microsoft Azure Cloud Storage

Panzura connector CSP‐Microsoft

Panzura license field Microsoft Azure Parameter Notes

Hostname windows.netPath ‐‐‐ Enter a folder nameStorage Account Name Storage Account Name

Primary Access Key PRIMARY ACCESS KEY From manage access keysContainer CONTAINER Container needs to be created

before license activation


B Windows Users and Files that Are Slow to Open

The Gray‐X feature allows Windows users to determine if a file is not stored in their local controller’s disk cache,
and therefore will take some time to open. This feature is especially useful if the user is working with large files that are not frequently accessed and therefore might not be in the local disk cache. This feature is available only on Windows.
When you open a folder in Windows File Explorer, the Panzura Storage Controller determines whether all file blocks are resident locally in cache. If any blocks are missing from cache, a gray X is displayed in the File Explorer window.

Gray‐X is disabled by default. When enabled, the Gray‐X status is displayed in the Window Explorer file listing.

Figure 63 Gray‐X Indicators

Enable or disable the Gray‐X feature1. Log in to the admin UI to the controller, and open the Maintenance tab.

2. Under Diagnostic Tools, select smb‐add‐gcfg and do either of the following:

— To enable the Gray‐x feature, enter the value pz_replock check blocks = yes and click Run.— To disable the Gray‐X feature, enter the value pz_replock check blocks = no and click Run.

Reboot is not required.

NoteThis feature will place an incremental load on the cloud controller for each active user. Enabling this feature on a trial basis with your end users is recommended to ensure an acceptable end user experience.


Appendix B |


C Creating A Microsoft Azure Storage Container

Creating a storage bucket within Azure can be up to a three part process.

The first part is creating a master account on the Azure portal for your organization. The master account is a central location for accessing all of your Azure services. It is also used for billing purposes.

The second part is to create an Azure storage account within the master account.

Finally, the third part is to create the storage bucket that your Panzura cloud controllers will use to securely store your encrypted data. The information needed to configure the Panzura controller to use your storage bucket is highlighted here.

Part 1: Create a Microsoft Azure account for your organization

If this is your first time using Microsoft Azure, you will need to create a master account for billing purposes. The account can be created by navigating to https://azure.microsoft.com and selecting my account located at the top right of the window.

Part 2: Create an Azure storage account within the master account1. Sign in to the master account from the Azure portal.

2. On the left window pane, select New > Data + Storage > Storage account.

3. Enter a name for your storage account. Make note of the storage account name. It will be required later when configuring the Panzura controller.

4. Specify the deployment model to be used. For all new Azure storage accounts ,Panzura recommends using the Resource Manager type. The Classic model is also supported.

5. Select Standard for the performance tier.

6. Microsoft Azure offers a range of data redundancy capabilities. Panzura recommends consulting Microsoft’s descriptions of these capabilities prior to configuring your bucket. Make this selection carefully. While possible, changing this configuration later can be an involved process and might require downtime.

Panzura supports LRS. The ZRS, GRS, and RA‐GRS modes are not supported.

7. Select the subscription in which you want to create the new storage account.

8. Specify a new resource group or select an existing resource group. For more information on resource groups, see Using the Azure Portal to manage your Azure resources.

9. Select the geographic location for your storage account.

10. Click Create to create the storage account.

11. After the storage account has been successfully created, navigate to the storage account windows pane. Select the key icon located the right of Essentials. Copy key1 and paste it to a temporary location. It will be required later when configuring the Panzura controller.


https://azure.microsoft.com/en-us/documentation/articles/resource-group-portal/

https://azure.microsoft.com

Appendix C |

Part 3: Create the cloud storage bucket within the Azure storage account

1. Within the Azure Portal, navigate to Storage accounts.

2. Select the storage created in Part 2.

3. Within the storage account window pane, select Blobs.

4. Within the Blob service window pane, select the container below the name of the blob service.

5. Enter a name for the container. Set the Access Type to Private and select create. Make note of the container name. It will be required later when configuring the Panzura controller.

This completes the creation and configuration of an Azure cloud bucket for use with Panzura cloud controllers. During this process three items were noted as being required later. Each of these items is required to activate the Azure cloud license on the Panzura controller.

: windows.net

Path: panzura (this can be changed to any combination of letters and numbers)

Container: This is name of the container specified in Part 3, step 5 above

Storage Account Name: This is the name of the storage account specified in Part 2, step 3.

Primary Access Key: This is key1, which was captured in Part 2, step 11.

After the Azure bucket is added to the Panzura license manager, navigate to Maintenance > Diagnostics in the Panzura Web UI and perform the cloud‐upload test to verify that the connection is functional.


Appendix C |


D Creating an IBM Cloud Object Storage Container

Creating a cloud storage container or vault on IBM COS can be divided into several sections. The following information describes each section and the associated steps. Refer to the IBM Cloud Object Storage technical documentation for more detailed information.

Step 1: Create an IBM storage vault1. Create a vault template:

a. Log in to IBM COS and click the Configure tab.

b. In the dsNet navigation pane, expand Storage Pools.

c. Select the IBM COS storage pool where you want to create the vault template, and click the Storage Pool link in the General section.

d. In the Vault Templates section, click Create Vault Template.

e. Disable the following items by deselecting the check boxes for Name Index Enable and also Enable SecureSlide Technology. Select the Recovery Listing Enable option.

f. In the Deployment section, select the access pool or pools that you want to use for the template and click Save.

2. Set the vault template as the default for your IBM COS dsNet:

a. Click the Configure tab.

b. In the Default Vault Template Configuration section, click Configure.

c. Select a vault template to use as the default, and click Update to set that template as the default.

d. Record the name of vault. It is required later when configuring the Panzura cloud controller.

Step 2: Create a user account on the IBM COS instance

Use an IBM COS account with administration authority to create a user account on the IBM COS instance in your environment. Ensure that the new user account has the Vault Provisioner role.

1. Click the Security tab and select the new user account.

2. Generate an access key for the new user:

a. In the Access Key Authentication section, click Change Keys.

b. On the Edit Access Keys page, click Generate New Access Key.

c. Click Back.

3. In the Access Key Authentication section, locate the Access Key ID and Secret Access Key values.

4. Record both keys carefully as they are needed later when configuring the Panzura cloud controller.

Step 3: Locate the URL 1. Click the Configure tab.

2. In the dsNet navigation pane, expand the Devices and Accesser sections.


Appendix D |

3. Select the IBM COS accesser. Verify that the accesser belongs to an access pool to which the default vault template is deployed.

4. SIn the Device Configuration section for the accesser, record the IP address value so you can use it when you configure storage pools. Use http:// before the IP address value to prevent certificate security errors.

5. Record the IP address of the accesser or load balancer. It is needed later when configuring the Panzura cloud controller.

Step 4: Configure Panzura for IBM COS

Configure the CS‐Private‐Cleversafe connector.

1. Hostname. The IP address of the IBM COS Accesser or load balancer.

2. Path. An arbitrary string to denote the path into which disk drive objects are stored.

3. User name. The vault username specified during IBM COS configuration.

4. Password. The vault user password specified during COS configuration.

5. Bucket. The vault name specified during COS configuration.


E Disk Expansion

You can expand the controller disk capacity with additional SSD drives. This expansion will require approximately 30 minutes. Controllers under high load might require more time. Before getting started, locate the SSD Expansion Pack (with three drives) and the capacity expansion license.

Installing an SSD Expansion Pack involves installing the SSDs physically in the controller, installing the capacity expansion license, and configuring the SSDs and adding them to the controller. If you are installing more than one Expansion Pack, you must install one pack at a time.

1. Install the expansion SSDs in the next three consecutive slots available in the chassis. For example, if the controller currently has SSDs installed in slots 0, 1, 2, the new SSDs must be installed in slots 3, 4, 5. Slots that are skipped are no longer available for future use.

2. In the Web UI, select Basic Settings > License Manager and activate the license or licenses. The figure shows an entry for SSD. Store the license files in a convenient location.

3. Select Advanced Setting > Disk Expansion. The page has buttons for the following actions:

— Discover New Drives. After a new SSD Expansion pack has been physically installed in the controller, use this button to initiate a discovery. The controller will also periodically check for new SSDs. So this step might not be necessary.

— Configure New Disks. Initiates the configuration process for the SSD Expansion pack.— Un‐configure New Disks. If needed, this button can be used to unconfigure an SSD Expansion Pack that

has never been placed into use. This operation cannot be used with disks that have been provisioned and added to the controller.

— Provision. Put the new SSD Expansion pack into service. You must wait until the state of the disk is Online before provisioning (see the following figure).


Appendix E |

4. Click Discover New Drives. In the figure, notice that three of the drives are discovered (ready), but shown as unconfigured.

5. Click Configure New Disk. Review the SSD configuration and click Submit.

6. Click Provision to bring the SSD Expansion Pack online.

NoteThis operation cannot be undone. Ensure that this is the desired configuration and then proceed.


Appendix E |

7. When provisioning is complete, verify that the SSDs has been successfully added. In the figure, notice that the drives that were previously shown as ready but unconfigured and now show as online.

When the state of each SSD is online, the capacity of the controller has been successfully expanded. This completes the process and the new capacity is now in use.


F File Access Auditing Support for SMB and NFS Clients

The level of support for file access auditing differs for SMB and NFS clients, as shown in the following table.

Table 37 File Auditing Support

Category Operation Description SMB NFS

General filesystem operations

access Check access permissions x x

create Create a file x x

getattr Get file attributes x x

link Create Link to an object x x

mkdir Create a directory x x

mknod Create a special device x x

read Read from file x x

readir Read from directory x x

readirplus Extended read from directory x x

readlink Read from symbolic link x x

remove Remove a file x x

rename Rename a file or directory x x

rmdir Remove a directory x x

setattr Set file attributes x x

symlink Create a symbolic link x x

write Write to file x x

ACLs aclcheck Check access control list x

aclget Get access control list x

aclset Set access control list x

Extended Attributes delxattr Delete extended attribute x

getxattr Get extended attribute x

listxattr List extended attribute x

setxattr Set extended attribute x


Appendix F |

SMB/CIFS chflags Change flags x

chmod Change mode of file x

chown Change owner of file x

close Close file x

connect Connect to a fileshare x

disconnect Disconnect from a fileshare x

fsync Flush all write data to disk x

lock Lock file x

open Open file x

recvfile Receive file x

search Search using a specified template x

sendfile Send file x

streaminfo Provide information about an IO stream

x

trunc Truncate file to zero length x

unlock Unlock file x

Table 37 File Auditing Support

Category Operation Description SMB NFS


Appendix F |


G Best Practices when Configuring ICAP for Virus Scanning

Panzura offers the options of scan‐on‐read and scan‐on‐write when configuring ICAP for virus scanning services.

See “Antivirus and Malware Scanning” on page 62 for information on configuring ICAP and “ICAP Un‐Quarantine” on page 133 for information on determining whether an ICAP server is responding, quarantine files if that has not been done by the ICAP server, and release quarantine as needed.

Scanning Options

Scan‐on‐Read Scan‐on‐read is the practice of scanning when a file is opened, before the client reads the data.This is the recommended deployment configuration, as it provides the best protection and performance. Assuming that the virus‐scanning server is updated with current virus definitions, this approach prevents the propagation of viruses to other clients and devices.

Scan‐on‐WriteWith scan‐on‐write, files already stored on the controller that were not previously scanned, or not scanned with the latest virus definitions, could be opened by a client and then propagated to other clients and devices. This option is intended only for unusual use cases with a high percentage of write operations followed by many read‐only operations. It allows for background scanning, but can result in performance degradations and IO bottlenecks in high volume read/write environments.

Consult with Panzura support before using scan‐on‐write.

SMB / CIFS Client LimitationsSMB/CIFS file servers have a limited number of error codes that can be sent in response to requests that can't be completed. For example, the protocol does not explain when a file is inaccessible due to an antivirus scanner. When a file has been quarantined or an error occurs with deny‐on‐error enabled, clients see Access Denied errors for these files. Remember to check your antivirus server and the controller for quarantined files or errors when troubleshooting.

When the ICAP service/daemon sends a scan file request to the antivirus server, the server has less then 60 seconds before the SMB/CIFS protocol timeout. The scanning operation must be completed before this duration, otherwise the SMB/CIFS session will timeout.

File Filters An inline scan refers to the antivirus server scanning the file when a client requests the file, before an open is allowed on the file. This blocks the client while the scan is performed so caches and filters are used to scan a file only when needed.


Appendix G |

File filters are common file types that can affect client performance during inline‐scans due to the limitations for clients mentioned in the previous section. Archive files must be opened to scan the individual files in the archive, which adds time to the scan.

On the license page of the controller under the ICAP license, you can configure file types to include and exclude from scans. If any of these file types are from a trusted source they should be excluded from scanning.

The following file types are recommend for exclusion because the are supported by antivirus software.

Database Files

.ldb

.mdb

.pst

.nsf

Archive or large Files

.7z

.tar

.cab

.tgz

.iso

.vhd

.jar

.vmdk

.rar

.zip

.bak
