Veritas Flex Appliance Getting Started and Administration Guide
- Product overview
- Release notes
- Getting started
- Managing network settings
- Managing users
- Managing Flex Appliance Console users and tenants
- Using Flex Appliance
- Managing the repository
- Managing application instances from Flex Appliance
- Managing application add-ons on instances
- Upgrading application instances
- About Flex Appliance updates
- Appliance security
- Monitoring the appliance
- Configuring alerts
- Viewing the hardware status
- Reconfiguring the appliance
- Troubleshooting guidelines
About lockdown mode
Flex Appliance lockdown mode offers additional security levels to protect your appliance and data, in addition to the hardened, secure operating environment that comes out of the box.
Lockdown mode provides the following benefits:
It prevents unauthorized access or modification to the underlying operating system (OS). Once lockdown mode is enabled, administrators cannot make changes to the OS or the internal components.
If you need access to the OS for emergency operations, you must contact Veritas Technical Support to obtain a One-Time Password and temporarily unlock the appliance. This functionality prevents unauthorized changes even if a malicious actor gained access to stolen credentials.
It includes the option to create WORM storage instances that prevent your data from being encrypted, modified, or deleted. WORM is the acronym for Write Once Read Many. Any data that is saved on these instances is protected with the following security measures:
This protection ensures that the backup image is read-only and cannot be modified, corrupted, or encrypted after backup.
This property protects the backup image from being deleted before it expires. The data is protected from malicious deletion.
Flex Appliance includes the following lockdown modes:
This mode is the default mode of the appliance. Normal mode does not support WORM storage.
This mode adds additional access restrictions but retains a level of flexibility. In this mode:
You can create WORM storage instances and also delete them, including any existing data.
Any administrator can delete WORM storage instances if there is no immutable data. However, only the default admin user can delete them if immutable data is present.
When you delete a WORM storage instance as the default admin user, the instance can be running or stopped. When you delete a WORM instance as any other user, the instance must be running so that the system can verify that there is no immutable data present.
To change from enterprise mode to normal mode, you must first delete all WORM storage instances.
This mode adds the highest level of access restrictions. In this mode:
You can create WORM storage instances. You can delete the instances only if there is no immutable data present.
Any administrator can delete WORM storage instances if there is no immutable data.
When you delete a WORM storage instance, the instance must be running so that the system can verify that there is no immutable data present.
To change from compliance mode to enterprise mode or normal mode, you must first wait for all data on the WORM storage instances to expire and then delete the instances.
In both enterprise mode and compliance mode, storage reset is disabled.
Veritas strongly recommends that you enable enterprise lockdown mode to prevent unauthorized access to the OS, even if you do not plan to create WORM storage instances.
Lockdown mode does not block access to the remote management (IPMI) port. Veritas recommends that you set up your network to restrict access and only allow security administrators or the users that manage the physical hardware to use the port.
The appliance must be in lockdown mode before you can create WORM storage instances. See Changing the lockdown mode.
For more information on creating and managing WORM storage instances, see the NetBackup Application Guide for Flex Appliance.