SnapCenter and Tamperproof Snapshots

Tamperproof snapshots was first supported in the SnapCenter 5.0 release. See the SnapCenter 5.0 Release Notes from March 08, 2024: SnapCenter Software 5.0 Release Notes

SnapCenter Software 5.0 Release Notes

If you search for "Tamperproof" or "TPS", you won't find anything. Searching for "SnapLock":

What’s new in SnapCenter Software 5.0
- Support for SnapLock

New or changed PowerShell cmdlets

• Cmdlet:
• Refresh-SM
• What has changed:
• New cmdlet

• Cmdlet:
• Add-SmPolicy
• What has changed:
• The following parameters are included:
• SnapLockRetentionPeriod
• SnapLockRetentionPeriodType
• PluginPolicyType UnixFileSystems

• Cmdlet:
• Set-SmPolicy
• What has changed:
• The following parameters are included:
• SnapLockRetentionPeriod
• SnapLockRetentionPeriodType
• PluginPolicyType UnixFileSystems

Limitations related to SnapLock feature

When you perform delete resource group, delete retention, detach policy while deleting backups, and remove host operations on a resource group that has resources on different storage (snaplock storage and non-snaplock storage), backups on non-snaplock storage are not removed by the SnapCenter Server. You should manually delete the backup from storage.

It is recommended to segregate snaplock and non-snaplock databases into different resource groups.

SnapCenter Software 6.0 and 6.0.1 Release Notes

Nothing additional to the above.

Other Documentation and Comments

• SnapCenter Software documentation
• Securing Microsoft SQL Server on ONTAP
• Lock a Snapshot copy for protection against ransomware attacks
• SnapLock and tamperproof snapshot copies for ransomware protection
• Snapshot copy locking
• When does ONTAP delete Tamperproof Snapshot? - NetApp Knowledge Base
• The tamperproof snapshot is auto-deleted when the next scheduled snapshot is generated after the retention period ends.
• Veeam-created FlexClones accumulate on volumes with Tamperproof snapshots enabled - NetApp Knowledge Base
• SnapMirror Snapshots build up after activating Tamperproof Snapshots in a Cascade - NetApp Knowledge Base
• Setting up Tamperproof or Snapshot locking fails for FabricPool volumes - NetApp Knowledge Base
• Snapshot Locking is not supported for FabricPool volumes
• Can anti-ransomware and tamperproof be enabled at the same time? - NetApp Knowledge Base

Note: Tamperproof snapshot does not offer the choice of Compliance and Enterprise. Mode in which it operates is more like Compliance mode except for disk level protection.

https://docs.netapp.com/us-en/ontap/snaplock/snapshot-lock-concept.html <~~ lists unsupported features

[Appendix: A] SCV: AFF retention is controlled by date because it is managed by SCV with “delete after X days”. But the Vault copy is based upon count, and an inexperienced admin could accidently delete months of Vault snapshots by running multiple backups on one day. Tamperproof snapshots could prevent that.

[Appendix: B] Tamperproof snapshot does not offer the choice of Compliance and Enterprise. Mode in which it operates is more like Compliance mode except for disk level protection.

[Appendix: C] Are Snapshots affected by SnapLock "privileged-delete"? - NetApp Knowledge Base + volume file privileged-delete

[Appendix: D] Other Notes on TPS:

• Compliance clock. Make sure the time is correct - we cannot roll it back.
• Testing: Keep snapshot copy deletion expiration period low during testing (so it can be changed easily if required).
• Flexgroup volume can only be deleted if the root constituent volume expiry has passed.
• SnapCenter and TPS had limited supported scenarios i.e. primary only (may have changed in 6.0.1+).