StorageGuard overview
StorageGuard™ addresses the challenges of securing the vulnerable enterprise data storage and backup systems. It automatically collects the up-to-date configurations of the enterprise’s data storage systems and checks for security misconfigurations and vulnerabilities including violation of vendor security best practices, organizational security baseline configuration requirements, ransomware protection guidelines, non-compliance with information security standards and more. It informs the relevant IT teams of violations and how to repair them in order to close the security gaps that put critical data systems at risk.
Key benefits of StorageGuard
- Meets vendor and community-driven security configuration best practices.
- Validation of Configuration Compliance with information security standards (ISO, CIS Controls, PCI DSS, NIST, NERC CIP, DORA, NIS2 and more).
- Automatically validates security baseline configurations.
- Automatically detects security vulnerabilities and misconfigurations.
- Tracks and reports on security configuration changes.
- Provides remediation guidelines for detected misconfigurations and facilitates automatic healing.
- Provide positive and negative configuration audit reports.
- Provides the platform for easily implementing custom security configuration checks for storage, backup, and host systems.
- Supports all leading enterprise data storage systems including SAN, NAS, Storage Network, Storage Management, Storage Virtualization, Data Protection Systems and more.
- An enterprise-grade solution – A secure and scalable solution that can be easily customized and/or integrated with other management systems.
New in Version 9.2.8
New features and highlights
This StorageGuard release introduces new features and major enhancements in the following areas:
Newly Supported Platform: VAST DataThis new release enables StorageGuard to collect security configurations and automatically detect best practice violations or vulnerabilities across VAST clusters. VAST Data is a unified, high-performance storage platform designed for large-scale analytics and AI workloads. |
Check Details PageA new UI page is now available that provides detailed information about a check’s risk template. The page includes the risk summary, API/CLI command, impact, resolution, associated compliance frameworks and labels, parameters and more. To learn more about a check that has passed successfully, you can:
|
Enhanced security
This release includes security enhancements and resolves third-party vulnerabilities. Refer to Support Announcements for additional information.
Additional changes and enhancements
The following section highlights additional notable changes or enhancements:
| Id | Description |
|---|---|
| SG-30441 | Flexible Username Handling with CyberArk Credentials: Allow users to manually specify the username format (e.g., domain\username, fqdn\username) while StorageGuard retrieves only the password from CyberArk, enabling compatibility with systems requiring different login formats |
| SG-30351 | Enable setting priority values across multiple risk findings |
| SG-30274 | Support for exporting Reports to the JSON format through the UI or Rest API |
| SG-30186 | Enhance the inventory to include NetBackup Flex Appliance instances and node-level details |
| SG-30076 | Added a column in configuration compliance report that links directly to detailed check information, improving investigation workflows |
| SG-30065 | Display parameter descriptions as tooltips on parameter names in compliance screens to improve usability |
| SG-29691 | Added support for collecting and analyzing configuration data from VAST clusters |
| SG-28506 | Enhanced the ‘View Configuration’ screen to provide clearer structure, readability, and usability when reviewing collected configurations |
Fixed issues
The following issues are resolved:
| Id | Description |
|---|---|
| SG-28059 | Fixed an issue where users could enable Using Proxies for automatic updates without selecting an available proxy |
| SG-28485 | SG-C0013T234V01: Approved NTP servers — Corrected an issue where the Approved NTP Servers compliance check displayed incorrect violation values |
| SG-30221 | Resolved an issue causing the Assets Inventory table to refresh repeatedly even when no scan was running |
| SG-30084 | SG-C0041T234V01: Local identity provider status — Fixed the Local Identity Provider Status check to correctly analyze identity provider status instead of returning “N/A” result |
| SG-29947 | SG-C0103T169V01 - Retention rule status — Corrected logic errors in the Retention Rule Status check that caused incorrect results when retention rules were missing or unavailable |
| SG-29935 | Fixed inaccurate DDoS vulnerability detection related to advisory DSA-2025-333 |
| SG-29915 | Resolved issues in high-availability Dell PowerProtect DD (Data Domain) configuration collection that resulted in risks being incorrectly closed during node role transitions (active/standby) |
| SG-29908 | Fixed an issue that could cause the dashboard to temporarily display negative risk counts after policy changes |
| SG-29682 | Added support for ignoring NetBackup clients information in the scan and asset inventory through a configurable mediator.netbackup.skip.clients system property |
| SG-29150 | Fixed incorrect remediation guidance for end-of-life Brocade switches that cannot be upgraded to FOS 9.x |
| SG-28955 | Resolved an issue where certain Brocade switch models were missing from the Assets inventory |
| SG-27650 | Cisco - SG-C0417T037V01: Password hash strength, SG-C0418T037V01: Strong password encryption — Improved logic between password-related checks so that Password Hash Strength is marked as non-applicable when strong password encryption information is unavailable |
| SG-27593 | SG-C0306T193V01: Syslog communication protocol — Fixed an issue where the Syslog Communication Protocol check returned insufficient information result |
| SG-25718 | SG-C0148T187V01: User protocols status – cDOT — Corrected inaccurate summaries in the NetApp User Protocols Status check, ensuring reported findings accurately reflect effective protocol enforcement. |
| SG-29646 | Fixed an error message displayed after successful completion of analysis tasks that could incorrectly indicate a failure |
| SG-18696 | SG-C0387T037V01 SAN Fabric - Zone member identification — Improved SAN Fabric zone member identification to ensure accurate reporting |
Knowledgebase Updates
The following section describes new and modified checks:
New Checks
Veritas NetBackup Flex Appliance
- SG-C0060T234V02: DNS server redundancy (instance)
- SG-C0164T234V02: Required domain name (instance)
- SG-C0243T234V02: DNS server configuration (instance)
- SG-C0246T234V02: Required search domains (instance)
- SG-C0449T234V02: Approved DNS servers (instance)
- SG-C0450T234V02: Required DNS servers (instance)
- SG-C0019T234V02: Target ddboost plugin version (media servers)
VAST Cluster (New in the Support Matrix)
Renamed Checks
| System Type | Previous Name | Current Name |
|---|---|---|
| Veritas NetBackup Flex Appliance | SG-C0165T234V01: Authorization policy status | SG-C0722T234V01: Instance deletion MPA |
Additional Notes
- NetBackup Flex Appliance DNS and Domain checks have been modified to rely on the appliance /networking API
- Additional (new) checks have been created for NetBackup Flex Appliance Instance-level DNS and Domain configurations
- Configuration collection for Unisphere for PowerMax (U4P) has been enhanced to cover a broader set of API endpoints
Installation Notes for this Release
Read the Installation Procedure Chapter of the User Guide for guidance about installing StorageGuard v9.2.8. In addition, review the Deployment and Scanning resources for guidance about the StorageGuard infrastructure requirements and the preparations needed for scanning your datacenters.
Upgrade for this Release
An upgrade path to version 9.2.8 is available from the 9.2.2 release and above. If your system is currently installed with an earlier release, an upgrade to version 9.2.2 or above is mandatory before upgrading to version 9.2.8.
Important notes:
- The upgrade will require the complete stop of StorageGuard operations, including data collection and data analysis. While it is fully automatic, the length of the upgrade process may require several hours to complete in large environments. During this time, it is important not to restart the StorageGuard server or terminate the upgrade task. In addition, it is essential that the database used by StorageGuard be available throughout the upgrade process.
- Prior to upgrading, take care to read the release notes in full, and make any necessary changes to the StorageGuard infrastructure and/or to user account permissions as required, and ensure sufficient free disk space is available on the master server. It is important to review newly required read-only privileged commands and make necessary changes to sudo0F to allow StorageGuard to run the commands.
- Prior to upgrading, verify you have an up-to-date backup of the StorageGuard server disk drives using your standard backup tools, and an up to date StorageGuard database export.
- Once the upgrade on the master StorageGuard server is completed and the Tomcat service starts, StorageGuard will automatically check and upgrade the StorageGuard collectors. There is no manual collector upgrade process. For gradual collector upgrade, disable the collectors before initiating the upgrade on the master server, and gradually enable the collectors you wish to upgrade following the completion of the software upgrade on the master server.
To upgrade from version 9.2.7 to version 9.2.8:
- Login as a local administrator to the master StorageGuard Server.
- Run ContinuitySuite_9.2.8.exe as an administrator.
- Click Next on the Welcome screen.
- Select “Yes, upgrade Continuity Suite 9.2.7 to 9.2.8”.
- Accept the License Agreement and click Next.
- Accept the GNU License Agreement and click Next.
- Select whether to perform a database export prior to upgrading and whether to start Tomcat after the upgrade completes and click Next. It is recommended to keep the default settings.
- Click Install to begin the Software Upgrade process. This process may require up to several hours to complete, depending on the size of the scanned environment.
- Click Finish.
Important Notes
Database Locale requirement
The Database instance used as the backend database for the Continuity Software Platform must be configured with the English Locale.
Web Browser Support
StorageGuard supports Google Chrome, Firefox, and Microsoft Edge. Microsoft IE is not supported.
Recommended display size and resolution
StorageGuard’s web UI is optimized for Full HD (1080p) resolution, 21” or larger displays, and a 16:9 aspect ratio. Smaller screens or lower resolutions may cause some content to be partially hidden; if needed, use your browser’s zoom-out feature to view all information.
Scan of Storage and Replication Management servers
It is recommended to scan all production and DR storage management servers as hosts, even if they are already configured as storage proxies. Storage proxy scans operate at the API/CLI level, while host scans of the management servers enable collection of additional configuration files and settings.
Scan of Windows hosts through WMI
Scanning of Windows hosts updated with KB3139940 might fail with an “Access Is Denied” message. To overcome this failure, please make sure that the user configured to authenticate to this server is a member of the Local Administrator group on the StorageGuard server. StorageGuard also provides an alternative method of scanning Windows servers using WMI which requires PowerShell version 5.1 or higher.
User account for technical support only
The csadmin user provides access to support tools that can cause damage if not used properly; This user is intended to be used by Continuity Software support engineers only. Enable and login with the csadmin user only when directed to do so by support personnel. This user is locked by default.
Recommended scan protocol for Windows hosts
StorageGuard supports a variety of scan options for Windows hosts. The recommended scan option is using WinRM over HTTPS.
Known Issues
The following section highlights additional notable known product issues:
| Id | Description |
|---|---|
| SG-29876 | Under Scan Troubleshooting, the Storage column may not show the Storage System Name; Workaround - the name is presented in the Summary column |
| SG-29877b | The Pure Storage probe executes two incorrect API calls |
| SG-21689 | Uninstalling SG update from "Add/Remove Programs" does not work as expected |
| SG-29904 | The Cisco probe may execute commands for disabled features resulting in "Cmd exec error" |
| SG-28627 | System Properties for controlling the Unisphere for PowerMax (U4P) timeout are missing (Contact support for workaround guidance) |
| SG-27459 | Brocade FOS commands executed as part of a script do not report an error if fail to execute |
| SG-29683 | NetBackup Flex Appliance authentication will fail when the password contains special chars |
| SG-29878 | The HPE Primera probe runs several malformed commands resulting in a command error |
| SG-30576 | In certain cases, IBM FlashSystem svc_cyber_data.sh data collection may fail during the scan, impacting the success of the data retention checks (C0098T175V01, C0505T175V01) |
| SG-29861 | Under Compliance, the details column may present "Successfully scanned" even though the relevant API/CLI command failed; this is because the "Successfully scanned" message refers to the overall system's scan status and not specifically for the API/CLI command used in this check. Workaround: Review failed commands under the Scan Troubleshooting or Task Manager UI |
| SG-29840 | The inventory does not present Commvault components such as HSX Storage and Media Agents |
| SG-30350 | Verification for certain technologies (including NetBackup Flex, PowerMax/VMAX Unisphere, PowerStore, Unity, Hitachi NAS, and others) may incorrectly appear successful even when invalid connection details are provided |
| SG-30092 | Unisphere for PowerMax is presented as “Unisphere VMAX” in the inventory |
| SG-30082 | ONTAP SVM (vserver) assets may not display serial numbers in the inventory view |
| SG-29750 | During upgrades, the installation wizard may prompt to update Java even when the same version is already installed |
| SG-29966 | Several ONTAP checks do not support detection based on REST API, only based on ZAPI: SG-C0162T187V04: Expired SSL certificate - OU, SG-C0447T187V02: Self-signed certificate - OU, SG-C0195T187V01: Firewall status, SG-C0384T187V01: Active Telnet (Firewall policy) |
| SG-29913 | Certain ONTAP checks may incorrectly result in Insufficient Information status: SG-C0025T187V01: LDAP server redundancy, SG-C0128T187V01: CIFS SMB anonymous user access restriction, SG-C0546T187V01: LDAP AD enabled, SG-C0551T187V01: Dynamic authorization status, SG-C0001T187V01: Audit logging status, SG-C0024T187V01: Authentication server redundancy, SG-C0098T187V01: Data retention period, SG-C0163T187V01: Approved AD domain, SG-C0097T187V01: Data retention mode, SG-C0141T187V01: IPv6 status, SG-C0242T187V01: NDMP authentication type, SG-C0300T187V01: Snapshot autodeletion, SG-C0552T187V01: Authorization policy rules |
| SG-28910 | The DDOS "SG-C0386T061V01: Telnet uninstalled" check analyzed the service status instead of installation status |
| SG-29747 | The correct name for PowerMax check SG-C0175T121V01 is "Event types enabled for syslog" |
| SG-28166 | The Brocade "SG-C0419T031V01: SNMPv3 user authentication protocol" check shows SNMPv3 users without authentication instead of incorrect hash algorithm |
| SG-29746 | Inaccurate name for PowerMax checks SG-C0025T091V01, SG-C0039T091V01, SG-C0060T091V01, SG-C0243T091V01, SG-C0449T091V01; these checks inspect DNS and LDAP configurations on PowerMax NAS |
| SG-30593 | The following IBM FlashSystem checks may display inaccurate or incomplete command/API references in the evidence section: C0209T175V01 – Idle session timeout (remote support), C0031T175V01 – Authentication server configuration, C0038T175V01 – Kerberos status, C0039T175V01 – LDAP server configuration. Scan results are not affected. |
| SG-30590 | The IBM FlashSystem Protected copy checks (C0293T175V02, C0293T175V03) may return Insufficient Information when no recovery copies are configured |
| SG-30588 | The IBM FlashSystem check SG-C0447T175V01 – Self-signed certificate may flag system certificates that are part of the default IBM certificate chain and are not user-replaceable |
| SG-30585 | The IBM FlashSystem CHAP checks (C0411T175V01, C0411T175V02) may report Insufficient Information when iSCSI is not configured or not in use |
| SG-30583 | The IBM FlashSystem check SG-C0039T175V01 – LDAP server configuration may not include complete supporting evidence even when LDAP is enabled |
| SG-30575 | The IBM FlashSystem check SG-C0209T175V01 Idle session timeout (remote support) may be reported as non-compliant when remote support is disabled, where the setting is not applicable |
| SG-30520 | On Hitachi NAS systems, the check SG-C0123T230V01 – SNMP versions enabled may be marked as Not Applicable despite SNMP being enabled |
| SG-30519 | On Hitachi NAS systems, the SG-C0243T230V01 DNS server configuration check may return Insufficient Information when DNS is not configured or when an empty API response is returned |
| SG-30518 | On Hitachi NAS systems, the check SG-C0171T230V01 – NTP server configuration may generate false findings in certain environments |
| SG-30516 | On Hitachi NAS systems, the checks SG-C0039T230V01 – LDAP server configuration, SG-C0546T230V01 – LDAP AD enabled, and SG-C0451T230V01 – Antivirus scan status may return Insufficient Information when the related services are not configured |
| SG-30194 | ONTAP end of support checks (C0600T187V01, SG-C0600T187V02, SG-C0602T187V0, C0602T187V02) may return Insufficient Information despite lifecycle data being available |
| SG-30176 | ONTAP checks SG-C0172T187V01 – NTP service status and SG-C0171T187V01 – NTP server configuration may appear as duplicate or overlapping checks |
Limitations
Assigning a profile to an Active Directory group
When assigning a profile to an AD Universal Group, the StorageGuard master server must have access to the Global Catalog of the AD Forest.
When assigning a profile to an AD Local Domain Group, StorageGuard will not be able to assign the Profile to AD Users from a different Domain – even though such configuration is valid within AD. In other words – an AD user can log in to StorageGuard (with all the correct profiles assigned) only if each AD Local Domain Group it belongs to is part of the same AD Domain the AD user belongs to.
Special characters are converted during object import to StorageGuard
When importing names and properties of objects from CSV/CMDB/API, special characters such as “&”, ‘no-break-space’ and certain UTF8 chars are converted to alphanumeric chars.
In specific cases scan error messages are not sufficiently informative
The Scan Troubleshooting screen occasionally presents scan error messages that include the error code, but no additional details.
Workaround: Run the erroneous command or script manually to see the full scan error message. If further assistance is required, contact Technical Support.
SSH key supports only keys with less than 4000 characters [P-6645]
Elevated rights required for certain read-only Commvault API calls
Few of the optional read-only API calls executed by StorageGuard on Commvault require elevated rights - SNMP & Audit Trail API. It's recommended to grant these rights to enable StorageGuard to perform a comprehensive risk analysis, however it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands.
Elevated rights required for certain read-only Dell Data Domain commands
Few of the read-only commands executed by StorageGuard on Data Domain require the limited-admin role. It's recommended to grant these rights to enable StorageGuard to perform a comprehensive risk analysis however it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only user role.
Elevated rights required for certain read-only Dell Unity API calls
Few of the read-only API calls executed by StorageGuard on Unisphere for Unity require the security administrator role. It's recommended to grant these rights to enable StorageGuard to perform a comprehensive risk analysis however it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only operator role.
Elevated rights required for certain read-only Hitachi Ops Center API calls
Few of the read-only API calls executed by StorageGuard on Hitachi Ops Center require the Security Administrator role. It's recommended to grant these rights to enable StorageGuard to perform a comprehensive risk analysis however it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only operator role.
Elevated rights required for scanning Windows hosts
It’s recommended to scan a Storage Management system both at the application level and the OS level. OS-level scan is optional but recommended for a comprehensive security configuration analysis. The OS-level scan is performed by connecting through either WinRM or WMI and then running read-only commands and queries. These commands and queries, even though read-only, require elevated rights.
NetBackup version support
StorageGuard supports scanning NetBackup systems from release 8.1 and above. NetBackup 7.x and 8.0.x are not supported.
CVE detection limitation
StorageGuard may report a CVE vulnerability that was either worked around or mitigated through remedial steps other than applying software updates.
CVE detection knowledgebase
The CVE knowledgebase is limited to advisories and CVEs that have been publicly announced by the vendor, MITRE or other source to the community.
PowerMax 5978 patch level
StorageGuard cannot determine the patch level for Dell PowerMax 5978 arrays, only the microcode.
NetApp StorageGRID model and serial number (SG-30081)
The StorageGuard inventory does not present StorageGRID model and serial number in the inventory due to API limitations.
Revision History
Document revision history:
| Revision | Date | Description |
| 1.0 | 8 January 2026 | Initial publication |
| 1.1 | 14 January 2026 | Updated note on Unisphere for PowerMax |
Comments
0 comments
Please sign in to leave a comment.