At a Glance – StorageGuard 9.2.9
- New platform support for HPE Alletra MP and CTERA
- New application authentication options, including SAML and HashiCorp
- New Custom Check Fields, allowing administrators to add and manage custom metadata on checks and findings
- Expanded configuration collection and knowledgebase for Dell (PowerMax, PowerProtect DD, Unity), Hitachi (NAS, Ops Center), Infinidat, Commvault, NetApp ONTAP, and additional platforms
- Expanded Auto Update capabilities to include configuration checks and scan definitions
StorageGuard overview
Key benefits of StorageGuard
StorageGuard offers the following key benefits for enterprise storage and backup environments.
Configuration Baselines and Drift Management
- Prevent configuration drift by defining approved configuration baselines, ensuring consistent deployment across the environment, and continuously monitoring for deviations.
- Eliminate manual configuration validation efforts by leveraging automated scans and actionable findings enriched with evidence and remediation guidance.
- Streamline reporting and remediation workflows using built‑in integrations (e.g., ServiceNow, Jira, CyberArk, HashiCorp) and comprehensive APIs.
- Automate configuration audit reporting and organizational requirements by easily defining custom security configuration checks and tailored reports.
Security and Compliance
- Maintain the security of storage and backup infrastructure by validating alignment with vendor‑recommended hardening guidelines and security configuration best practices.
- Prepare for audits and demonstrate compliance with industry standards, regulatory requirements, and cybersecurity frameworks, including NIST, CIS Controls, PCI DSS, FFIEC, NERC CIP, DORA, NIS2, HIPAA, CRI, and others.
- Proactively manage end‑of‑support (EOS) risks through advance notifications identifying systems affected by upcoming EOS events.
- Identify and remediate security exposures related to vendor advisories, known vulnerabilities (CVEs), and missing patches.
Enterprise Platform Coverage
- Support for enterprise storage and backup technologies, including NAS, AI storage, Object Storage, SDS, SAN arrays, Storage Networks, Storage Management, Storage Virtualization, Data Protection systems, Cloud storage and more.
- Support for heterogeneous, multi‑vendor storage and backup environments, covering leading platforms from Dell, VAST Data, Hitachi, Cohesity, IBM, Everpure (Pure Storage), HPE, Amazon, Commvault, NetApp, Rubrik, Lenovo, Azure, Veeam, Nasuni, CTERA, Fujitsu, Broadcom (Brocade), Veritas, Cisco and more.
- Enterprise‑grade architecture delivering a secure, scalable solution that is easily customizable and integrable with existing management systems.
New in Version 9.2.9
New features and highlights
This StorageGuard release introduces new features and major enhancements in the following areas:
Support for HPE Alletra MPStorageGuard now supports HPE Alletra MP systems, enabling the collection of security configurations and the automatic identification of best-practice violations and vulnerabilities.
Support for CTERAThis release adds support for CTERA, allowing StorageGuard to collect security configurations and automatically identify vulnerabilities across CTERA portals and edge filers.
Custom Check Fields Users can now define custom fields for checks. These fields appear in findings on the Risks page and in Configuration compliance and Vulnerability Status reports. Administrators can configure the field name, value type, and default value. Default values can be overridden on the finding level. Refer to StorageGuard Custom Check Fields for additional information. |
|
|
Enhanced Auto Update The automatic update capability has been expanded to include configuration checks and scans, in addition to the previously supported updates for security advisories and CVE vulnerabilities. To benefit from the enhancements, configure new automatic update options. Refer to Updating the StorageGuard Knowledge Base – User Guide to learn more. | |
|
Additional authentication option for the StorageGuard application (SAML, Hashicorp) StorageGuard now supports SAML-based authentication, in addition to the existing OIDC support. Moreover, StorageGuard now supports Hashicorp-based authentication for the StorageGuard application, in addition to the existing support for using Hashicorp for scan credentials. | |
Enhanced securityThis release includes security enhancements and resolves third-party vulnerabilities. Refer to Support Announcements for additional information. | |
Note: As part of the Core6 rebranding process, certain screens, documents, and other materials now reference Core6 instead of the former company name, Continuity Software.
Additional changes and enhancements
The following section highlights additional notable changes or enhancements:
| Id | Description |
| SG-11021 | Expanded Infinidat Infinibox configuration collection. |
| SG-30136 | Enhanced support for Dell Unisphere for PowerMax (U4P). |
| SG-30347 | Enhanced support for Hitachi NAS (HNAS) appliances. |
| SG-20802 | Expanded Dell PowerProtect DD (Data Domain) configuration collection. |
| SG-28230 | The Asset Inventory has been updated to present Commvault HyperScale X (HSX) systems. |
| SG-30441 | Added the ability to control the username pattern when using CyberArk |
| SG-27953 | The “SG-C0239T187V01: Multi-factor authentication” check was enhanced to allow excluding service accounts with 1FA by design |
| SG-30135 |
The system now supports new types of scheduled tasks: Discovery - the system shall run only commands and APIs required for asset discovery Vulnerability Analysis - the system shall analyze exposure to security advisories and vulnerabilities (security configuration and baseline checks are not included) |
| SG-30492 | The system now supports configuring a proxy for Azure AD integration. Define the proxy in the Proxy Configuration screen, and then select it within the Azure AD Integration configuration screen. |
| SG-30488 | A restricted administrative option is now available to delete risk findings (disabled by default). This capability is intended for controlled scenarios, such as transitioning scanned environments from Pilot to Production. |
| SG-28879 | Improved System Event Log: comprehensive event logging and additional fields (actor, object and more) |
| SG-30463 | Added information about the StorageGuard database connection in the About screen |
| SG-29340 | Added a last update timestamp on the View Security Collection screen |
| SG- 26217 | Added support for TLS 1.3 for StorageGuard communication |
| SG-29703 | Support for breadcrumbs UI navigation |
| SG-30351 | Add ability to bulk edit priority of check type |
| SG-30274 | Support for exporting reports to JSON |
Fixed issues
The following issues are resolved:
| Id | Description |
| SG-28992 | Resolved scenarios where the “SG-C0191T187V01: NFS export ACL status” ONTAP check does report a finding. |
| SG-31175 | Inaccurate details and remediation for “SG-C0234T187V01: Maximum password age”. |
| SG-31191 | ONTAP: Evidence data incorrectly displayed as CLI Instead of API. |
| SG-31188 | In certain conditions, users may be able to scan more systems than licensed. |
| SG-31108 | Security Policies: the “Enabled” column is missing in export to Excel. |
| SG-30711 | Pure FlashArray: NTP configuration collection issue in newer PureFA versions. |
| SG-30928 | Findings closed and reopened following Commvault name collection enhancements. |
| SG-30926 | The SG-C0015T031V01 – Required/Approved Syslog servers checks for Brocade are not working as expected. |
| SG-30925 | Risks details page: unable to add Assignee and Due Date together |
| SG-30880 | Compliance Details: Export is not working for column Evidence. |
| SG-30879, SG-30878, SG-30877, SG-30876 | Incorrect findings for the ONTAP SG-C*T187V01 (password rules) checks. |
| SG-30860 | Insufficient distinction between Cisco MDS and Nexus models in End of Support detection |
| SG-30836 | Suboptimal textual description for the “SG-C0468T169V01: Maximum concurrent sessions” check. |
| SG-30831 | License Expiration Notification improvements. |
| SG-30776 | Active Directory Group Profile not being displayed in Edit Mode. |
| SG-30753 |
Outdated PMAX/VMAX probe types: Dell EMC PMAX / VMAX → Dell Solution Enabler Dell EMC PMAX / VMAX (Unisphere) → Dell Unisphere for PMAX |
| SG-30751 | Risk Details: Newly created users are not assigned when added from Assignee field. |
| SG-30682 | Outdated proxy type name for IBM Spectrum Protect. |
| SG-30667 | Analysis dates are kept for no more than 45 days. |
| SG-30660 | Custom collection expansion packages: the backup dialog does not present all packages. |
| SG-30659 | Manage custom data collection resources: The filter by column “Active” is not working. |
| SG-30599, SG-30600, SG-30645 | Resolved Export/Import issues for custom checks. |
| SG-30593 | Incorrect Command/API shown for several IBM FS checks. |
| SG-30583, SG-30585, SG-30586, SG-30592, SG-30575 | Improved detection and details for IBM checks: SG-C0039T175V01: LDAP server configuration, SG- C0411T175V01/2: CHAP authentication mode, SG-C0395T175V01: SMTP server configuration, SG-C0293T175V02/3: Protected recovery copies, C0155T175V01 / C0156T175V01 - SNMP service, SG-C0209T175V01: Idle session timeout - remote support. |
| SG-30578 | Selections are not saved in the analysis scope dialog of the security policy. |
| SG-30576 | IBM SVC configuration collection failure. |
| SG-30574 | Setting “today” for the “Suppress Until” action does not work properly . |
| SG-30548 | Custom data collection: Assign items to expansion package failure. |
| SG-30489 | Scan task: discovery may cause closure and reopen of risks in certain circumstances. |
| SG-30350 | Incorrect successful status presented for the ‘verify’ action on NetBackup Flex Appliance . |
| SG-30284 | Partial End-of-Support (EOS) detection for Dell PowerMax 10.x Family. |
| SG-30238 | An Active Directory user cannot be added without an email address. |
Knowledgebase Updates
The following section describes new and modified checks:
New Checks
- Dell Unisphere for PowerMax
- SG-C0315T121V01: Approved SYMAPI servers
- SG-C0320T121V01: Required SYMAPI client hosts
- SG-C0347T121V01: SNMP trap host configuration
- SG-C0156T121V01: SNMP service status
- SG-C0205T121V01: Host access list
- SG-C0600T121V01: End of support, SG-C0600T121V02: Future end of support
- SG-C0163T121V01: Approved AD domain (PMAX/SE users)
- SG-C0019T121V03: Target OS version - unisphere
- SG-C0019T121V02: Target OS version - PMAX
- SG-C0019T121V01 OS version - SE
- SG-C0056T121V01: Default passwords
- SG-C0331T121V01: Audit log retention
- SG-C0363T121V01: SE client security level
- SG-C0231T121V01: Non-default local users (PMAX/SE users)
- SG-C0119T121V01: Unapproved user groups (PMAX/SE users)
- SG-C0032T121V01: Central authentication (PMAX/SE)
- SG-C0015T121V01/C0016T121V01: Approved/Required Syslog servers (SE's SYSLOG)
- Cohesity Veritas NetBackup
- SG-C0019T234V03: Target media version
- Dell PowerProtect DD
- SG-C0573T061V01 Mtree Retention Log Level
- SG-C0723T061V01: Required Kerberos realm
- Brocade SAN
- SG-C0422T031V01: SNMPv3 privacy encryption algorithm
- Hitachi NAS
- SG-C0553T230V01: Secure FTP enabled
- SG-C0058T230V01: SNMP community default string
- SG-C0197T230V03: Client IP ACL - SSC
- SG-C0197T230V02: Client IP ACL - REST
- SG-C0197T230V01: Client IP ACL - HTTPS
- SG-C0468T230V03: Maximum concurrent sessions - SSC
- SG-C0468T230V01: Maximum concurrent sessions - HTTPS
- SG-C0468T230V02: Maximum concurrent sessions - REST
- SG-C0380T230V01: FTP service status
- SG-C0155T230V01: SNMP service disabled
- NetApp ONTAP
- SG-C0031T187V01: Authentication server configuration
- Dell PowerScale
- SG-C0137T073V01: Disable inactive users
- Commvault
- SG-C0065T049V1: Data at-rest encryption - Disk Pool
- SG-C00065T049V2: Data at-rest encryption - HyperScale Storage
- SG-C0568T049V1: Client encryption key length - Disk Pool
- SG-C0568T049V2: Client encryption key length - HyperScale Storage
- SG-C0073T049V1: Data encryption strength - Disk Pool
- SG-C0073T049V2: Data encryption strength - HyperScale Storage
- SG-C0119T049V1: Unapproved user groups - Disk Pool
- SG-C0119T049V2: Unapproved user groups - HyperScale Storage
Removed (Obsolete) Checks
- NetApp ONTAP
- SG-C0447T187V01: Self-signed certificate
- SG-C0448T187V01: Trusted certificate-authority (CA)
- SG-C0162T187V01: Expired SSL certificate
- SG-C0172T187V01: NTP service status
- HPE 3PAR
- SG-C0239T244V02: Multi-factor authentication - SSMC
Renamed Checks
None.
Additional Notes
- Parameter change for “NFS versions enabled” checks: now controlled through a minimum version parameter as opposed to enabled/disabled by version.
Installation Notes for this Release
Read the Installation Procedure Chapter of the User Guide for guidance about installing StorageGuard v9.2.9. In addition, review the Deployment and Scanning resources for guidance about the StorageGuard infrastructure requirements and the preparations needed for scanning your datacenters.
Upgrade for this Release
An upgrade path to version 9.2.9 is available from the 9.2.2 release and above. If your system is currently installed with an earlier release, an upgrade to version 9.2.2 or above is mandatory before upgrading to version 9.2.9.
Important notes:
- The upgrade will require the complete stop of StorageGuard operations, including data collection and data analysis. While it is fully automatic, the length of the upgrade process may require several hours to complete in large environments. During this time, it is important not to restart the StorageGuard server or terminate the upgrade task. In addition, it is essential that the database used by StorageGuard be available throughout the upgrade process.
- Prior to upgrading, take care to read the release notes in full, and make any necessary changes to the StorageGuard infrastructure and/or to user account permissions as required, and ensure sufficient free disk space is available on the master server. It is important to review newly required read-only privileged commands and make necessary changes to sudo to allow StorageGuard to run the commands.
- Prior to upgrading, verify you have an up-to-date backup of the StorageGuard server disk drives using your standard backup tools, and an up to date StorageGuard database export.
- Once the upgrade on the master StorageGuard server is completed and the Tomcat service starts, StorageGuard will automatically check and upgrade the StorageGuard collectors. There is no manual collector upgrade process. For gradual collector upgrade, disable the collectors before initiating the upgrade on the master server, and gradually enable the collectors you wish to upgrade following the completion of the software upgrade on the master server.
To upgrade from version 9.2.8 to version 9.2.9:
- Login as a local administrator to the master StorageGuard Server.
- Run ContinuitySuite_9.2.9.exe as an administrator.
- Click Next on the Welcome screen.
- Select “Yes, upgrade Continuity Suite 9.2.8 to 9.2.9”.
- Accept the License Agreement and click Next.
- Accept the GNU License Agreement and click Next.
- Select whether to perform a database export prior to upgrading and whether to start Tomcat after the upgrade completes and click Next. It is recommended to keep the default settings.
- Click Install to begin the Software Upgrade process. This process may require up to several hours to complete, depending on the size of the scanned environment.
- Click Finish.
Important Notes
Database Locale requirement
The Database instance used as the backend database for the Continuity Software Platform must be configured with the English Locale.
Scan of Storage and Replication Management servers
It is recommended to scan all production and DR storage management servers as hosts, even if they are already configured as storage proxies. Storage proxy scans operate at the API/CLI level, while host scans of the management servers enable collection of additional configuration files and settings.
Scan of Windows hosts through WMI
Scanning of Windows hosts updated with KB3139940 might fail with an “Access Is Denied” message. To overcome this failure, please make sure that the user configured to authenticate to this server is a member of the Local Administrator group on the StorageGuard server. StorageGuard also provides an alternative method of scanning Windows servers using WMI which requires PowerShell version 5.1 or higher.
User account for technical support only
The csadmin user provides access to support tools that can cause damage if not used properly; This user is intended to be used by Continuity Software support engineers only. Enable and login with the csadmin user only when directed to do so by support personnel. This user is locked by default.
Recommended scan protocol for Windows hosts
StorageGuard supports a variety of scan options for Windows hosts. The recommended scan option is using WinRM over HTTPS.
Known Issues
The following section highlights additional notable known product issues:
| Id | Description |
| SG-30082 | ONTAP SVM (vserver) assets may not display serial numbers in the inventory view |
| SG-29904 | The Cisco probe may execute commands for disabled features resulting in "Cmd exec error" |
| SG-29876 | Under Scan Troubleshooting, the Storage column may not show the Storage System Name; Workaround - the name is presented in the Summary column |
| SG-29861 | Under Compliance, the details column may present "Successfully scanned" even though the relevant API/CLI command failed; this is because the "Successfully scanned" message refers to the overall system's scan status and not specifically for the API/CLI command used in this check. Workaround: Review failed commands under the Scan Troubleshooting or Task Manager UI |
| SG-28627 | System Properties for controlling the Unisphere for PowerMax (U4P) timeout are missing (Contact support for workaround guidance) |
| SG-27459 | Brocade FOS commands executed as part of a script do not report an error if fail to execute |
| SG-21689 | Uninstalling SG update from "Add/Remove Programs" does not work as expected |
Limitations
Assigning a profile to an Active Directory group
When assigning a profile to an AD Universal Group, the StorageGuard master server must have access to the Global Catalog of the AD Forest.
When assigning a profile to an AD Local Domain Group, StorageGuard will not be able to assign the Profile to AD Users from a different Domain – even though such configuration is valid within AD. In other words – an AD user can log in to StorageGuard (with all the correct profiles assigned) only if each AD Local Domain Group it belongs to is part of the same AD Domain the AD user belongs to.
Special characters are converted during object import to StorageGuard
When importing names and properties of objects from CSV/CMDB/API, special characters such as “&”, ‘no-break-space’ and certain UTF8 chars are converted to alphanumeric chars.
In specific cases scan error messages are not sufficiently informative
The Scan Troubleshooting screen occasionally presents scan error messages that include the error code, but no additional details.
Workaround: Run the erroneous command or script manually to see the full scan error message. If further assistance is required, contact Technical Support.
SSH key supports only keys with less than 4000 characters [P-6645]
Elevated rights required for certain read‑only API calls and commands
Some optional read‑only APIs and commands executed by StorageGuard on specific platforms require elevated privileges. Granting these rights is recommended to enable a more comprehensive risk analysis, but it is not mandatory.
Regardless of the permissions granted, StorageGuard executes read‑only APIs and commands only.
Platform‑specific notes:
- Commvault: Certain optional read‑only API calls (including SNMP and Audit Trail APIs) require elevated rights.
- Dell PowerProtect Data Domain: Some read‑only commands require the limited‑admin role. Alternatively, the scan user can be configured with the read‑only user role.
- Dell Unity (Unisphere for Unity): Some read‑only API calls require the Security Administrator role. Alternatively, the scan user can be configured with the read‑only operator role.
- Hitachi Ops Center: Some read‑only API calls require the Security Administrator role. Alternatively, the scan user can be configured with the read‑only operator role.
- Windows hosts: OS‑level scanning (via WinRM or WMI) runs read‑only commands and queries but requires elevated rights. OS‑level scans are optional but recommended, in addition to application‑level scans, for comprehensive security configuration analysis.
CVE detection limitation
StorageGuard may report a CVE vulnerability that was either worked around or mitigated through remedial steps other than applying software updates.
CVE knowledgebase
The CVE knowledgebase is limited to advisories and CVEs that have been publicly announced by the vendor, MITRE or other source to the community.
PowerMax 5978 patch level
StorageGuard cannot determine the patch level for Dell PowerMax 5978 arrays, only the microcode.
NetApp StorageGRID model and serial number (SG-30081)
The StorageGuard inventory does not present StorageGRID model and serial number in the inventory due to API limitations.
Revision History
Document revision history:
| Revision | Date | Description |
| 1.0 | 11 March 2026 | Initial publication |
Comments
0 comments
Please sign in to leave a comment.