Vault to Vault
This feature makes it possible to transfer files between different networks using a secure and controlled connection. When enabled, all file and folder operations will be sent from the primary Vault to the destination Vault server. Based on the following transfer policies file operation rules can be specified:
- All files
- Only allowed files
- Only supervisor approved files (only when Supervisor approval feature is enabled)
Supported operations
The supported file and folder actions can be seen in the table below:
| Operation | File | Folder |
|---|---|---|
| Upload (Create) | ||
| Share | ||
| Move | ||
| Rename | ||
| Delete |
MetaDefender Vault versions should be identical on primary and destination server.
Guest user creation is also supported. Please keep in mind that the other user manipulation actions (update, delete, etc.) are not implemented.
Configuration
The functionality can be configured by navigating to the Settings page and then choose Vault to Vault
By default the feature is disabled. In order to enable the feature and proceed to configuration, the user must switch on "Enable mirroring".
In order to connect with an upstream Vault instance, the following steps must be performed:
- Provide the REST URL of the upstream Vault instance. The URL must have the following format <schema>://<address>:<port>/[vault_rest].
It is important to provide the absolute URL and path to the secondary Vault's REST service (i.e. http://192.168.0.2:8010/vault_rest).
- Log in with an administrator account on the second Vault and generate an API key. The generated API key will be used to authorize requests from the first vault.
- Enforce Synchronization: by default this option is disabled, turn on if you want to show bad requests when there is any desynchronization between the two Vaults
Transfer policy configuration specified which files should be transferred:
- Transfer all files
- Transfer only allowed files
- Transfer only supervisor approved files (only if Supervisor approval feature is enabled):
- A file is considered supervised if:
- the file is approved by the required supervisors
- the file is revoked by a supervisor
- the file is revoked by an administrator
- Files that have been blocked by MetaDefender Core can be supervised only if they receive an administrator approval
- All files in a group transfer must be supervised before the request can be forwarded to the upstream Vault instance. This includes files stored in the recycle bin.
- A file is considered supervised if:
Administrators can now revoke blocked files, regardless of ownership.
This additional entitlement carries the benefit of expressiveness. Prior to version 3.1.0, we had no way to signal if an administrator had inspected a blocked file. An administrator could only approve a blocked file, thus making it available to supervisors.
The Supervisor Approval feature must be enabled, in order for the Transfer only supervisor approved files policy to work as expected.
If the feature is turned off the following validation error will be displayed, and the update button will be disabled.
Future file uploads will not be transferred to the destination Vault until either of the following steps is made:
- supervisor approval is enabled
- other transfer policy is selected
(Optional) Aggregate all file/folder actions to a single user. All forwarded actions will be interpreted as if the impersonated user requested them. For example, files will be uploaded to the impersonated user's account regardless of the user who initiated the actions on the first vault.
The impersonated user must exist on both Vault instances. This implies that both instances must integrate with the same Active Directory or have the same local accounts created. If the impersonated user does not exist then all requests will be done on behalf of the user which generated the API key.
- (Optional) Validate settings - If enabled, an initial connection test is performed to ensure that the settings are valid. If disabled, no attempt is made to validate the configuration. This can be useful when responses from the other network are not allowed.
In the case, a data diode is deployed between the two Vault servers it may be impossible to receive a response from the second Vault. The validation feature will have to be manually turned off in order for the setup to work.
