PowerScale: How to disable/enable SMB encryption along with other information in SMB2/SMB3 versions
Summary: PowerScale OneFS has supported SMB3, an expansion of the SMB2 dialect, since OneFS 7.1.1. SMB3 is enabled by default and has been supported by Windows clients since Windows 8/Windows Server 2012. Server Message Block (SMB) clients negotiate the SMB dialect to use for the connection with the SMB server (PowerScale); the highest dialect supported by both sides is selected and used. So unless the customer is using Windows 7 or earlier, they are most likely already using SMB3, which has been the standard for Windows clients since Windows 8. ...
Instructions
Run the command below from a node; it shows which version of the SMB protocol each client connected to that node is using.
# isi smb sessions list --verbose --format=table
How to Enable SMB3 encryption in a cluster:
By default, SMB3 encryption is disabled. To enable SMB3 encryption, and permit both encrypted and unencrypted clients access to the server:
1. Go to Protocols > Windows Sharing (SMB) > Server Settings.
2. In the Encryption section, under Enable encryption on encryption-capable SMB clients, select Use Custom.
3. Check Enable encryption on encryption-capable SMB clients.
Both encrypted and unencrypted clients are allowed access.
There are no settings in PowerScale OneFS to allow only SMB3 clients and deny SMB2 client connections. However, with 'Reject Unencrypted Access' enabled, SMB2 clients do not connect, as explained below.
As we can see in the example below, 'Reject Unencrypted Access' is enabled by default. This means that when SMB3 encryption is enabled (and ONLY then), any unencrypted traffic is rejected, which covers both SMB2 and SMB1 traffic.
Command to check SMB settings globally:
# isi smb settings global view
Access Based Share Enum: No
Dot Snap Accessible Child: No
Dot Snap Accessible Root: Yes
Dot Snap Visible Child: No
Dot Snap Visible Root: Yes
Enable Security Signatures: No
Guest User: nobody
Ignore Eas: No
OneFS CPU Multiplier: 4
OneFS Num Workers: 0
Reject Unencrypted Access: Yes <<<<<<<<<<<<<<
Require Security Signatures: No
Server Side Copy: Yes
Server String: PowerScale Server
Support Multichannel: Yes
Support NetBIOS: No
Support SMB2: Yes
Support Smb3 Encryption: No <<<<<<<<<<<<<
Since SMB3 encryption is disabled by default, the option 'Reject Unencrypted Access: Yes' has no effect. Once SMB3 encryption is enabled, it becomes effective.
The detailed explanation on encryption is available in the 'PowerScale Design and Considerations for SMB' document as attached.
If administrators want to avoid SMB2 connections being rejected when SMB3 encryption is enabled, they can modify the attribute 'Reject Unencrypted Access' to "no" (disabled). This allows SMB2 connections while SMB3 connections are encrypted as per the settings. This setting can also be set globally or at a specific zone level or for a particular share.
If we "require" encryption by setting (globally or on an access zone) both settings to ' Yes ' like below:
Support Smb3 Encryption: Yes
Reject Unencrypted Access: Yes
The share setting 'Smb3 Encryption Enabled' is implicitly set to 'Yes', that is, encryption is enabled on all shares regardless of the share-level setting. In short, "if we require encryption, we also implicitly enable it."
It is recommended that this be tested on a designated test share prior to implementing it globally or at a specific zone level.
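The three combinations described above (encryption disabled, encryption enabled with unencrypted access still allowed, encryption required) are easy to misread from the raw settings output, because 'Reject Unencrypted Access: Yes' is the default and means nothing until 'Support Smb3 Encryption' is also 'Yes'. The following POSIX shell script is an added example, not part of the original article or of Dell's own tooling: it reads the text of `isi smb settings global view` and reports the effective posture. The three settings blocks embedded in it are constructed samples, and the `isi smb settings global modify` flag names in the comment are an assumption to be verified with `--help` on the cluster.

```shell
#!/bin/sh
# Classify the effective SMB encryption posture from the output of
# `isi smb settings global view`, read on stdin. Prints one word:
#   disabled - Support Smb3 Encryption: No  (Reject Unencrypted Access has no effect)
#   optional - Encryption: Yes, Reject: No  (SMB3 sessions encrypted, SMB2/unencrypted still allowed)
#   required - Encryption: Yes, Reject: Yes (unencrypted SMB1/SMB2 rejected, all shares encrypted)
smb_encryption_mode() {
    awk -F': *' '
        # take only the first word of the value so trailing annotations
        # such as "<<<<<" in pasted output are ignored
        $1 == "Support Smb3 Encryption"  { split($2, v, " "); enc = tolower(v[1]) }
        $1 == "Reject Unencrypted Access" { split($2, v, " "); rej = tolower(v[1]) }
        END {
            if (enc != "yes")      print "disabled"
            else if (rej == "yes") print "required"
            else                   print "optional"
        }'
}

# Constructed sample: OneFS defaults (matches the article's example output).
SAMPLE_DEFAULT=$(cat <<'EOF'
Enable Security Signatures: No
Reject Unencrypted Access: Yes <<<<<<<<<<<<<<
Server String: PowerScale Server
Support SMB2: Yes
Support Smb3 Encryption: No <<<<<<<<<<<<<
EOF
)

# Constructed sample: encryption enabled, SMB2 clients still admitted.
SAMPLE_OPTIONAL=$(cat <<'EOF'
Reject Unencrypted Access: No
Support SMB2: Yes
Support Smb3 Encryption: Yes
EOF
)

# Constructed sample: encryption required; share-level setting is overridden.
SAMPLE_REQUIRED=$(cat <<'EOF'
Reject Unencrypted Access: Yes
Support SMB2: Yes
Support Smb3 Encryption: Yes
EOF
)

# Assumed CLI equivalent of the WebUI steps (flag names not confirmed by the
# article; check `isi smb settings global modify --help` before use):
#   isi smb settings global modify --support-smb3-encryption=yes --reject-unencrypted-access=no

# Demo: classify each constructed sample.
for name in DEFAULT OPTIONAL REQUIRED; do
    eval "sample=\$SAMPLE_$name"
    printf '%-8s -> %s\n' "$name" "$(printf '%s\n' "$sample" | smb_encryption_mode)"
done
```

On a cluster node, after sourcing the script, `isi smb settings global view | smb_encryption_mode` gives the live answer; run the same check per access zone before changing anything globally, since the zone-level settings can differ from the global ones.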
Additional Information
https://www.delltechnologies.com/asset/en-us/products/storage/industry-market/h17463-powerscale-design-and-considerations-for-smb.pdf
See Page 36.
PowerScale: OneFS Upgrades Info Hub
Additional information from Microsoft:
https://cloudblogs.microsoft.com/windowsserver/2012/04/19/smb-2-2-is-now-smb-3-0/