topic Re: Blocking SMB Traffic in Advanced Threat Prevention Discussions

Blocking SMB Traffic

ce1028 — Mon, 07 May 2018 03:43:26 GMT

I was doing a review of some firewall policies and noticed the company I am consulting for is allowing all applications risk 1 through 3 from their trust to untrust zones. Not sure why it's setup that way yet, but in doing so, SMB traffic is alllowed out.

I want to immediately put a control in that blocks SMB traffic outbound. Is it recommended to create the policy using only ports, tcp/udp port 445, or should I block via SMB application? My thought is block via ports, but I'll do whatever is the recommended way.

What about tcp/udp port 137 and 139? Should these also be added to the blocked 'from trust to untrust' rule?

I'm curious to what you all are doing.

thanks

Re: Blocking SMB Traffic

mivaldi — Mon, 07 May 2018 18:15:33 GMT

They are not mutually exclusive. You can do both. Just leave the rule where you define application SMB, set to application 'any', so if SMB is used evasively through different ports, it can also be blocked.

Re: Blocking SMB Traffic

ce1028 — Tue, 08 May 2018 00:05:06 GMT

Not sure I'm following your response. Do you mean if you choose SMB for application, set the Service to Any?

Is it common practice to create multiple rules to block SMB?

Re: Blocking SMB Traffic

mivaldi — Tue, 08 May 2018 00:09:25 GMT

Yes, SMB for application, Service to Any.

Not sure what common practice is, but some environments require that *no* packets leave out on specific ports.

The app-id engine needs to allow a few packets through before it identifies the application, so if you go solely with an app-id rule, a few packets will always leave the firewall before there's a block action enforced.

Re: Blocking SMB Traffic

ce1028 — Wed, 09 May 2018 22:44:54 GMT

thanks. what method do you use on your firewalls (if you don't mind me asking)

Re: Blocking SMB Traffic

mivaldi — Wed, 09 May 2018 23:52:43 GMT

I'm with Palo Alto Networks Support, so I will allow other members of the community to provide that answer.

Re: Blocking SMB Traffic

OtakarKlier — Thu, 10 May 2018 17:41:39 GMT

Hello,

We have a strict deny all allow by exception policy at our company. So we only allow appplications/ports/urls etc., based on approval from the executives. If you are looking to block traffic, start with the logs and see what is being allowed out and start blocking on it. The ACC tab can help you with this as well.

As for writing policies, I try to use applications rather than actual ports.

Hope that helps.

Re: Blocking SMB Traffic

ce1028 — Sat, 12 May 2018 18:59:33 GMT

Hi,

The deny all, allow by exception would be ideal. Possibly can convince that for the future.

Right now, I want to focus only on blocking SMB

Re: Blocking SMB Traffic

Retired Member — Fri, 08 Jun 2018 19:48:30 GMT

Risk 1 through 3 from their trust to untrust zones is not a great way to allow traffic to the Internet.

There are 58 pages of applications when I look at this on my firewall.

I found this out the hard way when someone set this up for our guest networks and we had a big netbios attacks launch from a rogue machine on our network. Whittle it down to what you actually need.