https://live.paloaltonetworks.com/t5/general-topics/windows-based-file-shares-what-applications/m-p/41723#M30692 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>gsamuels wrote:</P><P></P><P> Best practice would be to temporarily allow any application on this policy at which point the traffic log should indicate all applications required to allow the the remote disk share.</P></PRE><P></P><P>Problem with that is two-fold.</P><P></P><P>1) The traffic you're looking for quickly gets "lost in the wash" - it's difficult to tell which traffic is what you want/need and which is not, especially if the destination server is multi-purpose.</P><P></P><P>2) This kind of defeats the purpose of having a firewall and DMZ - if I wanted unfetted communications, I would just have the server inside and not put any rules on it at all.</P><P></P><P>Cheers.</P></BODY></HTML> Fri, 14 Jan 2011 03:09:38 GMT dagibbs 2011-01-14T03:09:38Z https://live.paloaltonetworks.com/t5/general-topics/windows-based-file-shares-what-applications/m-p/41721#M30690 <HTML><HEAD></HEAD><BODY><P>Hi.</P><P></P><P>Can anyone tell me what applications you need to allow in a PA policy rule to allow Microsoft remote disk drive shares to be accessed?</P><P></P><P>For example, I have a server in my DMZ I want to be able to access drive shares on from my inside network by simply typing</P><P></P><P>\\&lt;server&gt;\share$</P><P></P><P>I've added the following</P><P></P><P>ms-ds-smb</P><P>netbios-dg</P><P>netbios-ns</P><P>netbios-ss</P><P></P><P>And yet I can't get a share mapped properly through the PA. It fails every time.</P><P></P><P>Anyone cast some light on what I might be missing?</P><P></P><P>Thanks.</P></BODY></HTML> Thu, 13 Jan 2011 00:01:03 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-based-file-shares-what-applications/m-p/41721#M30690 dagibbs 2011-01-13T00:01:03Z https://live.paloaltonetworks.com/t5/general-topics/windows-based-file-shares-what-applications/m-p/41722#M30691 <HTML><HEAD></HEAD><BODY><P> Best practice would be to temporarily allow any application on this policy at which point the traffic log should indicate all applications required to allow the the remote disk share.</P></BODY></HTML> Fri, 14 Jan 2011 02:45:55 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-based-file-shares-what-applications/m-p/41722#M30691 gsamuels 2011-01-14T02:45:55Z https://live.paloaltonetworks.com/t5/general-topics/windows-based-file-shares-what-applications/m-p/41723#M30692 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>gsamuels wrote:</P><P></P><P> Best practice would be to temporarily allow any application on this policy at which point the traffic log should indicate all applications required to allow the the remote disk share.</P></PRE><P></P><P>Problem with that is two-fold.</P><P></P><P>1) The traffic you're looking for quickly gets "lost in the wash" - it's difficult to tell which traffic is what you want/need and which is not, especially if the destination server is multi-purpose.</P><P></P><P>2) This kind of defeats the purpose of having a firewall and DMZ - if I wanted unfetted communications, I would just have the server inside and not put any rules on it at all.</P><P></P><P>Cheers.</P></BODY></HTML> Fri, 14 Jan 2011 03:09:38 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-based-file-shares-what-applications/m-p/41723#M30692 dagibbs 2011-01-14T03:09:38Z https://live.paloaltonetworks.com/t5/general-topics/windows-based-file-shares-what-applications/m-p/41724#M30693 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>if you are using DFS, this should be the open ports:</P><P></P><P>System service name: DfsApplication protocol Protocol Ports <BR />NetBIOS Datagram Service UDP 138 <BR />NetBIOS Session Service TCP 139 <BR />LDAP Server TCP 389 <BR />LDAP Server UDP 389 <BR />SMB TCP 445 <BR />RPC TCP 135 <BR />Randomly allocated high TCP ports TCP random port number between 1024 - 65535*</P><P></P><P>Opening any ports between the two devices is the only way to identify how many ports are used. This because any system configurations could vary the ports used/necessary and it's related always to your infrastructure (version of S.O, apps, etc).</P></BODY></HTML> Fri, 14 Jan 2011 11:03:16 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-based-file-shares-what-applications/m-p/41724#M30693 migration 2011-01-14T11:03:16Z https://live.paloaltonetworks.com/t5/general-topics/windows-based-file-shares-what-applications/m-p/41725#M30694 <HTML><HEAD></HEAD><BODY><P>Hi dagibbs,</P><P></P><P>You can always lock the ports and src/dst ip's down while you are performing the application investigation phase.&nbsp; Then you are no less secure than a traditional firewall until you get the information you need to further lock down the application(s).&nbsp; It's also very simple to filter the logs by src/dst to see all of the relevant conversations and weed out the others while testing.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Fri, 14 Jan 2011 16:11:42 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-based-file-shares-what-applications/m-p/41725#M30694 kbrazil 2011-01-14T16:11:42Z