PA SMB deny behaviour

L4 Transporter

PA SMB deny behaviour

Hi,

 

We have detected strange behaviour with SMB sessions.

 

We have created a rule for blocking WannaCry (SMB) sessions:

(attachment: Captura2.JPG)

 

We can see sessions being blocked:

 

(attachment: Captura3.jpg)

 

So all sessions from trust to untrust should be blocked, but we have done a tcpdump on our ISP router and we see:

 

2017-11-21 20:01:46: 8x.x.x.x => 213.187.106.86:445
2017-11-21 20:01:46: 8x.x.x.x => 213.187.106.87:445
2017-11-21 20:01:46: 8x.x.x.x => 213.187.106.88:445
2017-11-21 20:01:46: 8x.x.x.x => 213.187.106.92:445
2017-11-21 20:01:46: 8x.x.x.x => 213.187.106.93:445
2017-11-21 20:01:46: 8x.x.x.x => 213.187.106.94:445

 

Why is the ISP receiving sessions on port 445 towards untrust if we have denied all sessions from inside to outside?

 

Regards

 

L7 Applicator

Re: PA SMB deny behaviour

Try filtering your policy on "( action neq deny ) and ( port.dst eq 445 )" instead of on your rule, to see if there's anything allowed.

 

Also try one with ( addr.dst in 213.187.106.86 ) to see if it shows up in any other form.

L4 Transporter

Re: PA SMB deny behaviour

There isn't any session being allowed with neq deny.

I think the PA is permitting the 3-way handshake to detect the app (so these packets are what we see on the ISP router), but we have denied by service; I think the PA shouldn't permit the 3-way handshake.

 

Using this filter ( addr.dst in 213.187.106.86 ), we don't see any logs in the PA. Weird...

 

It's a bit strange...

L7 Applicator

Re: PA SMB deny behaviour

No, the 3-way handshake is allowed through if you have a policy that includes applications. You have 'any', so the action is applied on the port.

 

Is it possible the connection could have originated from a different source zone? (the policy is only for trust). Could someone have connected a host on the outside network segment?

L4 Transporter

Re: PA SMB deny behaviour

Hmmm, I thought that if I block using service 445 the 3-way is not done. So what can I do in order to discard all connections on 445, so the ISP router won't receive this traffic?

 

 

L4 Transporter

Re: PA SMB deny behaviour

(attachment: cap.JPG)

This is the session browser right now. I think that the 445 SMB traffic that we are seeing on the ISP router is because of the three-way handshake. But how can I discard this traffic in order to not see it at the ISP?

L7 Applicator

Re: PA SMB deny behaviour

If you use only ports, the 3-way handshake is not allowed.

 

Can you do a > show running security-policy to verify the policies?

Are the negated subnets necessary? Can you try removing them?

L4 Transporter

Re: PA SMB deny behaviour

This is the rule from the CLI:

 

"Block 445 Wannacry" {
from trust;
source any;
source-region none;
to untrust;
destination [ 0.0.0.0/5 8.0.0.0/7 11.0.0.0/8 12.0.0.0/6 16.0.0.0/4 32.0.0.0/3 64.0.0.0/4 80.0.0.0/6 ];
destination-region none;
user any;
category any;
application/service [ any/tcp/any/445 any/udp/any/445 ];
action deny;
icmp-unreachable: no
terminal no;
}

 

I'll create a first rule permitting the traffic in our networks, and below it I'll create another one denying.

 

I read SMBv3 is encrypted; could it be that the 3-way handshake has to be done in order to know the app?

L7 Applicator

Re: PA SMB deny behaviour

The 3-way handshake is NOT allowed in this particular rule because you have 'any' in the application, 2 ports and deny. This means any packet matching destination port 445 will be dropped.

 

It IS possible (since this is rule #3) that the 3-way handshake is being allowed by rule #1 or #2, if they allow port 445 and have a (different) application, because then we DO allow the handshake to be able to identify the application.

 

So maybe this rule needs to move up to #1.

L4 Transporter

Re: PA SMB deny behaviour

Exactly, that's what I think. Three-way is not enabled when filtering by service.

 

Rules 1 and 2 are deployed by Panorama, and the sources are specific hosts. So it shouldn't be the problem...

 

(attachment: cappp.jpg)
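As an added example (not code from this thread or from PAN-OS), the following Python models the first-match behaviour the replies describe: a rule with application 'any' is decided on the first packet, so a deny drops the SYN, while a rule that names applications has to let the TCP handshake through before App-ID can decide. It uses the "Block 445 Wannacry" rule exactly as posted from the CLI, assumes its destination list is negated (as the replies suggest), and places a hypothetical Panorama-pushed rule above it that allows ms-ds-smb from one specific source host; the rule name "Panorama-fileshare", the host addresses and the "interzone-default" fallback are invented for the example. It also checks whether 213.187.106.86 sits inside the posted destination list at all.

```python
"""Toy first-match security policy evaluator (added example, not PAN-OS code).

Simplified model of the behaviour discussed in the thread:
  - a rule whose application is 'any' is decided on the first packet,
    so a deny drops the SYN and the ISP router never sees it;
  - a rule that names applications needs App-ID, which needs payload, so
    the handshake is let through before the final verdict.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: list            # CIDR strings, or ["any"]
    destination: list       # CIDR strings, or ["any"]
    negate_destination: bool
    services: list          # (proto, port) tuples, or ["any"]
    applications: list      # ["any"] or application names
    action: str             # "allow" or "deny"


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    app: Optional[str] = None   # None = only the SYN seen, App-ID not yet known


# Destination list copied from the "Block 445 Wannacry" rule posted above.
WANNACRY_DESTS = ["0.0.0.0/5", "8.0.0.0/7", "11.0.0.0/8", "12.0.0.0/6",
                  "16.0.0.0/4", "32.0.0.0/3", "64.0.0.0/4", "80.0.0.0/6"]


def addr_in_list(ip: str, cidrs: list) -> bool:
    """True if ip falls inside any of the CIDRs ("any" matches everything)."""
    if cidrs == ["any"]:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def tuple_matches(rule: Rule, s: Session) -> bool:
    """Zone / source / destination (with negate) / service match, no App-ID."""
    if (rule.from_zone, rule.to_zone) != (s.src_zone, s.dst_zone):
        return False
    if not addr_in_list(s.src_ip, rule.source):
        return False
    dst_hit = addr_in_list(s.dst_ip, rule.destination)
    if dst_hit == rule.negate_destination:   # negate flips the destination match
        return False
    if rule.services != ["any"] and (s.proto, s.dport) not in rule.services:
        return False
    return True


def evaluate(rules: list, s: Session) -> tuple:
    """Return (rule name, verdict, handshake_allowed) for the session."""
    for r in rules:
        if not tuple_matches(r, s):
            continue
        if r.applications == ["any"]:
            return r.name, r.action, r.action == "allow"   # decided on the SYN
        if s.app is None:
            # App-ID still pending: the handshake must pass to identify the app
            return r.name, "pending app-id", True
        if s.app in r.applications:
            return r.name, r.action, r.action == "allow"
        # app identified but not in this rule: keep looking further down
    return "interzone-default", "deny", False   # assumed implicit default


def build_rules(negate: bool = True) -> list:
    """Rulebase: hypothetical Panorama rule (specific host) above the posted deny."""
    return [
        Rule("Panorama-fileshare", "trust", "untrust", ["192.168.10.5/32"], ["any"],
             False, [("tcp", 445)], ["ms-ds-smb"], "allow"),
        Rule("Block 445 Wannacry", "trust", "untrust", ["any"], WANNACRY_DESTS,
             negate, [("tcp", 445), ("udp", 445)], ["any"], "deny"),
    ]


def syn_to_isp(src_ip: str, negate: bool = True,
               dst_ip: str = "213.187.106.86") -> tuple:
    """First packet of an SMB session to one of the addresses seen at the ISP."""
    s = Session("trust", "untrust", src_ip, dst_ip, "tcp", 445)
    return evaluate(build_rules(negate), s)


if __name__ == "__main__":
    print("213.187.106.86 in posted list:", addr_in_list("213.187.106.86", WANNACRY_DESTS))
    print("host covered by Panorama rule:", syn_to_isp("192.168.10.5"))
    print("any other host, negated list:", syn_to_isp("192.168.10.77"))
    print("any other host, list not negated:", syn_to_isp("192.168.10.77", negate=False))
```

Run as a script, it shows the three cases the thread turns on: the host matched by the earlier application-based rule gets its handshake through (those are the SYNs the ISP router would log), any other host is dropped on the SYN by the posted deny rule, and without negation 213.187.106.86 is not in the posted destination list at all, so the deny rule never matches it and the session falls to the default. The evaluator is a deliberately simplified model of the policy lookup, not the firewall's actual implementation.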
