Windows based file shares - what applications?


Hi.

Can anyone tell me what applications you need to allow in a PA policy rule to allow Microsoft remote disk drive shares to be accessed?

For example, I have a server in my DMZ I want to be able to access drive shares on from my inside network by simply typing

\\<server>\share$

I've added the following

ms-ds-smb

netbios-dg

netbios-ns

netbios-ss

And yet I can't get a share mapped properly through the PA. It fails every time.

Anyone cast some light on what I might be missing?

Thanks.


Best practice would be to temporarily allow any application on this policy, at which point the traffic log should indicate all applications required to allow the remote disk share.

gsamuels wrote:

Best practice would be to temporarily allow any application on this policy, at which point the traffic log should indicate all applications required to allow the remote disk share.

Problem with that is two-fold.

1) The traffic you're looking for quickly gets "lost in the wash" - it's difficult to tell which traffic is what you want/need and which is not, especially if the destination server is multi-purpose.

2) This kind of defeats the purpose of having a firewall and DMZ - if I wanted unfettered communications, I would just have the server inside and not put any rules on it at all.

Cheers.

Hi,

if you are using DFS, these should be the open ports:

System service name: Dfs

Application protocol               Protocol  Ports
NetBIOS Datagram Service           UDP       138
NetBIOS Session Service            TCP       139
LDAP Server                        TCP       389
LDAP Server                        UDP       389
SMB                                TCP       445
RPC                                TCP       135
Randomly allocated high TCP ports  TCP       random port number between 1024 - 65535*

Opening any ports between the two devices is the only way to identify how many ports are used. This is because any system configuration can vary the ports used/necessary, and it is always related to your infrastructure (OS version, apps, etc.).
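To check the ports in the list above from the inside client, here is an added example (not from the original post, and not a Palo Alto tool) that probes each TCP port and classifies the result. The point of the classification is the one a firewall engineer cares about: a connection that is refused means the packet reached the server and nothing was listening, while a timeout with no response usually means the firewall silently dropped it. UDP ports (137, 138, 389) cannot be checked this way because there is no handshake, so they are listed but skipped. The hostname and the `connect` parameter are assumptions for illustration; `connect` is injectable so the logic can be exercised without a network.

```python
import socket

# Port list taken from the DFS table in the post above; UDP entries are kept
# for completeness but are not probed (no handshake to observe).
DFS_PORTS = [
    ("NetBIOS Datagram Service", "udp", 138),
    ("NetBIOS Session Service", "tcp", 139),
    ("LDAP Server", "tcp", 389),
    ("LDAP Server", "udp", 389),
    ("SMB", "tcp", 445),
    ("RPC endpoint mapper", "tcp", 135),
]


def probe_tcp(host, port, timeout=3.0, connect=socket.create_connection):
    """Return 'open', 'refused' or 'filtered' for one TCP port.

    'refused'  -> a RST came back: the firewall let the packet through but the
                  service is not listening on the server.
    'filtered' -> no answer within the timeout: most likely dropped by a
                  firewall rule (or the host is unreachable).
    `connect` defaults to the real socket call; tests inject a fake.
    """
    try:
        sock = connect((host, port), timeout)
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError, OSError):
        return "filtered"
    sock.close()
    return "open"


def probe_all(host, ports=DFS_PORTS, connect=socket.create_connection):
    """Probe every TCP entry in `ports`; UDP entries are reported as 'skipped'."""
    results = {}
    for name, proto, port in ports:
        if proto != "tcp":
            results[(proto, port)] = "skipped"
            continue
        results[(proto, port)] = probe_tcp(host, port, connect=connect)
    return results


def blocked_ports(results):
    """Ports that look dropped by the firewall, sorted for a stable report."""
    return sorted(port for (proto, port), state in results.items()
                  if proto == "tcp" and state == "filtered")


if __name__ == "__main__":
    # Assumed DMZ server name; replace with the real host when running this.
    for (proto, port), state in probe_all("dmz-server.example").items():
        print(f"{proto}/{port}: {state}")
```

A share mapping needs 445 (or 139 as a fallback) to come back `open`; if 135 is `open` but the mapping still fails, the randomly allocated high RPC port from the table is the usual suspect, and only the firewall's traffic log will show which one was chosen.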

Hi dagibbs,

You can always lock the ports and src/dst ip's down while you are performing the application investigation phase.  Then you are no less secure than a traditional firewall until you get the information you need to further lock down the application(s).  It's also very simple to filter the logs by src/dst to see all of the relevant conversations and weed out the others while testing.

Cheers,

Kelly
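The approach Kelly describes, filtering the traffic log down to one src/dst pair and reading off the App-IDs, is easy to script once the log is exported to CSV. The following is an added example, not code from the thread or from Palo Alto Networks: it takes a constructed, simplified traffic-log export (a real export has many more columns; the column header names used here are assumed, so match them against your own export), keeps only the conversation between the inside client and the DMZ server, and summarises which App-IDs appeared, on which ports, and whether any were denied. The IP addresses, rule names and timestamps in the sample are made up.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a PAN-OS traffic log export, reduced to the columns
# the script needs. 10.1.1.50 is the inside client, 192.168.100.10 the DMZ
# file server; the other rows are the "noise" that hides the real conversation.
SAMPLE_LOG = """\
Receive Time,Source address,Destination address,Application,Destination Port,Protocol,Action,Rule
2013/05/01 10:00:01,10.1.1.50,192.168.100.10,netbios-ns,137,udp,allow,inside-to-dmz-test
2013/05/01 10:00:01,10.1.1.50,192.168.100.10,ms-ds-smb,445,tcp,allow,inside-to-dmz-test
2013/05/01 10:00:02,10.1.1.50,192.168.100.10,msrpc,135,tcp,allow,inside-to-dmz-test
2013/05/01 10:00:02,10.1.1.50,192.168.100.10,msrpc,49155,tcp,allow,inside-to-dmz-test
2013/05/01 10:00:03,10.1.1.50,192.168.100.10,ldap,389,tcp,allow,inside-to-dmz-test
2013/05/01 10:00:03,10.1.1.51,192.168.100.10,web-browsing,80,tcp,allow,inside-to-dmz-web
2013/05/01 10:00:04,10.1.1.50,192.168.100.20,dns,53,udp,allow,inside-to-dns
2013/05/01 10:00:05,10.1.1.50,192.168.100.10,kerberos,88,tcp,deny,interzone-default
"""


def filter_conversation(csv_text, src, dst):
    """Keep only rows for one source/destination pair (Kelly's src/dst filter)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows
            if r["Source address"] == src and r["Destination address"] == dst]


def summarize_apps(rows):
    """Map each App-ID to the (protocol, port) pairs and actions seen for it."""
    summary = defaultdict(lambda: {"ports": set(), "actions": set()})
    for r in rows:
        entry = summary[r["Application"]]
        entry["ports"].add((r["Protocol"], int(r["Destination Port"])))
        entry["actions"].add(r["Action"])
    return dict(summary)


def apps_to_allow(summary):
    """App-IDs observed in the conversation, i.e. the candidate list for the rule."""
    return sorted(summary)


def denied_apps(summary):
    """App-IDs that hit a deny: traffic the test rule did not yet cover."""
    return sorted(app for app, e in summary.items() if "deny" in e["actions"])


if __name__ == "__main__":
    conv = filter_conversation(SAMPLE_LOG, "10.1.1.50", "192.168.100.10")
    summary = summarize_apps(conv)
    for app in apps_to_allow(summary):
        ports = ", ".join(f"{p}/{n}" for p, n in sorted(summary[app]["ports"]))
        print(f"{app:12s} {ports:24s} {'/'.join(sorted(summary[app]['actions']))}")
    print("denied:", denied_apps(summary))
```

Two things the summary makes visible that a raw log scroll hides: the msrpc row on a high port (the randomly allocated RPC port from the DFS table), and any App-ID that fell through to the interzone-default deny, which is exactly the traffic the rule still needs to cover.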
