08-27-2018 11:41 AM
Apologies ahead of time- I'm very new to Palo Alto's firewalls... I've built several CIFS rules (based upon/cloned from existing rules created by somewhat more senior PAN co-workers). I've asked them the following question but haven't gotten an answer I'm comfortable with, and was hoping someone here could set things right in my mind: When I'm attempting to allow CIFS file sharing, there are choices for Applications of ms-ds-smb, ms-ds-smb-base, then the different version numbers. Does ms-ds-smb cover ALL versions of SMB (v1, v2 and v3)? When is ms-ds-smb-base needed?
I've also seen where the incumbent PAN coworkers have sometimes simply defined a service of TCP port 445 in rules. My guess would be that a service of TCP port 445 doesn't do any application validation, and defining it as an Application is preferred?
Thanks for the enlightenment ahead of time....
Mike
08-27-2018 12:24 PM
The answers you seek can be found under the Objects tab under Applications or via Palo Alto's Applipedia.
ms-ds-smb = This is an app container for smb-base, smbv1, smbv2, smbv3.
ms-ds-smb-base: Think of this as a building block that will almost always need to be allowed. This essentially gives the firewall something to identify before we're able to tell what version of SMB is being utilized.
If you simply define the service you're going to run the risk that something else will be tunneled/used over that port, and while the firewall will identify the true application being used it won't block the communication from taking place. Defining an application where possible is always going to be preferred.
12-16-2021 06:52 AM
Using ms-ds-smb will authorise all versions along with their vulnerabilities. You simply have to be careful while using containers depending on the applications they contain. As always, as with port-based rules, configure the least number of required applications and ports for your needs.
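To make the two answers above concrete (the port-only rule versus the container versus an explicit minimal application set), here is an added example written as PAN-OS configure-mode `set` commands. It is not from this thread or from Palo Alto's documentation; the zone names (trust, dmz), the address objects (fileserver-clients, fileserver), the service object tcp-445 and the rule names are hypothetical placeholders. The App-ID names ms-ds-smb, ms-ds-smb-base and ms-ds-smb-v3 are the real ones discussed in the thread.

```text
# 1. Port-only rule (the pattern the original poster saw). Anything on TCP/445
#    matches. App-ID still identifies the true application in the traffic log,
#    but this rule allows the session regardless of what that application is.
set service tcp-445 protocol tcp port 445
set rulebase security rules allow-445-portonly from trust to dmz source fileserver-clients destination fileserver application any service tcp-445 action allow

# 2. Container rule. ms-ds-smb expands to ms-ds-smb-base plus the v1, v2 and v3
#    App-IDs, so it is the shortest rule to write but also admits SMBv1.
set rulebase security rules allow-smb-container from trust to dmz source fileserver-clients destination fileserver application ms-ds-smb service application-default action allow

# 3. Explicit rule: the base App-ID (needed so the firewall can identify the
#    session at all) plus only the version actually in use. SMBv1 sessions are
#    no longer matched by this rule, and "application-default" restricts the
#    match to the ports Palo Alto defines for those App-IDs.
set rulebase security rules allow-smb-v3-only from trust to dmz source fileserver-clients destination fileserver application [ ms-ds-smb-base ms-ds-smb-v3 ] service application-default action allow
```

In practice you would keep only rule 3 (or rule 2 where a legacy client genuinely requires SMBv1) and remove rule 1; leaving rule 1 above the others would make the application-based rules unreachable for TCP/445 traffic. Check the Application column of the traffic log after the change to confirm sessions are identified as ms-ds-smb-v3 rather than falling through to a broader rule.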
03-31-2021 09:48 AM - edited 03-31-2021 09:52 AM
Hi,
So to clarify, ms-ds-smb will cover smb-base, smbv1, smbv2, smbv3 but is not a recommended approach? Is this the case for all app containers?
Thanks!
Marc