Difference Of Applications "ms-ds-smb", "ms-ds-smb-base" and ms-ds-smbv1, ms-ds-smbv2, ms-ds-smbv3

Reply
Highlighted
L1 Bithead

Difference Of Applications "ms-ds-smb", "ms-ds-smb-base" and ms-ds-smbv1, ms-ds-smbv2, ms-ds-smbv3

Apologies ahead of time- I'm very new to Palo Alto's firewalls...I've built several CIFS rules (based upon/cloned) from existing rules created by somewhat more senior PAN co-workers. I've asked them the following question but haven't gotten an answer I'm comfortable with, and was hoping somewhere here could set things right in my mind: When I'm attempting to allow CIFS file sharing, there's choices for Applications of ms-ds-smb, ms-ds-msb-base, then the different version numbers? Does md-ds-smb cover ALL versions of smb (v1, v2 and v3). When is ms-ds-smb-base needed? 

 

I've also seen where the incumbant PAN coworkers have sometimes simply defined a service TCP Port 445 in rules. My guess would be that a service of TCP Port 445 doesn't do any application validation, and defining it as an Application is preferred?

 

Thanks for the enlightenment ahead of time....

 

Mike


Accepted Solutions
Highlighted
Cyber Elite

@michaelmertens,

The answers you seek can be found under the Objects tab under Applications or via Palo Alto's applipedia 

ms-ds-smb = This is an app container for smb-base, smbv1, smbv2, smbv3. 

ms-ds-smb-base: Think of this as a building block that will almost always need to be allowed. This essentially gives the firewall something to identify before we're able to tell what version of smb is being utilized. 

 

If you simply define the service you're going to run the risk that something else will be tunneled/used over that port, and while the firewall will identify the true application being used it won't block the communication from taking place. Defining an application where possible is always going to be prefered.  

 

View solution in original post


All Replies
Highlighted
Cyber Elite

@michaelmertens,

The answers you seek can be found under the Objects tab under Applications or via Palo Alto's applipedia 

ms-ds-smb = This is an app container for smb-base, smbv1, smbv2, smbv3. 

ms-ds-smb-base: Think of this as a building block that will almost always need to be allowed. This essentially gives the firewall something to identify before we're able to tell what version of smb is being utilized. 

 

If you simply define the service you're going to run the risk that something else will be tunneled/used over that port, and while the firewall will identify the true application being used it won't block the communication from taking place. Defining an application where possible is always going to be prefered.  

 

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!