Difference Of Applications "ms-ds-smb", "ms-ds-smb-base" and ms-ds-smbv1, ms-ds-smbv2, ms-ds-smbv3

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Difference Of Applications "ms-ds-smb", "ms-ds-smb-base" and ms-ds-smbv1, ms-ds-smbv2, ms-ds-smbv3

L2 Linker

Apologies ahead of time- I'm very new to Palo Alto's firewalls...I've built several CIFS rules (based upon/cloned) from existing rules created by somewhat more senior PAN co-workers. I've asked them the following question but haven't gotten an answer I'm comfortable with, and was hoping somewhere here could set things right in my mind: When I'm attempting to allow CIFS file sharing, there's choices for Applications of ms-ds-smb, ms-ds-msb-base, then the different version numbers? Does md-ds-smb cover ALL versions of smb (v1, v2 and v3). When is ms-ds-smb-base needed? 

 

I've also seen where the incumbant PAN coworkers have sometimes simply defined a service TCP Port 445 in rules. My guess would be that a service of TCP Port 445 doesn't do any application validation, and defining it as an Application is preferred?

 

Thanks for the enlightenment ahead of time....

 

Mike

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

@michaelmertens,

The answers you seek can be found under the Objects tab under Applications or via Palo Alto's applipedia 

ms-ds-smb = This is an app container for smb-base, smbv1, smbv2, smbv3. 

ms-ds-smb-base: Think of this as a building block that will almost always need to be allowed. This essentially gives the firewall something to identify before we're able to tell what version of smb is being utilized. 

 

If you simply define the service you're going to run the risk that something else will be tunneled/used over that port, and while the firewall will identify the true application being used it won't block the communication from taking place. Defining an application where possible is always going to be prefered.  

 

View solution in original post

Using ms-ds-smb will autorise all versions along with their vulnerabilities. You simply have to be careful while using containers depending on the applications they contain. As always, as with port-based rules, configure the least number of required applications and ports for your needs.

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

@michaelmertens,

The answers you seek can be found under the Objects tab under Applications or via Palo Alto's applipedia 

ms-ds-smb = This is an app container for smb-base, smbv1, smbv2, smbv3. 

ms-ds-smb-base: Think of this as a building block that will almost always need to be allowed. This essentially gives the firewall something to identify before we're able to tell what version of smb is being utilized. 

 

If you simply define the service you're going to run the risk that something else will be tunneled/used over that port, and while the firewall will identify the true application being used it won't block the communication from taking place. Defining an application where possible is always going to be prefered.  

 

Hi,

  So to clarfiy  md-ds-smb will cover smb-base, smbv1, smbv2, smbv3 but is not a recommended approach?  Is this the case for all app containers?

 

Thanks!

Marc

Using ms-ds-smb will autorise all versions along with their vulnerabilities. You simply have to be careful while using containers depending on the applications they contain. As always, as with port-based rules, configure the least number of required applications and ports for your needs.

  • 2 accepted solutions
  • 26168 Views
  • 3 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!