PA SMB deny behaviour

soporteseguridad · ‎11-22-2017

Hi,

We have detected a atrange behaviour with SMB session.

We have created a rule for blocking wannacry (SMB) sessions

We can see sessions being blocked:

So all sessions from trust to untrust should be blocked but we have done a tcpdump in our ISP router an we see

2017-11-21 20:01:46: 8x.x.x.x => 213.187.106.86:445
2017-11-21 20:01:46: 8x.x.x.x => 213.187.106.87:445
2017-11-21 20:01:46: 8x.x.x.x => 213.187.106.88:445
2017-11-21 20:01:46: 8x.x.x.x => 213.187.106.92:445
2017-11-21 20:01:46: 8x.x.x.x => 213.187.106.93:445
2017-11-21 20:01:46: 8x.x.x.x => 213.187.106.94:445

Why ISP is receiving sessions in port445 to untrust if we have deny all session from inside to outside????

Regards

reaper · ‎11-23-2017

I've also reproduced and I am not able to reproduce your issue.

BUT!, I think i may have found the issue... this is my policy

You may notice I used 'drop' and I'm getting all my 445 discarded as expected

you used 'Deny'

Deny requires an application to decide the appropriate 'reject' action for the application

if you need to actively reject i'd propose you use 'Reset Client' instead

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

reaper · ‎11-22-2017

try filtering your policy on "( action neq deny ) and ( port.dst eq 445 )" instead of your rule to see if there's anything allowed

also try one with ( addr.dst in 213.187.106.86 ) to see if it shows up in any other form

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

soporteseguridad · ‎11-22-2017

There is not any session being alloweb with neq deny.

I think PA is permitting the 3way handshake to detect the app (so these packets is ahwt we see in ISP router) but we have denied by service, i think PA shouldnt permit 3way handshake.

using this filter ( addr.dst in 213.187.106.86 ), we dont see any logs in PA. Weird......

Its a bit strange...

reaper · ‎11-22-2017

No, the 3way handshake is alowed through if you have a policy that includes applications. You have 'any' so the action is applied on the port.

Is it possible the connection could have originated from a different source zone? (the policy is only for trust). Could someone have connected a host on the outside network segment?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

soporteseguridad · ‎11-22-2017

ammmmmm, i though that if i block using service 445 the 3way is not done. So how can i do in order to discard all connections in 445, so ISP router wont receive this traffic????

soporteseguridad · ‎11-22-2017

This is the session browser right now. I think that the 445-SMB traffic that we are seeing in ISP router is because of threeway-handshake. But how can discard this traffic in order to not see it in ISP??

reaper · ‎11-22-2017

if you use only ports, 3 way handshake is not allowed

can you do a > show running security-policy to verify the policies?

are the negated subnets necessary? can you try removing them?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

soporteseguridad · ‎11-22-2017

This is the rule by CLI:

"Block 445 Wannacry" {
from trust;
source any;
source-region none;
to untrust;
destination [ 0.0.0.0/5 8.0.0.0/7 11.0.0.0/8 12.0.0.0/6 16.0.0.0/4 32.0.0.0/3 64.0.0.0/4 80.0.0.0/6 ];
destination-region none;
user any;
category any;
application/service [ any/tcp/any/445 any/udp/any/445 ];
action deny;
icmp-unreachable: no
terminal no;
}

Ill create a first rule permiting the traffic in our networks, and below ill create another one denying.

I read SMBv3 is encrypted, it could be that 3way handshake should be done in order to know app????

reaper · ‎11-22-2017

the 3 way handshake is NOT allowed in this particular rule because you have 'any' in the application , 2 ports and deny. this means any packet matching destination port 445 will be dropped

it IS possible (since this is rule #3, the 3 way handshake is being allowed by rule #1 or #2 (if they allow port 445 and have an (different) application, because then we DO allow the handshake to be able to identify the application)

so maybe this rule needs to move up to #1

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

soporteseguridad · ‎11-22-2017

Exactly, that what i think. Three-way is not enabled filtering by service.

Rules 1 y 2 are deployed by panorama, and the sources are specific hosts. So it shouldnt be the problem......

soporteseguridad · ‎11-22-2017

I tried to create a first rule permitting, and second one denying, but the problem is the same. 3way is done.

I have replicated this problem i my lab in version 8.0.5 and 3way is done fitlering by port 😞

it seems like normal behaviour in PA. Can someone confirm if you create a rule denying port 445, the 3way is done??

thanks alot

reaper · ‎11-22-2017

Ok I will admit this is weird

can you try setting up a flow basic to see what is happening exactly ?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

soporteseguridad · ‎11-22-2017

Hi reaper,

I replicated the problem in my lab. I created a rule denying port 445 sessions and i can see this traffic in logs. It seems like 3way is done using SMB althoug you are denying by port445.

it seems like a bug or normal behaviour PA.

reaper · ‎11-23-2017

I've also reproduced and I am not able to reproduce your issue.

BUT!, I think i may have found the issue... this is my policy

You may notice I used 'drop' and I'm getting all my 445 discarded as expected

you used 'Deny'

Deny requires an application to decide the appropriate 'reject' action for the application

if you need to actively reject i'd propose you use 'Reset Client' instead

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Unlock your full community experience!

PA SMB deny behaviour

PA SMB deny behaviour

Show your appreciation!