05-06-2018 08:43 PM
I was doing a review of some firewall policies and noticed the company I am consulting for is allowing all applications risk 1 through 3 from their trust to untrust zones. Not sure why it's setup that way yet, but in doing so, SMB traffic is alllowed out.
I want to immediately put a control in that blocks SMB traffic outbound. Is it recommended to create the policy using only ports, tcp/udp port 445, or should I block via SMB application? My thought is block via ports, but I'll do whatever is the recommended way.
What about tcp/udp port 137 and 139? Should these also be added to the blocked 'from trust to untrust' rule?
I'm curious to what you all are doing.
thanks
05-07-2018 11:14 AM - edited 05-07-2018 11:15 AM
They are not mutually exclusive. You can do both. Just leave the rule where you define application SMB, set to application 'any', so if SMB is used evasively through different ports, it can also be blocked.
05-07-2018 05:05 PM
Not sure I'm following your response. Do you mean if you choose SMB for application, set the Service to Any?
Is it common practice to create multiple rules to block SMB?
05-07-2018 05:09 PM
Yes, SMB for application, Service to Any.
Not sure what common practice is, but some environments require that *no* packets leave out on specific ports.
The app-id engine needs to allow a few packets through before it identifies the application, so if you go solely with an app-id rule, a few packets will always leave the firewall before there's a block action enforced.
05-09-2018 03:44 PM
thanks. what method do you use on your firewalls (if you don't mind me asking)
05-09-2018 04:52 PM
I'm with Palo Alto Networks Support, so I will allow other members of the community to provide that answer.
05-10-2018 10:41 AM
Hello,
We have a strict deny all allow by exception policy at our company. So we only allow appplications/ports/urls etc., based on approval from the executives. If you are looking to block traffic, start with the logs and see what is being allowed out and start blocking on it. The ACC tab can help you with this as well.
As for writing policies, I try to use applications rather than actual ports.
Hope that helps.
05-12-2018 11:59 AM
Hi,
The deny all, allow by exception would be ideal. Possibly can convince that for the future.
Right now, I want to focus only on blocking SMB
06-08-2018 12:48 PM
Risk 1 through 3 from their trust to untrust zones is not a great way to allow traffic to the Internet.
There are 58 pages of applications when I look at this on my firewall.
I found this out the hard way when someone set this up for our guest networks and we had a big netbios attacks launch from a rogue machine on our network. Whittle it down to what you actually need.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
