Blocking SMB Traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Blocking SMB Traffic

L4 Transporter

I was doing a review of some firewall policies and noticed the company I am consulting for is allowing all applications risk 1 through 3 from their trust to untrust zones.  Not sure why it's setup that way yet, but in doing so, SMB traffic is alllowed out. 

 

I want to immediately put a control in that blocks SMB traffic outbound. Is it recommended to create the policy using only ports, tcp/udp port 445, or should I block via SMB application?   My thought is block via ports, but I'll do whatever is the recommended way.

 

What about tcp/udp port 137 and 139?  Should these also be added to the blocked 'from trust to untrust' rule?

 

I'm curious to what you all are doing.

 

thanks

 

8 REPLIES 8

L7 Applicator

They are not mutually exclusive. You can do both. Just leave the rule where you define application SMB, set to application 'any', so if SMB is used evasively through different ports, it can also be blocked.

Not sure I'm following your response. Do you mean if you choose SMB for application, set the Service to Any?

 

Is it common practice to create multiple rules to block SMB?

Yes, SMB for application, Service to Any.

 

Not sure what common practice is, but some environments require that *no* packets leave out on specific ports.

The app-id engine needs to allow a few packets through before it identifies the application, so if you go solely with an app-id rule, a few packets will always leave the firewall before there's a block action enforced.

thanks. what method do you use on your firewalls (if you don't mind me asking)

I'm with Palo Alto Networks Support, so I will allow other members of the community to provide that answer.

Hello,

We have a strict deny all allow by exception policy at our company. So we only allow appplications/ports/urls etc., based on approval from the executives. If you are looking to block traffic, start with the logs and see what is being allowed out and start blocking on it. The ACC tab can help you with this as well. 

 

As for writing policies, I try to use applications rather than actual ports.

 

Hope that helps.

Hi,

 

The deny all, allow by exception would be ideal. Possibly can convince that for the future.

 

Right now, I want to focus only on blocking SMB

Risk 1 through 3 from their trust to untrust zones is not a great way to allow traffic to the Internet.

There are 58 pages of applications when I look at this on my firewall.

 

I found this out the hard way when someone set this up for our guest networks and we had a big netbios attacks launch from a rogue machine on our network.   Whittle it down to what you actually need.

 

 

 

  • 14582 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!