smbv1 logs

Author: sims
2020/09/17 07:30:15

Hi,
Is there a way to identify smbv1 access logs?
Thanks
#1

    poundy
    Re: smbv1 logs 2020/09/21 15:48:15
    SMB is expected to be an internal protocol, not a firewall-permitted one. I'd look at this from a Windows perspective, not at the firewall. What are you trying to achieve, rather than how you think you might like to review it?
     
    #2
    sims
    Re: smbv1 logs 2020/09/22 10:44:42
    Hi,
    I am trying to see which server is still using SMB1.
    Thanks 
    #3
    TecnetRuss
    Re: smbv1 logs 2020/09/22 11:32:40
    Yes, you can with Application Control.
     
    Assuming that your servers and workstations are on different VLANs, you'd need to enable Application Control on the policies through which server to workstation (and vice versa, workstation to server) traffic flows, ensuring that the Application Control profile you're using includes the "SMB.v1" application signature and you've got logging set to "All".  Then you'll see traffic marked as "SMB.v1" in your logs (if it exists).
     
    This doesn't help you obviously if all your devices are on the same subnet as the traffic isn't flowing through the FortiGate to be inspected, and it won't catch same-subnet server-to-server SMB v1 traffic for the same reason, or if other network devices are handling your intra-VLAN routing.
     
    Technically, you could also use Application Control in a policy to block SMB v1 traffic from crossing the network boundaries governed by your FortiGate, but I wouldn't rely on this alone. This may help with non-Windows devices (e.g. an old NAS device) but blocking SMB v1 on your domain servers and workstations should be done by group policy.
     
    Russ
    NSE7
    #4
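
One way to turn the Application Control logs described in the reply above into a list of servers still being reached over SMB v1 (an added example, not part of the thread and not Fortinet code). The sample log lines are constructed, and the field names (`subtype`, `app`, `srcip`, `dstip`) assume a FortiGate key=value log export; check them against your own logs.

```python
import shlex
from collections import Counter

# Constructed sample lines in key=value log style (not taken from the thread).
SAMPLE_LOGS = """\
date=2020-09-22 time=11:40:01 type="utm" subtype="app-ctrl" srcip=10.1.20.15 dstip=10.1.10.5 dstport=445 app="SMB.v1" action="pass"
date=2020-09-22 time=11:40:07 type="utm" subtype="app-ctrl" srcip=10.1.20.22 dstip=10.1.10.5 dstport=445 app="SMB.v1" action="pass"
date=2020-09-22 time=11:41:13 type="utm" subtype="app-ctrl" srcip=10.1.20.15 dstip=10.1.10.9 dstport=445 app="SMB" action="pass"
date=2020-09-22 time=11:42:30 type="utm" subtype="app-ctrl" srcip=10.1.20.15 dstip=10.1.10.5 dstport=445 app="SMB.v1" action="pass"
date=2020-09-22 time=11:43:02 type="traffic" subtype="forward" srcip=10.1.20.30 dstip=10.1.10.7 dstport=443 action="accept"
"""

def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def smb1_servers(log_text, signature="SMB.v1"):
    """Return {server_ip: Counter(client_ip -> hits)} for one app signature."""
    servers = {}
    for line in log_text.splitlines():
        try:
            rec = parse_line(line)
        except ValueError:  # unbalanced quote: skip the malformed line
            continue
        if rec.get("subtype") != "app-ctrl" or rec.get("app") != signature:
            continue
        if "srcip" not in rec or "dstip" not in rec:
            continue
        # The session initiator is the client, so dstip is treated as the server.
        servers.setdefault(rec["dstip"], Counter())[rec["srcip"]] += 1
    return servers

if __name__ == "__main__":
    for server, clients in sorted(smb1_servers(SAMPLE_LOGS).items()):
        for client, hits in clients.most_common():
            print(f"{server} <- {client}: {hits} SMB.v1 session(s)")
```

As the reply notes, this only covers traffic that crosses a policy with Application Control enabled; same-subnet SMB v1 never reaches these logs.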