buddyd
New Member
October 18, 2016
Question

disable netbios via Fortigate 240D?

  • October 18, 2016
  • 1 reply
  • 15034 views

Greetings Folks,

We have an active-passive cluster of 240D's, current OS is 5.2.8 build 727. Without going into too much detail, we are trying to use the Fortigate to disable NetBIOS over tcp/ip on Windows machines as we have recently seen a large amount of NBstat.Query errors from the IPS. Tech Support has provided documentation to do this, we have it configured but it seems to be ineffective. The command line (see below) will work if run directly on the Windows device but once converted to hex and added to the FG config, nothing. I have been assured by Fortinet tech support that the syntax/config is correct on the Fortigate.

Anyone else ever successfully do this? Has anyone been able to get this to work?

 

Any help/advice is greatly appreciated.

 

Thank you.

Buddy

 

######################################################

 

wmic /interactive:off nicconfig where TcpipNetbiosOptions=0 call SetTcpipNetbios 2

 

# config vdom

# edit #####FW1

# config system dhcp server

# edit 5

#

config system dhcp server
 
    edit 5
        set status enable
        set lease-time 604800
        set mac-acl-default-action assign
        set forticlient-on-net-status enable
        set dns-service specify
        set wifi-ac1 0.0.0.0
        set wifi-ac2 0.0.0.0
        set wifi-ac3 0.0.0.0
        set ntp-service specify
        set domain ''
        set wins-server1 0.0.0.0
        set wins-server2 0.0.0.0
        set default-gateway 192.168.26.1
        set next-server 0.0.0.0
        set netmask 255.255.254.0
        set interface "Wifi Guest"
            config ip-range
                edit 1
                    set start-ip 192.168.26.2
                    set end-ip 192.168.26.200
                next
            end
        set timezone-option default
        set tftp-server ''
        set filename ''
        set option1 252 '776d6963202f696e7465726163746976653a6f6666206e6963636f6e6669672077686572652054637069704e657462696f734f7074696f6e733d302063616c6c2053657454637069704e657462696f732032'
        set option2 0
        set option3 0
        set option4 0
        set option5 0
        set option6 0
        set server-type regular
        set conflicted-ip-timeout 1800
        set auto-configuration enable
        set vci-match disable
        set dns-server1 8.8.8.8
        set dns-server2 4.2.2.2
        set dns-server3 0.0.0.0
        set ntp-server1 0.0.0.0
        set ntp-server2 0.0.0.0
        set ntp-server3 0.0.0.0
    next
end
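To check whether the option1 252 payload in the stanza above is a faithful hex encoding of the wmic command, here is an added Python example (not from the post or from Fortinet) that parses the quoted-hex option lines out of a FortiGate DHCP server stanza, decodes them, and round-trips the command back to hex. Decoding shows the payload matches the command byte for byte, so a transcription error is not the cause; keep in mind that a DHCP option only carries bytes to the client, the client's DHCP stack does not execute them, and option 252 is by convention read as a WPAD proxy-autoconfig URL. The config excerpt is a constructed cut-down of the posted stanza, keeping only the lines the check needs.

```python
import re

# The wmic command the post wants pushed to clients (quoted from the post).
WMIC_COMMAND = "wmic /interactive:off nicconfig where TcpipNetbiosOptions=0 call SetTcpipNetbios 2"

# Constructed excerpt of the posted DHCP server stanza, trimmed to the lines that
# matter for this check; the option1 hex value is the one from the post.
CONFIG_EXCERPT = """\
config system dhcp server
    edit 5
        set interface "Wifi Guest"
        set option1 252 '776d6963202f696e7465726163746976653a6f6666206e6963636f6e6669672077686572652054637069704e657462696f734f7074696f6e733d302063616c6c2053657454637069704e657462696f732032'
        set option2 0
    next
end
"""

# Matches "set optionN <code> '<hex>'" lines (quoted hex payload) in a FortiGate DHCP stanza.
# Lines such as "set option2 0" carry no payload and do not match.
OPTION_RE = re.compile(r"^\s*set option\d+\s+(\d+)\s+'([0-9a-fA-F]*)'\s*$", re.MULTILINE)


def parse_dhcp_options(config_text):
    """Return {option_code: raw_bytes} for every quoted-hex DHCP option in the stanza."""
    options = {}
    for code, hexstr in OPTION_RE.findall(config_text):
        options[int(code)] = bytes.fromhex(hexstr)
    return options


def decode_option(config_text, code):
    """Decode one option's payload as ASCII text; None if the option is not set."""
    payload = parse_dhcp_options(config_text).get(code)
    return payload.decode("ascii") if payload is not None else None


def encode_for_fortigate(text):
    """Encode a string the way the CLI stanza above stores it: lowercase hex of its bytes."""
    return text.encode("ascii").hex()


if __name__ == "__main__":
    decoded = decode_option(CONFIG_EXCERPT, 252)
    print("option 252 decodes to:", decoded)
    print("matches intended command:", decoded == WMIC_COMMAND)
```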
 

 

 

    1 reply

    emnoc
    New Member
    October 18, 2016

    NetBIOS over TCP? And nbstat.query, I would look for Fortinet and a vips signature for this. I believe they have one or could write one for you if not available now.

     

    buddyd (Author)
    New Member
    October 18, 2016

    Thanks emnoc.

     

    We've noticed the IPS warning (nbstat.query) seems to be triggered by Windows 10 machines only, some testing with Windows 7 laptops doesn't exhibit the same behavior.

    My question is, if the configuration above for the dhcp server is correct (confirmed by Fortinet Support), then why doesn't it work?

    emnoc
    New Member
    October 18, 2016

    What's not working with that DHCP-server configuration? It looks good from a casual glance, I'm too lazy to decode your option252 ;)

     

    Did you try a diag debug app dhcps -1 to see what could be happening? Is the subnet and mask and gateway correct for that cfg, and the correct interface?

     

     

    e.g

     

    diag debug reset 

    diag debug en

    diag debug application  dhcps -1

     

    Were you expecting the dhcp-server to fix your nbstat.query issues? FWIW I believe NetBIOS over TCP is a Windows 10 default and most all others need you to enable it via the local properties of the TCP/IPv4 interfaces.

     

    If you set static or supplied WINS server settings, then the clients should use that ONLY, but without locking down the clients this is not the best approach for control imho.