xosearmado13
New Member
May 15, 2017
Solved

Isolate communication to UDP ports 137 / 138 and TCP ports 139 / 445.

  • May 15, 2017
  • 1 reply
  • 11091 views

In my company we have a Fortigate 100D. Can someone please help me isolate these ports, due to the ransomware attack that happened in the last few days?

Thank you very much.

    Best answer by ede_pfau

    1 reply

    ede_pfau
    SuperUser
    May 16, 2017

    Hi,

    Fortinet has communicated that they have issued an AV signature update for this, as well as an IPS signature. In fact, there are 2 IPS signatures related to MS17-010.

    This is the IPS sensor in CLI:

    config ips sensor
        edit "WannaCry"
            set comment "20170515 block Wannacry/EternalBlue trojan"
            config entries
                edit 1
                    set rule 43796
                    set status enable
                    set action block
                    set rate-count 1
                    set rate-duration 5
                next
                edit 2
                    set rule 43797
                    set status enable
                    set action block
                next
            end
        next
    end

    The first one is a filter set to block. The second is a rate-limited signature which is set to trigger on the first appearance.

    So, instead of completely blocking SMB you can insert an IPS profile with this sensor to protect your clients' network shares.

    Note that not only Windows Server OS is affected but Windows 7, 8, 8.1 client OS.
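    Worked example added here (not from ede_pfau's post or from Fortinet documentation) of the two pieces this thread asks about: a service object for the SMB/NetBIOS ports named in the question, a deny policy for them towards the WAN, and a LAN-to-server policy that keeps SMB open but runs it through the "WannaCry" sensor above. Interface names "lan", "servers" and "wan1", the object name "SMB-NetBIOS" and policy IDs 10 and 11 are assumptions; adjust them to your FortiGate.

```fortios
# Added example, not from the thread. Assumed names: interfaces "lan",
# "servers" and "wan1"; service object "SMB-NetBIOS"; policy IDs 10 and 11.
config firewall service custom
    edit "SMB-NetBIOS"
        set comment "NetBIOS name/datagram (UDP 137-138), SMB session/direct (TCP 139/445)"
        set tcp-portrange 139 445
        set udp-portrange 137-138
    next
end

config firewall policy
    # 1) Deny SMB/NetBIOS leaving the LAN towards the Internet.
    #    Policies match top-down: this must sit above any LAN->WAN allow rule.
    edit 10
        set name "Block-SMB-outbound"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "SMB-NetBIOS"
        set logtraffic all
    next
    # 2) Keep SMB to the file servers working, but inspect it with the
    #    "WannaCry" IPS sensor from the answer (rules 43796/43797) so that
    #    MS17-010 exploit attempts are dropped instead of the whole protocol.
    edit 11
        set name "LAN-to-servers-SMB-IPS"
        set srcintf "lan"
        set dstintf "servers"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMB-NetBIOS"
        set utm-status enable
        set ips-sensor "WannaCry"
        set logtraffic all
    next
end
```

    Hosts on the same layer-2 segment reach each other without crossing the FortiGate, so the IPS policy only inspects SMB that is routed between interfaces or VLANs; check the IPS log for rule 43796/43797 hits after applying it.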

    Carl_Wallmark
    New Member
    May 16, 2017

    Don't forget "DoublePulsar" and set it to RDP on port 3389 ;)

    lyberis19179
    New Member
    May 18, 2017

    Selective wrote:

    Don't forget "DoublePulsar" and set it to RDP on port 3389 ;)

    Good morning mate, thanks for the advice!! How can I do that and how can I apply it to my local LAN configuration???


    Cheers mates.