sims
Explorer II
September 17, 2020
Question

smbv1 logs


Hi,

Is there a way to identify SMBv1 access logs?

Thanks


    poundy
    New Member
    September 21, 2020

    SMB is expected to be an internal protocol, not a firewall-permitted one. I'd look at this from a Windows perspective, not at the firewall. What are you trying to achieve, rather than how you think you might like to review it?

    sims (Author)
    Explorer II
    September 22, 2020

    Hi,

    I am trying to see which server is still using SMB1.

    Thanks 

    TecnetRuss
    Visitor III
    September 22, 2020

    Yes, you can with Application Control.

    Assuming that your servers and workstations are on different VLANs, you'd need to enable Application Control on the policies through which server to workstation (and vice versa, workstation to server) traffic flows, ensuring that the Application Control profile you're using includes the "SMB.v1" application signature and you've got logging set to "All". Then you'll see traffic marked as "SMB.v1" in your logs (if it exists).

    This doesn't help you obviously if all your devices are on the same subnet as the traffic isn't flowing through the FortiGate to be inspected, and it won't catch same-subnet server-to-server SMB v1 traffic for the same reason, or if other network devices are handling your intra-VLAN routing.

    Technically, you could also use Application Control in a policy to block SMB v1 traffic from crossing the network boundaries governed by your FortiGate, but I wouldn't rely on this alone. This may help with non-Windows devices (e.g. old NAS device) but blocking SMB v1 on your domain servers and workstations should be done by group policy.

    Russ

    NSE7
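
An added example, not part of the thread: once Application Control logging is enabled as described in the reply above, exported logs can be reduced to a list of servers that still accept SMBv1 and the clients talking to them. It assumes logs in FortiGate's key=value text format with `subtype`, `app`, `srcip` and `dstip` fields, and that the session destination is the server; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value log style (not real traffic).
# Assumed fields: subtype, app, srcip, dstip.
SAMPLE_LOG = """\
date=2020-09-22 time=10:01:12 type="utm" subtype="app-ctrl" srcip=10.1.20.15 dstip=10.1.10.5 dstport=445 app="SMB.v1" action="pass"
date=2020-09-22 time=10:01:40 type="utm" subtype="app-ctrl" srcip=10.1.20.16 dstip=10.1.10.5 dstport=445 app="SMB.v1" action="pass"
date=2020-09-22 time=10:02:03 type="utm" subtype="app-ctrl" srcip=10.1.20.15 dstip=10.1.10.9 dstport=445 app="SMB.v2" action="pass"
date=2020-09-22 time=10:03:27 type="utm" subtype="app-ctrl" srcip=10.1.20.15 dstip=10.1.10.7 dstport=139 app="SMB.v1" action="pass"
date=2020-09-22 time=10:04:51 type="traffic" subtype="forward" srcip=10.1.20.15 dstip=10.1.10.5 dstport=445 service="SMB"
"""

# key=value pairs; a value is either "quoted, may contain spaces" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, unquoting quoted values."""
    return {key: (inner if raw.startswith('"') else raw)
            for key, raw, inner in FIELD_RE.findall(line)}


def smbv1_servers(log_text, signature="SMB.v1"):
    """Map each server IP (session destination) to the sorted clients seen using SMBv1."""
    servers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only Application Control records carry the application signature name.
        if rec.get("subtype") != "app-ctrl" or rec.get("app") != signature:
            continue
        if "srcip" in rec and "dstip" in rec:
            servers[rec["dstip"]].add(rec["srcip"])
    return {srv: sorted(clients) for srv, clients in servers.items()}


if __name__ == "__main__":
    for server, clients in sorted(smbv1_servers(SAMPLE_LOG).items()):
        print(f"{server}: SMBv1 from {', '.join(clients)}")
```

As the reply notes, this only reflects traffic that crosses the FortiGate; same-subnet SMBv1 sessions never appear in these logs.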