Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kajlasunil
Staff
Staff

Created on ‎03-26-2025 07:57 AM

Article Id 382258

Technical Tip: How to block SMBv1 and allow SMBv3 on a FortiGate firewall

Description

The article describes how to block SMBv1 because it is a legacy protocol, making it a prime target for cyberattacks.
Scope FortiOS.
Solution

Since FortiGate firewall rules alone cannot differentiate between SMB versions, the best approach is to use an Application control signature to detect the SMB version.

SMBv1 operates over TCP 139 and TCP 445. Since SMBv2 and SMBv3 also use TCP 445, the Firewall policy must use Deep Packet Inspection (DPI) to block only SMBv1.

 

To block SMBv1 and allow SMBv3 on a FortiGate firewall, follow these steps:

 

Create an Application profile to block SMBV1:

  • Log in to FortiGate.
  • Go to Security Profiles -> Application Control.
  • Create a new profile or edit an existing one.
  • Select Add Signatures and search for SMB.
  • Select SMB v1 and set the action to Block and Save.

 

SMB App.PNG

 

Apply the Application Control Profile to a Firewall Policy:

  • Create a New Firewall policy to allow only the SMB protocol.
  • Under Security Profiles, enable Application Control, and select the profile created above.
  • Save and apply changes.

 

SMB policy.PNG

 

Related document: 

Deep inspection
1824
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.