Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sims
New Contributor III

smbv1 logs

Hi,

Is there a way to identify SMBv1 access logs?

Thanks

poundy
Contributor

SMB is expected to be an internal protocol, not a firewall-permitted one. I'd look at this from a Windows perspective, not at the firewall. What are you trying to achieve, rather than how you think you might like to review it?

sims
New Contributor III

Hi,

I am trying to see which server is still using SMB1.

Thanks 

TecnetRuss

Yes, you can with Application Control.

Assuming that your servers and workstations are on different VLANs, you'd need to enable Application Control on the policies through which server-to-workstation (and vice versa, workstation-to-server) traffic flows, ensuring that the Application Control profile you're using includes the "SMB.v1" application signature and you've got logging set to "All". Then you'll see traffic marked as "SMB.v1" in your logs (if it exists).

This doesn't help you, obviously, if all your devices are on the same subnet, as the traffic isn't flowing through the FortiGate to be inspected, and it won't catch same-subnet server-to-server SMB v1 traffic for the same reason, or if other network devices are handling your intra-VLAN routing.

Technically, you could also use Application Control in a policy to block SMB v1 traffic from crossing the network boundaries governed by your FortiGate, but I wouldn't rely on this alone. This may help with non-Windows devices (e.g. an old NAS device), but blocking SMB v1 on your domain servers and workstations should be done by group policy.

Russ

NSE7
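
Once the logging described in the reply above is enabled, the "SMB.v1" hits can be summarised per server from an exported log file. This is an added example, not part of the thread or Fortinet's own tooling; the log lines are constructed, and the key=value layout and field names (`subtype`, `srcip`, `dstip`, `app`) are assumptions to check against your own FortiOS log export.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiOS-style key=value format (not real device logs).
SAMPLE_LOGS = """\
date=2024-01-10 time=09:15:02 type="utm" subtype="app-ctrl" srcip=10.10.20.31 dstip=10.10.10.5 dstport=445 app="SMB.v1" action="pass"
date=2024-01-10 time=09:15:40 type="utm" subtype="app-ctrl" srcip=10.10.20.44 dstip=10.10.10.5 dstport=445 app="SMB.v1" action="pass"
date=2024-01-10 time=09:16:11 type="utm" subtype="app-ctrl" srcip=10.10.20.31 dstip=10.10.10.8 dstport=445 app="SMB" action="pass"
date=2024-01-10 time=09:17:25 type="utm" subtype="app-ctrl" srcip=10.10.10.9 dstip=10.10.20.60 dstport=445 app="SMB.v1" action="pass"
date=2024-01-10 time=09:18:03 type="traffic" subtype="forward" srcip=10.10.20.31 dstip=10.10.10.5 dstport=443 app="HTTPS.BROWSER" action="accept"
"""

# key=value pairs; a value is either a "quoted string" or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of field -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def smbv1_servers(lines, signature="SMB.v1"):
    """Map each SMB v1 server (dstip) to the sorted clients (srcip) that reached it."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        # Only Application Control records are expected to name the signature in "app".
        if rec.get("subtype") != "app-ctrl" or rec.get("app") != signature:
            continue
        if "srcip" in rec and "dstip" in rec:
            seen[rec["dstip"]].add(rec["srcip"])
    return {server: sorted(clients) for server, clients in seen.items()}


if __name__ == "__main__":
    report = smbv1_servers(SAMPLE_LOGS.splitlines())
    for server, clients in sorted(report.items()):
        print(f"{server} accepted SMB v1 from: {', '.join(clients)}")
```

The destination address is treated as the SMB server because it is the side being connected to, so a device in the workstation VLAN (such as a NAS) shows up as a server too.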