topic Re: SMB inspection in General Topics

SMB inspection

Shahar_Grober — Wed, 24 Oct 2018 22:17:47 GMT

Hi Gurus,

Is there a way to inspect access to specific shares using SMB on R80.10

is there a resource for SMB as there is a resource for CIFS which allow creating a rule with access only to specific share

from what I have checked, CIFS resource is working with microsoft-ds service which uses port 445 which is the same as SMB. is this equivalent configuration to SMB inspection?

Does anyone know what the performance implication of enabling it on a security policy rule (does it disable SecureXL)?

Can someone point out how to configure it (documentation/SK)?

Re: SMB inspection

Benoit_Verove — Thu, 25 Oct 2018 15:30:08 GMT

Hi,

I've never tried but there is an SK for activating inspection (AV, & TE) on SMB : sk101606

You have to do that with Guibdedit, not in the smart console.

Regards,

Benoit

Re: SMB inspection

Shahar_Grober — Thu, 25 Oct 2018 19:10:33 GMT

sk101606 SMB/CIFS traffic by Anti-Virus blade or Threat Emulation blade.

I am talking about restricting access for a specific path

the topology is:

APP server on DMZ ----> Check Point R80.10 cluster ----> File Server

The connection between the APP Server on the DMZ to the file server is via SMB. the App is accessing a specific directory on the file server and pulling files.

we tested it with CIFS resource but:

1. CIFS Resource doesn't work in R80.10 (sk110519 - When configuring a rule with CIFS resource, policy enforcement does not work as expected and is denied to access all the permitted CIFS shares. As a result, all CIFS traffic is dropped.PRHF-612,
PMTR-12889, PMTR-17086, PMTR-17087 )

2. CIFS resources disable SecureXL accept templates

Any other idea on how to restrict SMB access to a specific path on the file server via Check Point gateway will be very helpful