topic Re: SMBv2-v3 on Mobile Access File Share (and not only SMBv1 - CIFS) in SASE and Remote Access

SMBv2-v3 on Mobile Access File Share (and not only SMBv1 - CIFS)

XavierBens — Tue, 12 Jun 2018 13:56:18 GMT

Hi,

I've found some unclear information regarding Server_Message_Block versions supported on mobile-access-blade file-share functionality.

What is unclear? We have "A file share defines a collection of files (...) such as SMB for Windows" in the MobileAccess Admin Guide R77 or in the sk104577 ATRG: Mobile Access Blade .

Even the sk111097 Slow upload speed of files via Mobile Access File Share (CIFS for example) says "CIFS for example".

BUT referring the sk112202 File Shares using SMBv2/SMBv3 cannot be accessed using the Mobile Access Blade File Share application : Mobile Access only support SMBv1 (formerly CIFS) and not SMBv2 nor SMBv3 (on any version and any platform).

Even in the ATRG, we have the picture bellow:

So, could we:

Be more accurate and say that only SMBv1 (CIFS) is supported on Mobile Access File Share functionality
support SMBv2 or SMBv3 ?

I've asked yesterday ‌ team to understand if there is a plan to support such versions.

Re: SMBv2-v3 on Mobile Access File Share (and not only SMBv1 - CIFS)

PhoneBoy — Tue, 12 Jun 2018 19:00:39 GMT

The reason we don't currently support SMBv2/v3 has to do with the Linux kernel we are using.

Once the gateway supports a newer kernel (like is planned for R80.20), it should be possible to support SMBv2/v3.

However, I can't say if R80.20 will support this out of the gate.

Re: SMBv2-v3 on Mobile Access File Share (and not only SMBv1 - CIFS)

XavierBens — Wed, 13 Jun 2018 13:55:03 GMT

And secureknowledge‌ team answered:

R&D responded: "It's a known RFE."
sk was modified accordingly.

The Solution part of the sk112202‌ as been effectively updated:

So: do not hesitate to Request for Enhancement.

Re: SMBv2-v3 on Mobile Access File Share (and not only SMBv1 - CIFS)

Jeroen_Demets — Fri, 06 Jul 2018 06:27:20 GMT

Ouch, I'm disappointed as SMB1 should be gone everywhere... too many vulnerabilities in it (remember wannacry?)

Check this link, even Microsoft wants it to be obsolete: https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

I'll submet the RFE right now as only supporting SMB1 is not worthy for a security vendor!

Re: SMBv2-v3 on Mobile Access File Share (and not only SMBv1 - CIFS)

Timothy_Hall — Fri, 06 Jul 2018 12:48:00 GMT

Not to pile on here, but SMBv1 does not handle latency in excess of what is typically encountered on a LAN very well. Quoted from the second edition of my book:

Special Case: CIFS/SMB Performance over VPN

The well-known CIFS/SMB (Common Internet File System/Server Message Block)
protocol frequently experiences degraded performance in the context of a site-to-site or
Remote Access VPN, but probably not for the reason you think. Commonly used for
mounting drive shares (among other functions) in Microsoft Windows networks,
CIFS/SMB version 1 was originally intended and optimized for use in a low-latency
LAN environment. Part of this optimization was the requirement that for every certain
amount of data sent (called an Application Block Size which ranges between 4KBytes-
64Kbytes), an acknowledgement must be received from the peer before any more data
can be sent. Note that this peer acknowledgement requirement is part of CIFS/SMB
itself, and completely unrelated to the underlying transport protocol such as TCP window
sizes or ACKs. The Network File System (NFS) protocol was also originally designed to
run across a LAN with assumed low latency.

While this performance limitation of CIFS/SMB version 1 is not directly related to
the use of a VPN, the networks employed by a VPN such as the Internet tend to have
significantly higher latency than LAN or private WAN connections. There could be an
impressive 10Gbit of Internet bandwidth between two sites on the Internet, but if the
latency is 100ms or greater, CIFS performance across the VPN (or even in the clear) will
be dismal no matter what you do.

While there is really no firewall tuning we can perform to improve this situation,
there is something you can do: Try to force the systems involved to utilize SMB version
2.1 or higher which supports pipelining; many very old Windows systems still default to
SMBv1. While the peer acknowledgement requirement still exists in SMB version 2.1
and later, pipelining allows multiple Application Blocks to be in transit between the
peers simultaneously instead of just one block at a time. Ensuring the use of SMB
version 2.1 or higher can provide dramatic CIFS/SMB performance improvements across
a VPN or any other network with high latency.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: SMBv2-v3 on Mobile Access File Share (and not only SMBv1 - CIFS)

Jeroen_Demets — Wed, 08 Jan 2020 08:05:09 GMT

old topic, but just wanted to reply that Gaia on kernel 3.10 gateways support SMBv2/v3

So that is one reason to reinstall your gateways instead of upgrading so you can use the new kernel

Re: SMBv2-v3 on Mobile Access File Share (and not only SMBv1 - CIFS)

Dreyfuss — Sat, 18 Apr 2020 22:29:03 GMT

So, there a way to force "SMBv3 only" on the Gaia?

Re: SMBv2-v3 on Mobile Access File Share (and not only SMBv1 - CIFS)

PhoneBoy — Sun, 19 Apr 2020 02:00:30 GMT

You can force it on the server side, I think, which is the correct approach.
In any case, we only support SMBv2/v3 on releases with Linux 3.10 kernel (default in R80.40).

Re: SMBv2-v3 on Mobile Access File Share (and not only SMBv1 - CIFS)

Dreyfuss — Thu, 18 Mar 2021 16:44:44 GMT

Thank you.

Re: SMBv2-v3 on Mobile Access File Share (and not only SMBv1 - CIFS)

Dreyfuss — Tue, 23 Mar 2021 11:45:51 GMT

Hi! The default for 80.30 is SMBv1, not v2/3. You must enforce the SMBv2/3 on Gaia side.