CIFS support

File filtering and antivirus scanning are supported for proxy-based inspection of Common Internet File System (CIFS) traffic.

File filtering for CIFS is performed by inspecting the first 4 KB of the file to identify the file's magic number. If a match occurs, CIFS file filtering prevents the CIFS command that contains that file from running.

The CIFS security profile handles the configuration of file filtering on CIFS. The antivirus profile handles the antivirus configuration for CIFS scanning.

For a CIFS profile to be available for assignment in a policy, the policy must use proxy inspection mode. See Proxy mode inspection for details.

CIFS scanning in proxy inspection mode has the following limitations:

  • File types and infections within archive files cannot be detected.
  • Oversized files cannot be detected.
  • Special condition archive files (encrypted, corrupted, mailbomb, and so on) marked by the antivirus engine are blocked automatically.

Supported file types

File filter supports the following file types:

File Type Name  Description
7z              Match 7-zip files
arj             Match arj compressed files
cab             Match Windows cab files
lzh             Match lzh compressed files
rar             Match rar archives
tar             Match tar files
zip             Match zip files
bzip            Match bzip files
gzip            Match gzip files
bzip2           Match bzip2 files
xz              Match xz files
bat             Match Windows batch files
msc             Match msc files
uue             Match uue files
mime            Match mime files
base64          Match base64 files
binhex          Match binhex files
bin             Match bin files
elf             Match elf files
exe             Match Windows executable files
hta             Match hta files
html            Match html files
jad             Match jad files
class           Match class files
cod             Match cod files
javascript      Match javascript files
msoffice        Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex       Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
fsg             Match fsg files
upx             Match upx files
petite          Match petite files
aspack          Match aspack files
prc             Match prc files
sis             Match sis files
hlp             Match Windows help files
activemime      Match activemime files
jpeg            Match jpeg files
gif             Match gif files
tiff            Match tiff files
png             Match png files
bmp             Match bmp files
unknown         Match unknown files
mpeg            Match mpeg files
mov             Match mov files
mp3             Match mp3 files
wma             Match wma files
wav             Match wav files
pdf             Match pdf files
avi             Match avi files
rm              Match rm files
torrent         Match torrent files
msi             Match Windows Installer msi bzip files
mach-o          Match Mach object files
dmg             Match Apple disk image files
.net            Match .NET files
xar             Match xar archive files
chm             Match Windows compiled HTML help files
iso             Match ISO archive files
crx             Match Chrome extension files

Configure file-type filtering and antivirus scanning on CIFS traffic

To configure file-type filtering and antivirus scanning on CIFS traffic:
  1. Configure a CIFS domain controller
  2. Configure a CIFS profile
  3. Configure an antivirus profile

Configure a CIFS domain controller

The domain controller must be configured when CIFS traffic is encrypted, such as SMB 3.0 traffic. The configuration tells the FortiGate the network location of the domain controller and the superuser credentials used to obtain session keys.

To configure the CIFS domain controller:
config cifs domain-controller
    edit "DOMAIN"
        set domain-name "EXAMPLE.COM"
        set username "admin-super"
        set password **********
        set ip 172.16.201.40
    next
end

Configure a CIFS profile

To create a CIFS profile, configure the server credential type and add file filter entries.

Set the CIFS server credential type

The CIFS server credential type can be none, credential-replication, or credential-keytab.

none

The CIFS profile assumes the CIFS traffic is unencrypted (used with SMB 2.0). This is the default value.

config cifs profile
    edit "cifs"
        set server-credential-type none
    next
end

credential-replication

To decrypt CIFS traffic, FortiOS obtains the session key from the domain controller by logging in to the superuser account. The domain controller must be configured.

config cifs profile
    edit "cifs"
        set server-credential-type credential-replication
        set domain-controller "DOMAIN"
    next
end

Variable                      Description
domain-controller <string>    The previously configured domain to decrypt CIFS traffic for.

credential-keytab

To decrypt CIFS traffic, FortiOS uses a series of keytab values. This method is used when the SMB connection is authenticated by Kerberos. Keytab entries must be configured, and are stored in FortiOS in plaintext.

config cifs profile
    edit "cifs"
        set server-credential-type credential-keytab
        config server-keytab
            edit "keytab1"
                set keytab "BQIAAABFAAEAC0VYQU1QTEUuQ09NAAdleGFtcGxlAAAAAVUmAlwBABIAILdV5P6NXT8RrTvapcMJQxDYCjRQiD0BzxhwS9h0VgyM"
            next
        end
    next
end

Variable                      Description
keytab <keytab>               Base64 encoded keytab file containing the credentials of the server.

Configure CIFS profile file filtering

Multiple file filter entries can be added to a profile.

To configure a file filter entry in a CIFS profile:
config cifs profile
    edit "cifs"
        config file-filter
            set status {enable | disable}
            set log {enable | disable}
            config entries
                edit <filter>
                    set comment <string>
                    set action {log | block}
                    set direction {incoming | outgoing | any}
                    set file-type <file_type>
                next
            end
        end
    next
end

Variable                                    Description

status {enable | disable}                   Enable/disable file filter (default = enable).

log {enable | disable}                      Enable/disable file filter logging (default = enable).

comment <string>                            A brief comment describing the entry.

action {log | block}                        The action to take for matched files:
                                              • log: Allow the content and write a log message (default).
                                              • block: Block the content and write a log message.

direction {incoming | outgoing | any}       Match files transmitted in the session's originating (incoming) and/or reply (outgoing) direction (default = any).

file-type <file_type>                       The file types to be matched (default = none). See Supported file types for details.
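The magic-number identification described at the top of this page and the file-filter entries above, modelled together as an added Python example (not FortiOS code): the file type comes from the first 4 KB of content regardless of the file name, and the entries then decide the action. The signature table covers only a subset of the supported types, and first-match-wins evaluation plus the "passthrough"/"blocked" action names borrowed from the sample logs are assumptions of this model.

```python
"""Toy model of CIFS file-type filtering: type a file from the magic number in
its first 4 KB, then apply file-filter entries shaped like the CIFS profile on
this page. Written as an example for this page; it is not FortiOS code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEAD_BYTES = 4096  # the page states that only the first 4 KB is inspected

# (file_type, offset, signature) for a subset of the supported types.
# offset None means "search anywhere in the inspected window".
SIGNATURES: List[Tuple[str, Optional[int], bytes]] = [
    ("exe",  0,    b"MZ"),
    ("elf",  0,    b"\x7fELF"),
    ("png",  0,    b"\x89PNG\r\n\x1a\n"),
    ("gzip", 0,    b"\x1f\x8b"),
    ("xz",   0,    b"\xfd7zXZ\x00"),
    ("7z",   0,    b"7z\xbc\xaf\x27\x1c"),
    ("rar",  0,    b"Rar!\x1a\x07"),
    ("zip",  0,    b"PK\x03\x04"),
    ("tar",  257,  b"ustar"),   # POSIX tar magic sits at offset 257
    ("pdf",  None, b"%PDF-"),   # PDF header may follow leading junk
]


def identify_file_type(data: bytes) -> str:
    """Return the file type name from the magic number, or 'unknown'."""
    window = data[:HEAD_BYTES]
    for name, offset, sig in SIGNATURES:
        if offset is None:
            if sig in window:
                return name
        elif window[offset:offset + len(sig)] == sig:
            return name
    return "unknown"


@dataclass
class FilterEntry:
    """One 'config entries' item: file-type, action and direction."""
    file_type: str
    action: str = "log"        # log | block
    direction: str = "any"     # incoming | outgoing | any


def evaluate(entries: List[FilterEntry], data: bytes, direction: str) -> Tuple[str, str]:
    """Return (file_type, action); action mirrors the log field: 'blocked'
    for a block entry, 'passthrough' otherwise. Assumption of this model:
    the first matching entry wins."""
    file_type = identify_file_type(data)
    for entry in entries:
        if entry.file_type == file_type and entry.direction in ("any", direction):
            return file_type, "blocked" if entry.action == "block" else "passthrough"
    return file_type, "passthrough"


# Constructed sample "files": a PE stub renamed to look like an image, a real
# PNG header, a PDF whose header lies beyond the 4 KB window, a tar, and noise.
SAMPLES = {
    "invoice.png": b"MZ\x90\x00" + b"\x00" * 60,
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "late_header.pdf": b"\x00" * 5000 + b"%PDF-1.7",
    "report.tar": b"\x00" * 257 + b"ustar\x00",
    "noise.bin": bytes(range(1, 40)),
}

# Constructed profile: block incoming executables, log PNG transfers.
PROFILE = [
    FilterEntry("exe", action="block", direction="incoming"),
    FilterEntry("png", action="log"),
]

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *evaluate(PROFILE, data, "incoming"))
```

The late_header.pdf sample comes out as "unknown" because its header is outside the inspected 4 KB, which is the limit the page describes.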

Configure an antivirus profile

The antivirus profile handles the antivirus configuration for CIFS scanning.

To configure an antivirus profile:
config antivirus profile
    edit "av"
        ...
        config cifs
            set options {scan avmonitor quarantine}
            set archive-block {encrypted corrupted partiallycorrupted multipart nested mailbomb fileslimit timeout unhandled}
            set archive-log {encrypted corrupted partiallycorrupted multipart nested mailbomb fileslimit timeout unhandled}
            set emulator {enable | disable}
            set outbreak-prevention {disabled | files | full-archive}
        end
    next
end

Variable                                    Description

options {scan avmonitor quarantine}         Enable/disable CIFS antivirus scanning, monitoring, and quarantine.

archive-block {encrypted corrupted          Select the archive types to block:
  partiallycorrupted multipart nested         • encrypted: Block encrypted archives.
  mailbomb fileslimit timeout unhandled}      • corrupted: Block corrupted archives.
                                              • partiallycorrupted: Block partially corrupted archives.
                                              • multipart: Block multipart archives.
                                              • nested: Block nested archives.
                                              • mailbomb: Block mail bomb archives.
                                              • fileslimit: Block archives that exceed the file count limit.
                                              • timeout: Block archives whose scan times out.
                                              • unhandled: Block archives that FortiOS cannot open.

archive-log {encrypted corrupted            Select the archive types to log:
  partiallycorrupted multipart nested         • encrypted: Log encrypted archives.
  mailbomb fileslimit timeout unhandled}      • corrupted: Log corrupted archives.
                                              • partiallycorrupted: Log partially corrupted archives.
                                              • multipart: Log multipart archives.
                                              • nested: Log nested archives.
                                              • mailbomb: Log mail bomb archives.
                                              • fileslimit: Log archives that exceed the file count limit.
                                              • timeout: Log archives whose scan times out.
                                              • unhandled: Log archives that FortiOS cannot open.

emulator {enable | disable}                 Enable/disable the virus emulator (default = enable).

outbreak-prevention {disabled | files |     Enable the virus outbreak prevention service:
  full-archive}                               • disabled: Disabled (default).
                                              • files: Analyze files as sent, not the content of archives.
                                              • full-archive: Analyze files, including the content of archives.

Log examples

File-type detection events generated by CIFS profiles are logged in the utm-cifs log category. Antivirus detection over the CIFS protocol generates logs in the utm-virus category. See the FortiOS Log Message Reference for more information.

Logs generated by CIFS profile file filter:
date=2019-03-28 time=10:39:19 logid="1800063001" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="notice" vd="vdom1" eventtime=1553794757 msg="File was detected by file filter." direction="incoming" action="passthrough" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33372 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="1154" filename="virus\\test.png" filtername="2" filetype="png"
date=2019-03-28 time=10:39:12 logid="1800063001" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="notice" vd="vdom1" eventtime=1553794751 msg="File was detected by file filter." direction="incoming" action="passthrough" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33370 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="81975" filename="virus\\screen.png" filtername="2" filetype="png"
date=2019-03-28 time=10:33:55 logid="1800063000" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="warning" vd="vdom1" eventtime=1553794434 msg="File was blocked by file filter." direction="incoming" action="blocked" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33352 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="28432" filename="filetypes\\mpnotify.exe" filtername="3" filetype="exe"
date=2019-03-28 time=10:33:45 logid="1800063000" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="warning" vd="vdom1" eventtime=1553794424 msg="File was blocked by file filter." direction="incoming" action="blocked" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33348 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="96528" filename="filetypes\\winmine.exe" filtername="3" filetype="exe"

Logs generated by AV profile for infections detected over CIFS:
date=2019-04-09 time=15:19:02 logid="0204008202" type="utm" subtype="virus" eventtype="outbreak-prevention" level="warning" vd="vdom1" eventtime=1554848342519005401 msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="SMB" sessionid=177 srcip=10.1.100.11 dstip=172.16.200.44 srcport=37444 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="outbreak\\zhvo_test.com" quarskip="File-was-not-quarantined." virus="503e99fe40ee120c45bc9a30835e7256fff3e46a" dtype="File Hash" filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" profile="av" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
date=2019-04-09 time=15:18:59 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1554848339909808987 msg="File is infected." action="blocked" service="SMB" sessionid=174 srcip=10.1.100.11 dstip=172.16.200.44 srcport=37442 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="sample\\eicar.com" quarskip="File-was-not-quarantined." virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="av" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
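An added Python example (not FortiOS code) that parses the key=value log format shown above and pulls out the blocked CIFS transfers from both the utm-cifs and utm-virus categories; the sample lines are abridged from the logs on this page, and the field names are the ones those logs carry.

```python
"""Parse FortiOS key=value log lines and extract CIFS transfers that were
blocked, either by the CIFS profile file filter (subtype=cifs) or by the
antivirus profile (subtype=virus). Example code written for this page."""
import re
from typing import Dict, List

# key=value pairs: the value is either "quoted" (may contain spaces and
# backslash escapes such as \\ in Windows paths) or a bare token.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Turn one log line into a dict; quoted values are unescaped."""
    fields = {}
    for key, value in _PAIR.findall(line):
        if value.startswith('"'):
            value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        fields[key] = value
    return fields


def blocked_cifs_transfers(lines: List[str]) -> List[Dict[str, str]]:
    """Keep UTM cifs/virus events over CIFS/SMB with action=blocked."""
    out = []
    for line in lines:
        f = parse_fortios_log(line)
        if f.get("type") != "utm" or f.get("action") != "blocked":
            continue
        if f.get("subtype") not in ("cifs", "virus"):
            continue
        if f.get("service") not in ("CIFS", "SMB"):
            continue
        if f["subtype"] == "cifs":
            reason = f"file filter entry {f.get('filtername')} ({f.get('filetype')})"
        else:
            reason = f"{f.get('eventtype')}: {f.get('virus')}"
        out.append({
            "time": f"{f['date']} {f['time']}",
            "src": f.get("srcip", ""), "dst": f.get("dstip", ""),
            "filename": f.get("filename", ""),
            "reason": reason,
        })
    return out


def count_blocked_by_src(lines: List[str]) -> Dict[str, int]:
    """Blocked transfers per source address, a simple triage view."""
    counts: Dict[str, int] = {}
    for ev in blocked_cifs_transfers(lines):
        counts[ev["src"]] = counts.get(ev["src"], 0) + 1
    return counts


SAMPLE_LOGS = [  # abridged from the sample log lines on this page
    r'date=2019-03-28 time=10:39:19 logid="1800063001" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="notice" msg="File was detected by file filter." direction="incoming" action="passthrough" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 profile="cifs" filesize="1154" filename="virus\\test.png" filtername="2" filetype="png"',
    r'date=2019-03-28 time=10:33:55 logid="1800063000" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="warning" msg="File was blocked by file filter." direction="incoming" action="blocked" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 profile="cifs" filesize="28432" filename="filetypes\\mpnotify.exe" filtername="3" filetype="exe"',
    r'date=2019-04-09 time=15:18:59 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" msg="File is infected." action="blocked" service="SMB" srcip=10.1.100.11 dstip=172.16.200.44 direction="incoming" filename="sample\\eicar.com" virus="EICAR_TEST_FILE" dtype="Virus" profile="av"',
]

if __name__ == "__main__":
    for ev in blocked_cifs_transfers(SAMPLE_LOGS):
        print(ev)
    print(count_blocked_by_src(SAMPLE_LOGS))
```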
