Fortinet Document Library

New Features

6.4.0
Scan compressed messages over CIFS protocol in proxy mode 6.4.2

The CIFS protocol now supports message compression, and FortiGates can decompress and scan these compressed messages in proxy mode. The following compression algorithms are supported:

  • LZNT1
  • LZ77
  • LZ77+Huffman

This feature is supported on Windows 10 and Windows Server 2019 with update version 1809 and later.

The following example uses Ubuntu 20.04 as an SMB client and Windows 10 as an SMB server. A Python script is used on the client for message compression.

To scan messages using the CIFS protocol in proxy mode:
  1. Create a file filter profile using proxy mode for CIFS and apply it to a policy (see File filter for more information).

    Traffic is blocked by the file filter in this example:

  2. Verify that the WAD recognizes the compressed message:
    # diagnose wad debug enable level verbose
    # diagnose wad debug enable category cifs
    cifs_nbss_identify_protocol(583): nbss detected encapsulated compressed smb3 message
    smb2_nbss_alloc(1108): smb2 nbss 0x7ff471b0a1a0 allocated
    smb2_parse_stream(5337): smb2 parsing 118 plain-text bytes
    smb2_parsing_alloc(1551): smb2 parsing 0x7ff4709fbcb0 allocated
    smb2_payload_alloc(1025): smb2 payload 0x7ff470678e00 allocated
    smb2_msg_alloc(1612): smb2 message 0x7ff471aadd70 allocated
    smb2_hdr_print(1707): smb2 CON Request  [mid 3, sid 35184372088853, tid 0, st 0, r 0]
    smb2_parse_message(5249): smb2 processing 118 message bytes
  3. Verify the UTM log:
    1: date=2020-07-08 time=16:10:26 logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="root" eventtime=1594249826958143704 tz="-0700" policyid=1 sessionid=18382 srcip=10.1.100.66 srcport=58004 srcintf="port21" srcintfrole="undefined" dstip=172.16.200.150 dstport=445 dstintf="port23" dstintfrole="undefined" proto=6 service="CIFS" profile="filefilter" direction="outgoing" action="blocked" filtername="1" filename="test.doc" filesize=19456 filetype="msoffice" msg="File was blocked by file filter."
  4. Use Python to generate CIFS traffic with each of the compression algorithms. The compressed message and the compression algorithm used are visible in the packet capture.
    • LZNT1:

    • LZ77:

    • LZ77+Huffman:
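The detection in step 2 and the capture inspection in step 4 both rely on recognizing the SMB2 compression transform header that wraps a compressed SMB3 message. The following parser is an added example, not the Python script referred to above and not FortiGate code: it classifies a NetBIOS session frame as plain, encrypted or compressed SMB and reports the algorithm, using the COMPRESSION_TRANSFORM_HEADER layout from MS-SMB2 (section 2.2.42). The sample frame is constructed inline and its "compressed" bytes are filler, not real LZNT1 output.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"             # plain SMB2/SMB3 header
SMB2_ENCRYPTED_MAGIC = b"\xfdSMB"   # SMB3 TRANSFORM_HEADER (encrypted message)
SMB2_COMPRESSED_MAGIC = b"\xfcSMB"  # SMB3 COMPRESSION_TRANSFORM_HEADER

# CompressionAlgorithm values from MS-SMB2 2.2.42
COMPRESSION_ALGORITHMS = {
    0x0000: "NONE", 0x0001: "LZNT1", 0x0002: "LZ77",
    0x0003: "LZ77+Huffman", 0x0004: "Pattern_V1",
}
FLAG_CHAINED = 0x0001


def parse_nbss_frame(frame: bytes) -> dict:
    """Classify one NetBIOS Session Service frame (4-byte NBSS header + SMB body)."""
    if len(frame) < 4 or frame[0] != 0x00:
        return {"kind": "not-nbss-session-message"}
    nbss_len = int.from_bytes(frame[1:4], "big")   # 24-bit big-endian length
    body = frame[4:]
    if len(body) != nbss_len:
        return {"kind": "truncated", "expected": nbss_len, "got": len(body)}
    magic = body[:4]
    if magic == SMB2_MAGIC:
        return {"kind": "smb2-plaintext", "length": nbss_len}
    if magic == SMB2_ENCRYPTED_MAGIC:
        return {"kind": "smb3-encrypted", "length": nbss_len}
    if magic != SMB2_COMPRESSED_MAGIC:
        return {"kind": "unknown", "magic": magic.hex()}
    if len(body) < 16:
        return {"kind": "compressed-malformed", "reason": "short transform header"}
    # OriginalCompressedSegmentSize, CompressionAlgorithm, Flags, Offset/Length
    orig_size, algo, flags, offset = struct.unpack_from("<IHHI", body, 4)
    result = {
        "kind": "smb3-compressed",
        "algorithm": COMPRESSION_ALGORITHMS.get(algo, f"unknown(0x{algo:04x})"),
        "chained": bool(flags & FLAG_CHAINED),
        "original_size": orig_size,
        "offset": offset,
        "payload_len": len(body) - 16,
    }
    # Unchained form: 'offset' plain-text bytes precede the compressed data and must fit in the frame.
    if not result["chained"] and offset > result["payload_len"]:
        result["kind"] = "compressed-malformed"
        result["reason"] = "offset exceeds payload length"
    return result


def build_compressed_frame(algorithm: int, plain_prefix: bytes, payload: bytes, original_size: int) -> bytes:
    """Constructed unchained compressed SMB3 frame for testing; 'payload' is filler, not real compressed data."""
    hdr = SMB2_COMPRESSED_MAGIC + struct.pack("<IHHI", original_size, algorithm, 0, len(plain_prefix))
    body = hdr + plain_prefix + payload
    return b"\x00" + len(body).to_bytes(3, "big") + body
```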
