CIFS Support
This version supports file-type filtering and antivirus scanning for proxy-based inspection on CIFS traffic.
File filtering for CIFS inspects the first 4 kB of the file to identify the file's magic number. If a match occurs, CIFS file filtering prevents the CIFS command that contains that file from running.
This feature also introduces a new security profile, cifs-profile, which handles the configuration for file-type filtering on CIFS.
The antivirus profile still handles the antivirus configuration for CIFS scanning.
Requirements
The firewall policy must be set to proxy inspection mode for a CIFS profile to be available for assignment to the policy.
The following are not supported by CIFS scanning in proxy inspection mode:
- File types and infections within archive files cannot be detected.
- Oversized files cannot be detected.
- Special-condition archive files (encrypted, corrupted, mailbomb, etc.) flagged by the AV engine are blocked automatically.
- IPv6 CIFS traffic is not supported.
Sample configuration
You must use the CLI to configure this feature.
CIFS domain controller configuration
The domain controller configuration is required when CIFS traffic is encrypted, as it is with SMB 3.0.
This configuration tells the FortiGate the location of the domain controller in the network and the superuser credentials; both are needed to decrypt SMB 3.0 traffic.
FGT_PROXY (vdom1) # config cifs
domain-controller    Define known domain controller servers.
profile              Configure CIFS profile.

FGT_PROXY (vdom1) # config cifs domain-controller
FGT_PROXY (domain-controller) # edit DOMAIN
new entry 'DOMAIN' added
FGT_PROXY (DOMAIN) # set ?
*domain-name    Fully qualified domain name (FQDN). E.g. 'EXAMPLE.COM'.
*username       User name to sign in with. Must have proper permissions for service.
*password       Password for specified username.
port            Port number of service. Port number 0 indicates automatic discovery.
ip              IPv4 server address.
ip6             IPv6 server address.
FGT_PROXY (DOMAIN) # show
config cifs domain-controller
    edit "DOMAIN"
        set domain-name "EXAMPLE.COM"
        set username "admin-super"
        set password ENC 1mKKNo0z95t/+9B9IisyLsSfevTNRePp6mFk+dtDdZ7r2V8CYUrXp7kcxVauWpdHYlQsrY8g2Ypo+UYDsBUxELDpfLYC7C31rCm6WD0jYiRcQ/kZhWpwB5Dl3W7Z9865r/ntVu1YCsWex/+MnnMYyzFXaNJriXuPLYKEv2fe79NpmSuvouEMvc6zgPPBbXE+28SHzA==
        set ip 172.16.201.40
    next
end
Sample profile configuration for deep CIFS inspection (for SMB 3.0)
FGT_PROXY (vdom1) # config cifs profile
FGT_PROXY (profile) # edit cifs
FGT_PROXY (cifs) # set ?
*server-credential-type    CIFS server credential type.
FGT_PROXY (cifs) # set server-credential-type ?
none                      Credential derivation not set.
credential-replication    Credential derived using Replication account on Domain Controller.
credential-keytab         Credential derived using server keytab.
No-Encryption
none is the default value of the CIFS profile's server-credential-type parameter. When none is set, the CIFS profile assumes the CIFS traffic is unencrypted (as with SMB 2.0).
Account-Replication
With this method, FortiOS obtains the session key needed to decrypt CIFS traffic from the domain controller by logging in with the superuser account.
When credential-replication is set, the domain-controller parameter becomes available and a domain controller must be specified.
For an example of the domain controller entry, see the CIFS domain controller configuration section above.
FGT_PROXY (vdom1) # config cifs profile
FGT_PROXY (profile) # edit cifs
FGT_PROXY (cifs) # set server-credential-type credential-replication
FGT_PROXY (cifs) # set ?
*server-credential-type    CIFS server credential type.
*domain-controller         Domain for which to decrypt CIFS traffic.
FGT_PROXY (cifs) # set domain-controller ?
<string>    please input string value
DOMAIN      domain-controller
FGT_PROXY (cifs) # set domain-controller DOMAIN
FGT_PROXY (cifs) # show
config cifs profile
    edit "cifs"
        set server-credential-type credential-replication
        config file-filter
            config entries
            end
        end
        set domain-controller "DOMAIN"
    next
end
Keytab
With this method, FortiOS uses a set of keytab values to decrypt CIFS traffic. Use it when the SMB connection is authenticated by Kerberos.
When credential-keytab is set, the server-keytab table becomes available and keytab entries can be configured.
Keytab values are stored in the FortiOS configuration in plain text.
FGT_PROXY (vdom1) # config cifs profile
FGT_PROXY (profile) # edit cifs
FGT_PROXY (cifs) # set server-credential-type credential-keytab
FGT_PROXY (cifs) # config
file-filter      File filter.
server-keytab    Server keytab.
FGT_PROXY (cifs) # config server-keytab
FGT_PROXY (server-keytab) # edit keytab1
FGT_PROXY (keytab1) # set ?
*keytab    Base64 encoded keytab file containing credential of the server.
FGT_PROXY (keytab1) # set keytab BQIAAABFAAEAC0VYQU1QTEUuQ09NAAdleGFtcGxlAAAAAVUmAlwBABIAILdV5P6NXT8RrTvapcMJQxDYCjRQiD0BzxhwS9h0VgyM
FGT_PROXY (keytab1) # end
FGT_PROXY (cifs) # show
config cifs profile
    edit "cifs"
        set server-credential-type credential-keytab
        config file-filter
        end
        config server-keytab
            edit "keytab1"
                set keytab "BQIAAABFAAEAC0VYQU1QTEUuQ09NAAdleGFtcGxlAAAAAVUmAlwBABIAILdV5P6NXT8RrTvapcMJQxDYCjRQiD0BzxhwS9h0VgyM"
            next
        end
    next
end
CIFS profile file filtering
This filter has two configurable parameters:
- status - Enables or disables the file filter. Default is enable.
- log - Enables or disables CIFS event logs when a file is detected. Default is enable.
FGT_PROXY (vdom1) # config cifs profile
FGT_PROXY (profile) # edit cifs
FGT_PROXY (cifs) # config file-filter
FGT_PROXY (file-filter) # set ?
status    Enable/disable file filter.
log       Enable/disable file filter logging.
FGT_PROXY (file-filter) # set status ?
enable     Enable file filter.
disable    Disable file filter.
FGT_PROXY (file-filter) # set log ?
enable     Enable file filter logging.
disable    Disable file filter logging.
CIFS profile file filter entries
The configurable parameters for each entry are:
- action - Blocks or monitors the detected file type. Default is log.
- direction - Sets the direction of traffic to which the filter is applied. Default is any.
- file-type - The file type to be detected. Default is blank (unset).
FGT_PROXY (file-filter) # config entries
FGT_PROXY (entries) # edit 1
FGT_PROXY (1) # set ?
comment      Comment.
action       Action taken for matched file.
direction    Match files transmitted in the session's originating or reply direction.
file-type    Select file type.
FGT_PROXY (1) # set action ?
log      Allow the content and write a log message.
block    Block the content and write a log message.
FGT_PROXY (1) # set direction ?
incoming    Match files transmitted in the session's originating direction.
outgoing    Match files transmitted in the session's reply direction.
any         Match files transmitted in the session's originating and reply direction.
FGT_PROXY (1) # set file-type ?
name          File type name.
7z            Match 7-zip files.
arj           Match arj compressed files.
cab           Match Windows cab files.
lzh           Match lzh compressed files.
rar           Match rar archives.
tar           Match tar files.
zip           Match zip files.
bzip          Match bzip files.
gzip          Match gzip files.
bzip2         Match bzip2 files.
xz            Match xz files.
bat           Match Windows batch files.
msc           Match msc files.
uue           Match uue files.
mime          Match mime files.
base64        Match base64 files.
binhex        Match binhex files.
bin           Match bin files.
elf           Match elf files.
exe           Match Windows executable files.
hta           Match hta files.
html          Match html files.
jad           Match jad files.
class         Match class files.
cod           Match cod files.
javascript    Match javascript files.
msoffice      Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex     Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
fsg           Match fsg files.
upx           Match upx files.
petite        Match petite files.
aspack        Match aspack files.
prc           Match prc files.
sis           Match sis files.
hlp           Match Windows help files.
activemime    Match activemime files.
jpeg          Match jpeg files.
gif           Match gif files.
tiff          Match tiff files.
png           Match png files.
bmp           Match bmp files.
ignored       Match ignored files.
unknown       Match unknown files.
mpeg          Match mpeg files.
mov           Match mov files.
mp3           Match mp3 files.
wma           Match wma files.
wav           Match wav files.
pdf           Match Acrobat pdf files.
avi           Match avi files.
rm            Match rm files.
torrent       Match torrent files.
msi           Match Windows Installer msi files.
mach-o        Match Mach object files.
dmg           Match Apple disk image files.
.net          Match .NET files.
xar           Match xar archive files.
chm           Match Windows compiled HTML help files.
iso           Match ISO archive files.
crx           Match Chrome extension files.
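As an added illustration (not FortiOS code), the following models the decision described on this page: identify the file type from a magic number found in the first 4 kB of content, ignoring the filename, then apply the file-filter entries (file-type, direction, action) in order. The signatures and the two entries are constructed assumptions; the real engine recognises the full file-type list above.

```python
# Added illustration, not FortiOS code: a minimal model of the CIFS file
# filter decision. Only the first 4 kB of the file is examined for a magic
# number; the filename and its extension play no part. Entries are then
# walked in order and the first hit decides the action.
INSPECT_BYTES = 4096

# Constructed samples: (CLI file-type name, offset of signature, signature)
MAGIC = [
    ("exe",  0,   b"MZ"),
    ("elf",  0,   b"\x7fELF"),
    ("png",  0,   b"\x89PNG\r\n\x1a\n"),
    ("jpeg", 0,   b"\xff\xd8\xff"),
    ("pdf",  0,   b"%PDF-"),
    ("zip",  0,   b"PK\x03\x04"),
    ("gzip", 0,   b"\x1f\x8b"),
    ("tar",  257, b"ustar"),  # signature sits inside the 4 kB window
]

def identify(data: bytes) -> str:
    """Return the CLI file-type name for the content, or 'unknown'."""
    head = data[:INSPECT_BYTES]
    for name, offset, sig in MAGIC:
        if head[offset:offset + len(sig)] == sig:
            return name
    return "unknown"  # an entry with file-type 'unknown' can still match this

def evaluate(data: bytes, direction: str, entries: list) -> tuple:
    """Apply file-filter entries to one transferred file.

    direction is 'incoming' or 'outgoing' (the session's originating or
    reply direction). Returns (action, file-type, entry id); action is
    'block', 'log' or, when no entry matches, 'allow'.
    """
    ftype = identify(data)
    for entry in entries:
        if entry["file-type"] != ftype:
            continue
        if entry["direction"] not in ("any", direction):
            continue
        return entry["action"], ftype, entry["id"]
    return "allow", ftype, None

# Constructed entries in the shape of 'config file-filter' / 'config entries':
# entry 2 logs PNGs in either direction, entry 3 blocks incoming executables.
ENTRIES = [
    {"id": 2, "file-type": "png", "direction": "any",      "action": "log"},
    {"id": 3, "file-type": "exe", "direction": "incoming", "action": "block"},
]
```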
Change to antivirus profile
This version makes a minor change to the antivirus profile: the previous config smb section is now config cifs.
FGT_PROXY (av) # show full-configuration
config antivirus profile
    edit "av"
        set comment ''
        set replacemsg-group ''
        set mobile-malware-db enable
        ...
        config cifs
            set options scan quarantine
            unset archive-block
            unset archive-log
            set emulator enable
            set outbreak-prevention full-archive
        end
    next
end
Logs & Report
This feature includes a new UTM log category type, utm-cifs, which logs the file-type detection events generated by cifs-profile.
Antivirus detection over the CIFS protocol still generates logs under the utm-virus category.
FGT_PROXY (vdom1) # execute log filter category
Available categories:
    0: traffic
    1: event
    2: utm-virus
    3: utm-webfilter
    4: utm-ips
    5: utm-emailfilter
    7: utm-anomaly
    8: utm-voip
    9: utm-dlp
    10: utm-app-ctrl
    12: utm-waf
    15: utm-dns
    16: utm-ssh
    17: utm-ssl
    18: utm-cifs
Logs generated by CIFS profile file filter:
date=2019-03-28 time=10:39:19 logid="1800063001" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="notice" vd="vdom1" eventtime=1553794757 msg="File was detected by file filter." direction="incoming" action="passthrough" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33372 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="1154" filename="virus\\test.jpg" filtername="2" filetype="png"
date=2019-03-28 time=10:39:12 logid="1800063001" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="notice" vd="vdom1" eventtime=1553794751 msg="File was detected by file filter." direction="incoming" action="passthrough" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33370 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="81975" filename="virus\\screen.jpg" filtername="2" filetype="png"
date=2019-03-28 time=10:33:55 logid="1800063000" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="warning" vd="vdom1" eventtime=1553794434 msg="File was blocked by file filter." direction="incoming" action="blocked" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33352 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="28432" filename="filetypes\\mpnotify.exe" filtername="3" filetype="exe"
date=2019-03-28 time=10:33:45 logid="1800063000" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="warning" vd="vdom1" eventtime=1553794424 msg="File was blocked by file filter." direction="incoming" action="blocked" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33348 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="96528" filename="filetypes\\winmine.exe" filtername="3" filetype="exe"
Logs generated by AV profile for infections detected over CIFS:
date=2019-04-09 time=15:19:02 logid="0204008202" type="utm" subtype="virus" eventtype="outbreak-prevention" level="warning" vd="vdom1" eventtime=1554848342519005401 msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="SMB" sessionid=177 srcip=10.1.100.11 dstip=172.16.200.44 srcport=37444 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="outbreak\\zhvo_test.com" quarskip="File-was-not-quarantined." virus="503e99fe40ee120c45bc9a30835e7256fff3e46a" dtype="File Hash" filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" profile="av" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
date=2019-04-09 time=15:18:59 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1554848339909808987 msg="File is infected." action="blocked" service="SMB" sessionid=174 srcip=10.1.100.11 dstip=172.16.200.44 srcport=37442 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="sample\\eicar.com" quarskip="File-was-not-quarantined." virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="av" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
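As an added example (not FortiOS code or output), this parses the FortiOS key=value log format used by the utm-cifs and utm-virus records above and pulls out the files blocked over CIFS/SMB, plus file-filter hits whose detected type does not match the filename's extension. The embedded records are shortened copies of the page's samples, constructed as test input; the helper names are assumptions.

```python
import re

# Added example, not FortiOS code: parse FortiOS key=value log records like
# the utm-cifs and utm-virus samples above and pull out the blocked files.
# Constructed input: shortened copies of the page's records. Quoted values
# escape a backslash as '\\', hence the raw string.
SAMPLE_LOGS = r"""
date=2019-03-28 time=10:39:19 logid="1800063001" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="notice" action="passthrough" srcip=10.1.100.11 dstip=172.16.200.44 dstport=445 profile="cifs" filename="virus\\test.jpg" filtername="2" filetype="png"
date=2019-03-28 time=10:33:55 logid="1800063000" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="warning" action="blocked" srcip=10.1.100.11 dstip=172.16.200.44 dstport=445 profile="cifs" filename="filetypes\\mpnotify.exe" filtername="3" filetype="exe"
date=2019-04-09 time=15:18:59 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" action="blocked" service="SMB" srcip=10.1.100.11 dstip=172.16.200.44 dstport=445 filename="sample\\eicar.com" virus="EICAR_TEST_FILE" profile="av"
"""
# key=value pairs; a value is either "quoted" (with \" and \\ escapes) or a bare token
FIELD = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line: str) -> dict:
    """Turn one FortiOS log line into a dict, unescaping quoted values."""
    rec = {}
    for key, val in FIELD.findall(line):
        if val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # drop quotes, unescape
        rec[key] = val
    return rec

def parse_logs(text: str) -> list:
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def blocked_files(records: list) -> list:
    """(subtype, srcip, filename, reason) for every file blocked over CIFS/SMB."""
    out = []
    for r in records:
        if r.get("action") != "blocked" or r.get("subtype") not in ("cifs", "virus"):
            continue
        if r["subtype"] == "cifs":   # file filter: explained by type and entry id
            reason = "filetype=%s entry=%s" % (r["filetype"], r["filtername"])
        else:                        # antivirus: explained by the signature name
            reason = "virus=%s" % r["virus"]
        out.append((r["subtype"], r["srcip"], r["filename"], reason))
    return out

def extension_mismatches(records: list) -> list:
    """File-filter hits where the detected type differs from the name's extension."""
    alias = {"jpg": "jpeg", "htm": "html", "tgz": "gzip"}  # extension -> CLI type
    hits = []
    for r in records:
        if r.get("eventtype") != "cifs-filefilter":
            continue
        ext = r["filename"].rsplit(".", 1)[-1].lower()
        if alias.get(ext, ext) != r["filetype"]:  # e.g. PNG content named test.jpg
            hits.append((r["filename"], ext, r["filetype"]))
    return hits
```

The extension check reflects what the first sample record shows: the filter classified virus\test.jpg as png from its content, so the name alone would have misled a reviewer.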