CIFS support
Antivirus scanning on Common Internet File System (CIFS) traffic is supported in flow-based and proxy-based inspection. The file filter profile handles the configuration of file filtering on CIFS. The antivirus profile handles the antivirus configuration for CIFS scanning.
File filtering for CIFS is performed by inspecting the first 4 KB of the file to identify the file's magic number. If a match occurs, CIFS file filtering prevents the CIFS command that contains that file from running. The file filter functions differently for un-encrypted and encrypted CIFS traffic:
-
For un-encrypted CIFS traffic, the standalone file filter works in flow and proxy mode.
-
For encrypted CIFS traffic, the CIFS profile must be enabled in the firewall policy because the SMB server’s credential settings are still be configured in CIFS profile. Using the standalone file filter only works in proxy mode.
For a CIFS profile to be available for assignment in a policy, the policy must use proxy inspection mode. See Proxy mode inspection for details. Note that in proxy inspection mode, special condition archive files (encrypted, corrupted, mailbomb, and so on) marked by the antivirus engine are blocked automatically.
Messages that are compressed with LZNT1, LZ77, and LZ77+Huffman algorithms can be scanned in proxy mode.
Configure file-type filtering and antivirus scanning on CIFS traffic
To configure file-type filtering and antivirus scanning on CIFS traffic:
Configure a CIFS domain controller
The domain controller must be configured when CIFS traffic is encrypted. The configuration tells the FortiGate the network location of the domain controller and the superuser credentials.
For FortiGate to retrieve the domain information, the user needs to grant Replicating Directory Changes permissions in the Domain Controller (DC). See How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account for more information. |
To configure the CIFS domain controller:
config user domain-controller edit "SERVER_NAME" set hostname "host" set domain-name "EXAMPLE.COM" set username "admin-super" set password ********* set ip 172.16.201.40 next end
Configure a CIFS profile
To create a CIFS profile, configure the server credential type and create a file filter profile.
Set the CIFS server credential type
The CIFS server credential type can be none
, credential-replication
, or credential-keytab
.
none
The CIFS profile assumes the CIFS traffic is unencrypted. This is the default value.
config firewall profile-protocol-options edit "cifs" config cifs set server-credential-type none end next end
credential-replication
To decrypt CIFS traffic, FortiOS obtains the session key from the domain controller by logging in to the superuser account. The domain controller must be configured.
config firewall profile-protocol-options edit "cifs" config cifs set server-credential-type credential-replication set domain-controller "SERVER_NAME" end next end
Variable |
Description |
---|---|
domain-controller <string> |
The previously configured domain to decrypt CIFS traffic for. |
credential-keytab
To decrypt CIFS traffic, FortiOS uses a series of keytab values. This method is used when the SMB connection is authenticated by Kerberos. Keytab entries must be configured, and are stored in FortiOS in plaintext.
config firewall profile-protocol-options edit "cifs" config cifs set server-credential-type credential-keytab config server-keytab edit "keytab1" set keytab "BQIAAABFAAEAC0VYQU1QTEUuQ09NAAdleGFtcGxlAAAAAVUmAlwBABIAILdV5P6NXT8RrTvapcMJQxDYCjRQiD0BzxhwS9h0VgyM" next end end next end
Variable |
Description |
---|---|
keytab <keytab> |
Base64 encoded keytab file containing the credentials of the server. |
Configure CIFS file filtering
Multiple rules can be added to a file filter profile. See File filter.
To configure a file filter for CIFS traffic:
config file-filter profile edit "cifs" set comment "block zip files on unencrypted cifs traffic" set feature-set flow set replacemsg-group '' set log enable config rules edit "rule1" set protocol cifs set action block set direction any set password-protected any set file-type zip next end next end
Variable |
Description |
---|---|
comment <string> |
A brief comment describing the entry. |
feature-set {flow | proxy} |
Flow or proxy mode feature set (default = |
replacemsg-group <string> |
Replacement message group. |
log {enable | disable} |
Enable/disable file filter logging (default = |
scan-archive-contents [enable | disable] |
Enable/disable scanning of archive contents (default = |
protocol {http ftp smtp imap pop3 mapi cifs ssh} |
Filter based on the specified protocol(s). |
action {log-only | block} |
The action to take for matched files:
|
direction {incoming | outgoing | any} |
Match files transmitted in the session's originating ( |
password-protected [yes | any] |
Match only password-protected files ( |
file-type <file_type> |
The file types to be matched. See Supported file types for details. |
Configure an antivirus profile
The antivirus profile handles the antivirus configuration for CIFS scanning.
To configure an antivirus profile:
config antivirus profile edit "av" ... config cifs set av-scan {disable | block | monitor} set outbreak-prevention {disable | block | monitor} set external-blocklist {disable | block | monitor} set quarantine {enable | disable} set archive-block {encrypted corrupted partiallycorrupted multipart nested mailbomb fileslimit timeout unhandled} set archive-log {encrypted corrupted partiallycorrupted multipart nested mailbomb fileslimit timeout unhandled} set emulator {enable | disable} end next end
Variable |
Description |
---|---|
av-scan |
Enable antivirus scan service:
|
outbreak-prevention {disable | block | monitor} |
Enable the virus outbreak prevention service:
|
external-blocklist {disable | block | monitor} |
Enable the external blocklist:
|
quarantine {enable | disable} |
Enable/disable quarantine for infected files (default = |
archive-block {encrypted corrupted partiallycorrupted multipart nested mailbomb fileslimit timeout unhandled} |
Select the archive types to block:
|
archive-log {encrypted corrupted partiallycorrupted multipart nested mailbomb fileslimit timeout unhandled} |
Select the archive types to log:
|
emulator {enable | disable} |
Enable/disable the virus emulator (default = |
Log samples
File-type detection events generated by CIFS profiles are logged in the utm-file-filter
log category. Antivirus detection over the CIFS protocol generates logs in the utm-virus
category. See the FortiOS Log Message Reference for more information.
Logs generated by CIFS profile file filter:
date=2024-01-02 time=10:47:30 eventtime=1704221249421998774 tz="-0800" logid="1900064001" type="utm" subtype="file-filter" eventtype="file-filter" level="notice" vd="root" policyid=1 poluuid="f4fe48a4-938c-51ee-8856-3e84e3b24af4" policytype="policy" sessionid=3985 srcip=13.13.13.13 srcport=49481 srccountry="United States" srcintf="port2" srcintfrole="undefined" srcuuid="d2f06fda-15e7-51ee-0d22-faaf5170dad2" dstip=104.21.235.207 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="d2f06fda-15e7-51ee-0d22-faaf5170dad2" proto=6 service="HTTPS" profile="default" direction="incoming" action="log-only" url="https://png2.cleanpng.com/dy/transparent.png" hostname="png2.cleanpng.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" httpmethod="GET" referralurl="https://www.cleanpng.com/" rulename="2" filename="transparent.png" filesize=803672 filetype="png" msg="File was detected by file filter."
date=2024-01-02 time=10:52:01 eventtime=1704221520563734347 tz="-0800" logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="root" policyid=1 poluuid="f4fe48a4-938c-51ee-8856-3e84e3b24af4" policytype="policy" sessionid=4371 srcip=13.13.13.13 srcport=49639 srccountry="United States" srcintf="port2" srcintfrole="undefined" srcuuid="d2f06fda-15e7-51ee-0d22-faaf5170dad2" dstip=104.21.235.207 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="d2f06fda-15e7-51ee-0d22-faaf5170dad2" proto=6 service="HTTPS" profile="default" direction="incoming" action="blocked" url="https://png2.cleanpng.com/dy/realistic.png" hostname="png2.cleanpng.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" httpmethod="GET" referralurl="https://www.cleanpng.com/" rulename="2" filename="realistic.png" filesize=3371220 filetype="png" msg="File was blocked by file filter."
Logs generated by AV profile for infections detected over CIFS:
date=2019-04-09 time=15:19:02 logid="0204008202" type="utm" subtype="virus" eventtype="outbreak-prevention" level="warning" vd="vdom1" eventtime=1554848342519005401 msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="SMB" sessionid=177 srcip=10.1.100.11 dstip=172.16.200.44 srcport=37444 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="outbreak\\zhvo_test.com" quarskip="File-was-not-quarantined." virus="503e99fe40ee120c45bc9a30835e7256fff3e46a" dtype="File Hash" filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" profile="av" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
date=2019-04-09 time=15:18:59 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1554848339909808987 msg="File is infected." action="blocked" service="SMB" sessionid=174 srcip=10.1.100.11 dstip=172.16.200.44 srcport=37442 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="sample\\eicar.com" quarskip="File-was-not-quarantined." virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="av" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"