Port 445 Outbound

I have an M270 with the latest Fireware 12.9.2

My question is this, does M270 block outbound traffic on port 445 by default?

I'm asking because of this new Outlook vulnerability:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

Mitigations
Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings.

I have IKEv2 configured too. How does the vulnerability affect my VPN users connecting to the LAN from remote locations?

Comments

  • edited March 2023

    There are 2 defaults:
    . the default stance of the firewall, which is to prevent all packet types crossing routed interfaces without a policy allowing them
    and
    . the default config which includes an Outgoing policy, which allows out all TCP & UDP packets - and thus allow out SMB.

    You can add a predefined SMB packet filter, From: Any-trusted, Any-optional To: Any-external, set to Denied
    Move this policy to or near the top of your policy list

  • edited March 2023

    If I understand your reply correctly, the first point means by default all traffic is not allowed (both directions) unless there is a policy allowing it.

    I disabled the default Outgoing policy on day 1. That ought to be enough to block SMB outbound packets without manually adding a packet filter as you suggested, right?

  • Unless some other policy is allowing it, correct.
    And you should see deny log entries for SMB packets in Traffic Monitor.
    If you never do, it suggests that some policy is allowing them.

    I have a specific SMB policy set to Denied, and to not log, so I no longer see any in Traffic Monitor.

    I just tried Policy Checker in the Web UI for TCP port 445, and got inconclusive results, even though I have it specifically denied. Odd...

  • I've never heard of (or used) Policy Checker. I don't use Web UI often.

    I didn't see SMB packets in Traffic Monitor earlier today. Even after adding SMB packet filter policy with logging enabled, I still don't see any outgoing traffic on port 445. The only thing I didn't do is moving the SMB policy to the top because I'm in automatic order mode. SMB policy is near the bottom (3rd from the bottom).

    Is it normal to not see port 445 packets in this scenario?

  • I see one denied packet from a VPN client 192.168.114.2 to server IP on port 445. TCP syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead).

  • I have changed my SMB Deny policy to log denies.
    I'm not seeing any denies.
    A good number of years ago, Windows PCs seemed to send out lots of SMB packets regularly, often to the Internet.
    Looks like this has finally stopped across routed interfaces, or perhaps because of my current network setup.
    I'm sure that it is still happening on my local LAN interface when doing Map Network Drive etc.

Sign In to comment.