naveenk
Staff
Article Id 190178
Description
This article describes compression methods in the CIFS protocol.

Scope
For version 6.4.2.

Solution
With the newly added compression methods in the CIFS protocol, FortiGates can scan these compressed messages in proxy mode.
The following compression algorithms are supported:

- LZNT1.
- LZ77.
- LZ77+Huffman.

This feature is supported on Windows 10 and Windows Server 2019 with update version 1809 and later.
The following example uses Ubuntu 20.04 as an SMB client and Windows 10 as an SMB server.
A Python script is used on the client for message compression.

To scan messages using the CIFS protocol in proxy mode:

1) Create a file filter profile using proxy mode for CIFS and apply it to a policy.

Traffic is blocked by the file filter in this example:





2) Verify that the WAD recognizes the compressed message:
# diagnose wad debug enable level verbose
# diagnose wad debug enable category cifs
cifs_nbss_identify_protocol(583): nbss detected encapsulated compressed smb3 message
smb2_nbss_alloc(1108): smb2 nbss 0x7ff471b0a1a0 allocated
smb2_parse_stream(5337): smb2 parsing 118 plain-text bytes
smb2_parsing_alloc(1551): smb2 parsing 0x7ff4709fbcb0 allocated
smb2_payload_alloc(1025): smb2 payload 0x7ff470678e00 allocated
smb2_msg_alloc(1612): smb2 message 0x7ff471aadd70 allocated
smb2_hdr_print(1707): smb2 CON Request  [mid 3, sid 35184372088853, tid 0, st 0, r 0]
smb2_parse_message(5249): smb2 processing 118 message bytes.

3) Verify the UTM log:
1: date=2020-07-08 time=16:10:26 logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" level="warning" vd="root" eventtime=1594249826958143704 tz="-0700" policyid=1 sessionid=18382 srcip=10.1.100.66 srcport=58004 srcintf="port21" srcintfrole="undefined" dstip=172.16.200.150 dstport=445 dstintf="port23" dstintfrole="undefined" proto=6 service="CIFS" profile="filefilter" direction="outgoing" action="blocked" filtername="1" filename="test.doc" filesize=19456 filetype="msoffice" msg="File was blocked by file filter."
- Use Python for CIFS traffic with different compression algorithms. The compressed message and the compression algorithm are visible in the packet capture.
- LZNT1:
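
To check a captured frame by hand, the following added example (not part of the original article and not Fortinet code) parses the direct-TCP framing and the SMB2 compression transform header to report which algorithm a message uses. The field layout and algorithm IDs follow the MS-SMB2 specification; the function names, the `in_article_list` field and the sample frames are constructed for illustration.

```python
import struct

# CompressionAlgorithm IDs from MS-SMB2; only the three algorithms the article lists.
ARTICLE_ALGORITHMS = {0x0001: "LZNT1", 0x0002: "LZ77", 0x0003: "LZ77+Huffman"}
PLAIN, ENCRYPTED, COMPRESSED = b"\xfeSMB", b"\xfdSMB", b"\xfcSMB"


def classify_frame(frame: bytes) -> dict:
    """Classify one directly framed SMB message as seen on TCP/445."""
    # Framing: one zero byte, then a 24-bit big-endian payload length.
    if len(frame) < 8 or frame[0] != 0x00:
        raise ValueError("not an SMB session message frame")
    length = int.from_bytes(frame[1:4], "big")
    payload = frame[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated frame")
    magic = payload[:4]
    if magic == PLAIN:
        return {"kind": "plain"}
    if magic == ENCRYPTED:
        return {"kind": "encrypted"}
    if magic != COMPRESSED:
        return {"kind": "unknown"}
    if length < 16:
        raise ValueError("compression transform header needs 16 bytes")
    # ProtocolId(4) OriginalCompressedSegmentSize(4) CompressionAlgorithm(2)
    # Flags(2) Offset-or-Length(4); all fields are little-endian.
    original_size, algo, flags, _ = struct.unpack_from("<IHHI", payload, 4)
    return {
        "kind": "compressed",
        "algorithm": ARTICLE_ALGORITHMS.get(algo, f"other(0x{algo:04x})"),
        "in_article_list": algo in ARTICLE_ALGORITHMS,
        "original_size": original_size,
        "chained": bool(flags & 0x0001),  # SMB2_COMPRESSION_FLAG_CHAINED
        "bytes_after_header": length - 16,
    }


def build_sample(algo: int, original_size: int = 118) -> bytes:
    """Constructed frame: valid header, filler body that is not real compressed data."""
    payload = COMPRESSED + struct.pack("<IHHI", original_size, algo, 0, 0) + b"\x00" * 24
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


if __name__ == "__main__":
    for algo in (0x0001, 0x0002, 0x0003, 0x0005):
        print(classify_frame(build_sample(algo)))
```

A frame whose algorithm ID falls outside the three listed in this article is reported with `in_article_list` set to `False`, which is the case to look at when a compressed transfer does not produce the expected UTM log entry.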






