How to disable SMBv3 AV inspection

27312
Created On 06/17/21 14:48 PM - Last Modified 04/14/25 11:20 AM


Objective


To give step-by-step instructions for disabling Antivirus inspection of SMBv3 traffic on internal networks.

Environment


All PAN-OS versions

Procedure


Symptom: a PAN-OS firewall is logging false-positive Antivirus detections for SMBv3 traffic, with no file name and no details.
This workaround may be necessary on networks that do not want to turn off SMBv3 Multichannel but are receiving false-positive detections for SMBv3 traffic.

1) Verify which Security policy rule the SMBv3 traffic is hitting.
     1a) Look in the Threat logs for the false-positive entries and note the rule shown in the Rule column.
     1b) Go to Policies, open that rule, and note which Antivirus profile is attached to it.

2) Go to Objects -> Security Profiles -> Antivirus and open that profile. If the same profile is also attached to rules that carry untrusted traffic, clone it first and attach the clone to the internal rule only, so the exception is scoped to internal SMB traffic.
     2a) In the profile, click Add at the lower right of the Application Exception panel.

3) Search for and select MS-SMBv3.

4) Set the action for the exception. The suggested action is allow, which makes the profile pass SMBv3 traffic instead of scanning it.


5) Click OK and commit.



Additional Information


This procedure allows SMBv3 traffic through without generating false positives caused by Multichannel splitting a file into pieces and sending them through the firewall over several connections.
Firewall SMB support now includes SMBv3 (3.0, 3.0.2, and 3.1.1), with additional threat detection and file identification capabilities and improved performance and reliability across all SMB versions. These improvements add a layer of security for data center deployments, network segments, and internal networks by allowing files transferred over SMB to be forwarded to WildFire for analysis. Because SMBv3 Multichannel splits a file across several TCP connections, no single session carries the whole file, so customers should disable Multichannel file transfer for maximum protection and inspection of files.
Palo Alto Networks therefore recommends disabling SMB Multichannel through Windows PowerShell.
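
The PowerShell commands that recommendation refers to, as an added example that is not from the article: it disables SMB Multichannel on both the server and client side of a Windows host and verifies the result. It assumes an elevated session on Windows 8 / Server 2012 or later with the built-in SmbShare module; the function names are the example's own.

```powershell
# Added example (not from the Palo Alto Networks article): disable SMB Multichannel
# on a Windows host and confirm the change. Run in an elevated PowerShell session
# on the file server and, for full effect, on the clients as well.
# Assumption: the SmbShare module cmdlets (Windows 8 / Server 2012+) are available.

function Get-SmbMultichannelState {
    # Returns the current Multichannel setting for inbound (server) and outbound (client) SMB.
    [pscustomobject]@{
        Server = (Get-SmbServerConfiguration).EnableMultiChannel
        Client = (Get-SmbClientConfiguration).EnableMultiChannel
    }
}

function Disable-SmbMultichannel {
    # Turn Multichannel off on both sides. -Force suppresses the confirmation prompt.
    Set-SmbServerConfiguration -EnableMultiChannel $false -Force
    Set-SmbClientConfiguration -EnableMultiChannel $false -Force
}

$before = Get-SmbMultichannelState
Write-Host "Before: server=$($before.Server) client=$($before.Client)"

Disable-SmbMultichannel

$after = Get-SmbMultichannelState
if ($after.Server -or $after.Client) {
    throw "SMB Multichannel is still enabled (server=$($after.Server) client=$($after.Client))"
}
Write-Host "After:  server=$($after.Server) client=$($after.Client)"

# Sessions that were already established keep the channels they negotiated.
# On a client, list any connections still using multiple channels so they can be
# reconnected (or the host rebooted) before expecting the firewall to see each
# file as a single SMB stream.
$active = Get-SmbMultichannelConnection -ErrorAction SilentlyContinue
if ($active) {
    Write-Host "Connections still using Multichannel (reconnect these):"
    $active | Select-Object ServerName, ClientIpAddress, ServerIpAddress | Format-Table -AutoSize
}
```

Disabling Multichannel also gives up the throughput and link failover it provides, so test on a representative file server before rolling it out, and confirm afterwards in the firewall's Threat logs that the false positives have stopped.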

If disabling Multichannel is not an option, disabling SMBv3 inspection as described above is the other viable route.
This is unlikely to weaken the security posture, because files should already be inspected as they enter the network, before they are placed on a file share.
With Traps (now Cortex XDR) installed, a file placed directly on an endpoint is sent to WildFire and inspected.
 


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMDCCA2&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
