ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

NETAPP and Recent SMB1 Issues

parkea2
‎2017-07-12 02:06 AM
23,297 Views

Can anyone point me to any offical NETAPP responses to the SMB1 discussed here:

 

https://whyistheinternetbroken.wordpress.com/2017/02/22/smb1-vuln-ontap/

 

I am not in a postion today to move to ONTAP 9.2 and disable SMB1.  However our

security scanner are reporting this daily now.

 

If I can quota an offical response from NETAPP stating its SMB1 is not vulnerable then

I can get  a risk acceptance to cover the scan failures until I upgrade to 9.2.

0 Kudos
View By:
Tags (2)
1 ACCEPTED SOLUTION

kryan
NetApp
‎2017-07-12 06:19 AM
23,264 Views

For a conclusive answer it would help to know exactly is the scanner reporting.

 

In the mean time, you might find this helpful:

https://kb.netapp.com/support/s/article/NTAP-20170515-0001

View solution in original post

9 REPLIES 9

kryan
NetApp
‎2017-07-12 06:19 AM
23,265 Views

For a conclusive answer it would help to know exactly is the scanner reporting.

 

In the mean time, you might find this helpful:

https://kb.netapp.com/support/s/article/NTAP-20170515-0001

parkea2
‎2017-07-12 06:35 AM
In response to kryan
23,254 Views

Thanks, you reply was very useful.  This is the Nessus link.

 

http://www.tenable.com/plugins/index.php?view=single&id=96982

 

 

0 Kudos

kryan
NetApp
‎2017-07-12 06:40 AM
In response to parkea2
23,250 Views

Thanks for the info on the generic "disable SMBv1" warning.

 

As of today (7/12/2017) it is not completely possible to disable SMBv1 for client access on any version of ONTAP other than 9.2. However, there are plans to add that capability to an existing LTS 9.x release and an upcoming 7-Mode release as well.

kryan
NetApp
‎2017-08-03 05:59 AM
In response to kryan
23,022 Views

ONTAP version 8.2.5 (7-Mode only) posted today and adds the ability to disable SMBv1 server and client.

VIVISIMOIT
‎2018-01-10 06:05 AM
In response to kryan
22,435 Views

How do you disable smb v1?  i see option to enable V2 but not disable v1.

0 Kudos

parkea2
‎2018-01-10 07:05 AM
In response to VIVISIMOIT
22,420 Views

See release notes for 8.2.5

 

https://library.netapp.com/ecmdocs/ECMLP2760543/html/frameset.html

 

cifs control set

 

 

0 Kudos

VIVISIMOIT
‎2018-01-10 10:18 AM
In response to parkea2
22,401 Views

thanks.  per the release notes,  the command to disable smb v1 in 8.2.5 7mode is

 

filer> cifs control set smb1.enable no

 

in conjunction with this

 

filer> options cifs.smb2.enable on

 

and i can confirm that this allows nessus scans to pass for the cifs protocol

0 Kudos

Jim_Robertson
‎2018-11-19 01:59 PM
18,315 Views

Does anyone know of a way to track what clients are making SMB1 connections?  We would prefer to idetify them and remove them from the environment rather than just disabling SMB1 on the NetApp and breaking any old printers that are still using it.  The cifs session command shows the clients, but it is a point in time, so if they are not actively connected when the command is run, they will not show up.

 

cifs session show -protocol-version smb1 -fields address

I attempted to use the statistics command, but it only shows me numbers of connections (from what I could find), not the specific clients that the connections were coming from.

Any suggestions?

0 Kudos

cyberhic228
‎2019-07-02 06:11 PM
In response to Jim_Robertson
15,578 Views

If this is still an outstanding question, you can always perform a packet capture on a filer and review in wireshark.  This would answer that questions.  Check the knowledgebase on what the commands are to do this, but unless your using a really old OS, you should not have to worry about this.

0 Kudos
Announcements
All Community Forums
Public