Summary
Security scanners such as Tenable or Qualys may flag FlashArray or FlashBlade systems for SMB Signing Not Required.
Response
FlashArray and FlashBlade products set SMB signing to optional by default. This provides our customers with flexibility and optimized performance, balancing security needs with system efficiency based on their unique environments.
For customers seeking enhanced security, SMB signing can be enforced through Active Directory (AD) Policies. If a client requests signing, both FlashArray and FlashBlade will enforce signing of all requests. This allows customers flexibility to use their corporate policies in Active Directory to enforce signing within their environment for client devices. We encourage customers to review their security policies and enable client-side SMB signing where it aligns with their organization’s best practices.
FlashArray also supports enforcing SMB3 encryption for clients, which inherently includes signing as part of the encryption process. It is possible to enforce SMB signing on FlashArray, however, this will require a case with Everpure Technical Services.
FlashBlade Purity 4.3.x and later provide customers the ability to enforce SMB3 encryption, adding data confidentiality alongside message integrity.