Unexpected Traffic Seen from the User-ID Agent

Created On 09/25/18 17:52 PM - Last Modified 06/15/23 20:33 PM




Issue

Unexpected traffic is being seen from the User-ID agent over UDP ports 135 and 137.

  • The application is listed as incomplete, msrpc or netbios-ns.
  • The destination appears to be random public IP addresses.
  • There are many event ID 10009 (DCOM) events in the System log under Event Viewer on the agent host.


Cause

This issue can occur when User-ID is enabled on the untrusted (public-facing) zone and WMI probing is enabled on the User-ID Agent. Inbound connections sourced from the public-facing zone will almost always come from IP addresses with no known user mapping; because User-ID is enabled on that zone, the Palo Alto Networks firewall attempts to identify the user mapping for each source IP address. Since no mapping exists on the firewall or on the User-ID Agent, the agent attempts to resolve the IP-to-user mapping with a WMI probe against that public address, which will most likely fail. This can cause performance issues on both the firewall and the agent.

One such example is shown below. Sometimes the traffic for the application msrpc is seen as incomplete:

14.JPG
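To spot this condition from traffic logs rather than by eye, here is an added example (not part of the original article) that flags the symptom described above: one source host (assumed to be the User-ID Agent) sending UDP 135/137 traffic identified as incomplete, msrpc or netbios-ns to many distinct external addresses. The log lines and the internal address ranges are constructed for the example and use a simplified comma-separated layout, not the real PAN-OS CSV format.

```python
import ipaddress
from collections import Counter

# Constructed, simplified traffic-log lines (not the real PAN-OS CSV layout):
# src,dst,proto,dport,app
SAMPLE_LOGS = """\
10.1.1.5,203.0.113.17,udp,135,msrpc
10.1.1.5,198.51.100.8,udp,137,netbios-ns
10.1.1.5,192.0.2.44,udp,135,incomplete
10.1.1.5,10.1.2.10,udp,135,msrpc
10.1.1.9,203.0.113.17,tcp,443,ssl
10.1.1.5,203.0.113.99,udp,137,netbios-ns
"""

# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROBE_PORTS = {135, 137}   # RPC endpoint mapper (WMI) and NetBIOS name service
PROBE_APPS = {"incomplete", "msrpc", "netbios-ns"}

def parse_line(line):
    src, dst, proto, dport, app = line.strip().split(",")
    return {"src": src, "dst": dst, "proto": proto, "dport": int(dport), "app": app}

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def is_failed_probe(rec, agent_ip):
    """Match the symptom in the article: the agent sending UDP 135/137
    (incomplete, msrpc or netbios-ns) to an external address."""
    return (rec["src"] == agent_ip and rec["proto"] == "udp"
            and rec["dport"] in PROBE_PORTS and rec["app"] in PROBE_APPS
            and is_external(rec["dst"]))

def find_probe_storm(log_text, agent_ip, min_destinations=3):
    """Return (matching_records, distinct_external_destinations, alert).
    Many distinct external destinations from one agent is the signature of
    User-ID enabled on a public-facing zone with WMI probing turned on."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    hits = [r for r in records if is_failed_probe(r, agent_ip)]
    dests = Counter(r["dst"] for r in hits)
    return len(hits), len(dests), len(dests) >= min_destinations

if __name__ == "__main__":
    print(find_probe_storm(SAMPLE_LOGS, "10.1.1.5"))  # (4, 4, True)
```

The probe to 10.1.2.10 is ignored because it targets an internal host, which is the normal, expected WMI probing behaviour on a trusted zone.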


Resolution

Do not enable User-ID on the public-facing zone. In most cases, User-ID should only be enabled on trusted or internal zones. If User-ID is enabled on the public-facing zone, disable it by going to Network > Zones, clicking the Untrust zone, and unchecking "Enable User Identification":

15.JPG


The final Zone Configuration should look like the example below:

16.JPG


owner: jteetsel



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLfCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail