Unexpected Traffic Seen from the User-ID Agent
Issue
Unexpected traffic is being seen from the User-ID agent host on ports 135 and 137.
- The application is listed as incomplete, msrpc or netbios-ns.
- The destinations appear to be random public IP addresses.
- Many DCOM Event ID 10009 entries appear in the System log in Event Viewer on the agent host.
Cause
This issue can occur when User-ID is enabled on the untrusted (public-facing) zone and WMI probing (or NetBIOS probing) is enabled on the User-ID agent. Inbound connections sourced from the public-facing zone almost always come from IP addresses the firewall has no user mapping for. Because User-ID is enabled on that zone, the firewall asks the User-ID agent for a mapping for each such source IP. The agent has no mapping either, so it falls back to client probing: a WMI probe over RPC/DCOM (port 135, seen as msrpc) or a NetBIOS name query (UDP 137, seen as netbios-ns) sent directly to the public address. Those probes cannot succeed against Internet hosts, and each failure is logged on the agent as DCOM event 10009. At the rate new public sources arrive, this can cause performance issues on both the firewall and the agent.
An example of this traffic is shown in the screenshot below; sometimes the probe traffic is seen as incomplete rather than msrpc, because the probe never completes a handshake:
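The symptoms above can be confirmed before touching the configuration by checking whether the firewall's traffic log shows probe traffic from the agent host leaving the internal estate, and whether the agent's DCOM 10009 events name the same destinations. The script below is an added example, not part of this article or of Palo Alto Networks software; the traffic-log rows and Windows event messages are constructed inline, the agent address 10.1.1.50 is assumed, and the RFC 1918 ranges stand in for "internal" space (adjust them to your network).

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Networks in which User-ID mappings are expected. Anything outside these is
# treated as "public" for this check. Assumption: RFC 1918 space is the
# internal estate; change this list to match your site.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Ports and applications produced by the agent's client probing: RPC endpoint
# mapper / DCOM on 135 (WMI probing) and NetBIOS name service on 137 (NetBIOS
# probing). "incomplete" covers probes that never finished a handshake.
PROBE_PORTS = {"135", "137"}
PROBE_APPS = {"msrpc", "netbios-ns", "incomplete"}

# Constructed excerpt of a PAN-OS traffic-log CSV export (subset of fields),
# not real data. 10.1.1.50 plays the User-ID agent host.
SAMPLE_TRAFFIC_LOG = """src,dst,dport,proto,app,from_zone,to_zone,action
10.1.1.50,203.0.113.7,135,tcp,msrpc,trust,untrust,allow
10.1.1.50,198.51.100.23,137,udp,netbios-ns,trust,untrust,allow
10.1.1.50,203.0.113.9,135,tcp,incomplete,trust,untrust,allow
10.1.1.50,10.1.2.20,135,tcp,msrpc,trust,trust,allow
10.1.1.77,203.0.113.7,443,tcp,ssl,trust,untrust,allow
"""

# Constructed System-log messages in the wording Windows uses for DCOM event 10009.
SAMPLE_DCOM_EVENTS = [
    "DCOM was unable to communicate with the computer 203.0.113.7 using any of the configured protocols.",
    "DCOM was unable to communicate with the computer 10.1.2.20 using any of the configured protocols.",
    "DCOM was unable to communicate with the computer 203.0.113.9 using any of the configured protocols.",
]

DCOM_10009_RE = re.compile(r"DCOM was unable to communicate with the computer (\S+) using any")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def find_stray_probes(csv_text: str, agent_ips: set[str]) -> list[dict]:
    """Return traffic-log rows that look like User-ID probes sent to public addresses."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["src"] not in agent_ips:
            continue
        if row["dport"] not in PROBE_PORTS or row["app"] not in PROBE_APPS:
            continue
        if is_internal(row["dst"]):
            continue  # probing an internal host is expected agent behaviour
        hits.append(row)
    return hits


def summarize(hits: list[dict]) -> Counter:
    """Count stray probes per (application, destination port)."""
    return Counter((h["app"], h["dport"]) for h in hits)


def dcom_targets(event_messages: list[str]) -> set[str]:
    """Extract the unreachable computer named in each DCOM 10009 message."""
    targets = set()
    for msg in event_messages:
        m = DCOM_10009_RE.search(msg)
        if m:
            targets.add(m.group(1))
    return targets


def correlate(hits: list[dict], event_messages: list[str]) -> set[str]:
    """Public destinations seen both as probe traffic on the firewall and as failed DCOM calls on the agent."""
    return {h["dst"] for h in hits} & dcom_targets(event_messages)


if __name__ == "__main__":
    hits = find_stray_probes(SAMPLE_TRAFFIC_LOG, {"10.1.1.50"})
    for (app, port), n in sorted(summarize(hits).items()):
        print(f"{app:12s} dport {port}: {n} session(s) to public addresses")
    print("confirmed by DCOM 10009 on the agent:", sorted(correlate(hits, SAMPLE_DCOM_EVENTS)))
```

If the correlated set is non-empty and the destinations are scattered public addresses rather than a handful of servers, the cause described above is confirmed; a single internal host that fails DCOM (like 10.1.2.20 in the sample) is ordinary probing against a machine with a firewall or no WMI access and is deliberately not flagged.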
Resolution
Do not enable User-ID on the public-facing zone. In most cases, User-ID should only be enabled on trusted or internal zones, where the source addresses are hosts the agent can actually identify. If User-ID is enabled on the public-facing zone, disable it by going to Network > Zones, clicking the Untrust zone, and unchecking "Enable User Identification", then commit the change.
Two further checks are worth making at the same time. First, if the agent learns mappings from domain-controller security logs and client probing is not actually needed, disable WMI and NetBIOS probing on the User-ID agent so that unknown addresses are never probed at all. Second, if User-ID must stay enabled on a zone that also sees non-internal sources, use the User-ID include/exclude network lists to restrict mapping (and therefore probing) to your internal address ranges.
The final zone configuration should look like the example below:
owner: jteetsel