https://live.paloaltonetworks.com/t5/advanced-threat-prevention/strange-tcp-traffic-from-pan-firewall-management-ip-going-to/m-p/197230#M182 <P>Hi All,</P><P>I've noticed an strange event in our network. We have PAN 5020 and other PAN firewalls. The issue is from the management IP from one of them there is TCP traffic going to a Japanese server on port 135 (MSRPC). One of our Sensors detects it as "possible infection". Some vendors have suggested it is nothing and may be related to this since we have user agent ID enabled: <A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/Unexpected-Traffic-Seen-from-the-User-ID-Agent/ta-p/62830" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/Unexpected-Traffic-Seen-from-the-User-ID-Agent/ta-p/62830</A></P><P>But I'm not sure. Will this event warrant further exploring?</P> Sat, 27 Jan 2018 14:13:06 GMT FR33BSD4LIFE 2018-01-27T14:13:06Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/strange-tcp-traffic-from-pan-firewall-management-ip-going-to/m-p/197230#M182 <P>Hi All,</P><P>I've noticed an strange event in our network. We have PAN 5020 and other PAN firewalls. The issue is from the management IP from one of them there is TCP traffic going to a Japanese server on port 135 (MSRPC). One of our Sensors detects it as "possible infection". Some vendors have suggested it is nothing and may be related to this since we have user agent ID enabled: <A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/Unexpected-Traffic-Seen-from-the-User-ID-Agent/ta-p/62830" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/Unexpected-Traffic-Seen-from-the-User-ID-Agent/ta-p/62830</A></P><P>But I'm not sure. Will this event warrant further exploring?</P> Sat, 27 Jan 2018 14:13:06 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/strange-tcp-traffic-from-pan-firewall-management-ip-going-to/m-p/197230#M182 FR33BSD4LIFE 2018-01-27T14:13:06Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/strange-tcp-traffic-from-pan-firewall-management-ip-going-to/m-p/197426#M183 <P>Just to err on the side of caution I recommend opening a case with our support team and uploading a tech support file from the device that is generating this behavior.&nbsp; Also, any log data relevant to this traffic would be helpful as well (traffic logs, etc. if available).</P> <P>&nbsp;</P> <P>Thank you.</P> Mon, 29 Jan 2018 15:58:14 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/strange-tcp-traffic-from-pan-firewall-management-ip-going-to/m-p/197426#M183 bvandivier 2018-01-29T15:58:14Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/strange-tcp-traffic-from-pan-firewall-management-ip-going-to/m-p/197454#M184 <P>Hello,</P><P>I would highly recommend you disable the user-id lookup on any untrusted/internet based zones. This can cause that type of traffic and leave the password for others to 'guess'. I would also recommend changing the user-id lookup password you use for wmi.</P><P>&nbsp;</P><P>Regards,</P> Mon, 29 Jan 2018 17:54:10 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/strange-tcp-traffic-from-pan-firewall-management-ip-going-to/m-p/197454#M184 OtakarKlier 2018-01-29T17:54:10Z