topic Re: SMB traffic identified as active-directory in General Topics

SMB traffic identified as active-directory

TerjeLundbo — Fri, 13 Apr 2018 11:54:10 GMT

From one of our management servers (Windows Server 2016) SMB traffic is identified as active-directory, but from user clients it's correctly identified as ms-ds-smbv2. Anyone come across this? We have several storage solutions (NetApp filer, iSCSI, DFS on Fibre Channel storage), and it seems to happen with all of them.

One more thing: this only happens when we look at the properties of a file or a folder, not when opening it or performing other operations.

We have two PA-5050 in HA (active-passive) running PAN-OS 7.1.15.

Re: SMB traffic identified as active-directory

s996kingsm — Tue, 24 Apr 2018 14:05:38 GMT

I am having the same issue.

Re: SMB traffic identified as active-directory

TerjeLundbo — Wed, 25 Apr 2018 10:00:11 GMT

I have opened a TAC case for this and have sent some packet captures and logs. Will report back when I hear back from them.

Re: SMB traffic identified as active-directory

TerjeLundbo — Wed, 09 May 2018 07:42:35 GMT

Update: TAC has not been able to replicate this problem, but it looks like it only affects DFS file shares.

Re: SMB traffic identified as active-directory

TerjeLundbo — Mon, 25 Jun 2018 12:54:21 GMT

Update: according to TAC this is expected behaviour. When you right-click on a file or a folder and select Properties the app-id on Palo Alto will change from ms-ds-smb to active-directory. So they adviced us to open for active-directory + ms-ds-smb in all applicable policies (mostly for our management servers). Of course, if I just add active-directory in the policies I get a bunch of warnings when I commit about active-directory depending on kerberos etc.

How does the rest of the community handle this?

Re: SMB traffic identified as active-directory

LindseyPerry — Thu, 18 May 2023 14:14:24 GMT

Edit: I did not see how old this thread was, I will open a TAC case and report.

Expected behavior is a BS answer! This started today at 12:50AM Arizona time. Was listed as ms-ds-smbv3 prior to that. How can we use applications in our security policies when they (Palo Alto) modify their decoders without notification.

I had to create an emergency change to allow that traffic.

Re: SMB traffic identified as active-directory

jmwilkinson — Wed, 07 Jun 2023 22:33:09 GMT

Agreed that this answer is BS. Clearly SMB works without 'active-directory-base,' so why does it kick off (plus 'ms-netlogon') when you look at the properties? It seems obvious that some sort of permissions is being check to view. Does anyone know if Microsoft have any documentation on this?