https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-odd-outbound-traffic-patterns/m-p/26100#M19051 <HTML><HEAD></HEAD><BODY><P>All,</P><P></P><P>We've noticed some strange traffic patterns coming from our Agent boxes and am curious why, and if others are seeing something similar... ?</P><P></P><P>Looking in our Monitoring logs I see our two Agents sending data to:</P><P></P><P>14.1.1.19</P><P>14.2.1.19</P><P>14.2.1.1</P><P></P><P>Via SMB ports 135,137,139</P><P></P><P>This appears to be something out of Australia</P><P></P><P>We're blocking this communication, and they're fresh boxes with Anti-Virus installed so it's really odd that we're seeing this..</P><P></P><P>Anyone?</P><P></P><P>Thanks!</P><P></P><P>-Steve</P></BODY></HTML> Wed, 09 May 2012 17:19:30 GMT steveo 2012-05-09T17:19:30Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-odd-outbound-traffic-patterns/m-p/26100#M19051 <HTML><HEAD></HEAD><BODY><P>All,</P><P></P><P>We've noticed some strange traffic patterns coming from our Agent boxes and am curious why, and if others are seeing something similar... ?</P><P></P><P>Looking in our Monitoring logs I see our two Agents sending data to:</P><P></P><P>14.1.1.19</P><P>14.2.1.19</P><P>14.2.1.1</P><P></P><P>Via SMB ports 135,137,139</P><P></P><P>This appears to be something out of Australia</P><P></P><P>We're blocking this communication, and they're fresh boxes with Anti-Virus installed so it's really odd that we're seeing this..</P><P></P><P>Anyone?</P><P></P><P>Thanks!</P><P></P><P>-Steve</P></BODY></HTML> Wed, 09 May 2012 17:19:30 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-odd-outbound-traffic-patterns/m-p/26100#M19051 steveo 2012-05-09T17:19:30Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-odd-outbound-traffic-patterns/m-p/26101#M19052 <HTML><HEAD></HEAD><BODY><P>What is your settings your of userid agents?</P><P></P><P>I think its recommended to disable netbios lookups but enable wmi lookups (if possible).</P><P></P><P>You can also in the menu enable debug log level and then watch the userid directory in program files and then copy the debug file as soon as you see this traffic (dont forget to change log level back to informational or such after you copied the debug log to not run out of disk).</P><P></P><P>Hopefully you can then find in the debuglog from where these ip addresses is pickedup (is it someone logging in to your exchange server or is it something else).</P></BODY></HTML> Wed, 09 May 2012 21:49:14 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-odd-outbound-traffic-patterns/m-p/26101#M19052 mikand 2012-05-09T21:49:14Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-odd-outbound-traffic-patterns/m-p/26102#M19053 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P> UserAgents have a feature that scans workstations via WMI/Netbios. If you firewall request informations about an IP to a UserAgent (even if that IP is on internet), it will scan it.</P><P></P><P> If you don't want internet addresses to be scanned or IDed, look at your zone User Identification configuration and UserID doc in general.</P></BODY></HTML> Thu, 10 May 2012 08:37:30 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-odd-outbound-traffic-patterns/m-p/26102#M19053 essnet 2012-05-10T08:37:30Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-odd-outbound-traffic-patterns/m-p/26103#M19054 <HTML><HEAD></HEAD><BODY><P>We did have our Agents set to use Netbios so I disabled it, and now it seems to have quited down.</P><P></P><P>As far as zone ID goes we're only checking for IDs on our Trusted segment, IE: Trusted (Inside) -&gt; Untrusted (Outside) -&gt; Internet and not the reverse..</P><P></P><P>It's strange that those couple hosts would keep coming up... Hmmm..</P><P></P><P>Thanks guys!</P><P></P><P>-Steve</P></BODY></HTML> Fri, 11 May 2012 17:48:26 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-odd-outbound-traffic-patterns/m-p/26103#M19054 steveo 2012-05-11T17:48:26Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-odd-outbound-traffic-patterns/m-p/26104#M19055 <HTML><HEAD></HEAD><BODY><P>If im not mistaken you can in the userid agent also filter which ip addresses it should lookup/handle.</P></BODY></HTML> Fri, 11 May 2012 19:02:01 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-odd-outbound-traffic-patterns/m-p/26104#M19055 mikand 2012-05-11T19:02:01Z