topic Re: UserID agent sessions to public IPs in General Topics

UserID agent sessions to public IPs

BigPalo — Fri, 11 Sep 2020 12:23:09 GMT

Hi,

We are detecting in Palo FW that there are sessions from UseriD-Agent servers to publics IPs. Our SOC confirmed that some of these public IPs are categorized like low reputation. Sessions are in port 135. I know the UserId agent uses this port but its reaching publics IPs.

We have GP enabled, and there are also connections port 135 to the public client IPs. But there are anothe sessions to low reputatio ips

Why its having this behaviour? Any way to avoid these sessions from UIA to public IPS?.

Re: UserID agent sessions to public IPs

Nikolay-Matveev — Fri, 11 Sep 2020 13:14:19 GMT

Start with disabling NetBIOS in TCP/IP parameters on the UID agents (Control Panel > Network Connections > your connection > Properties > TCP/IPv4 > Advanced > WINS > Disable NetBIOS over TCP/IP). Unless you do use it in your network of course... (but I cannot think of a good reason to do so these days to be honest).

Re: UserID agent sessions to public IPs

BigPalo — Sun, 13 Sep 2020 16:15:16 GMT

But NEtBIOS is not port 135.

I think it would have more convenient disabling WMI probing. This can be a risk in the normal behavior for UIA.

Anyway, i dont understand why UIA are starting sessions to public low reputation IPs

Re: UserID agent sessions to public IPs

Nikolay-Matveev — Mon, 14 Sep 2020 10:36:54 GMT

Good point about WMI probing... Perhaps I am too used to have it switched off in my environment 🙂

Do you have UserID switched off for the Internet zone on the firewalls?

Re: UserID agent sessions to public IPs

Nikolay-Matveev — Mon, 14 Sep 2020 10:38:54 GMT

(it should be off, otherwise, logically, the firewalls should be querying the agents for UserID info on public IPs too, which would produce WMI queries if the relevant option is enabled...)