https://live.paloaltonetworks.com/t5/general-topics/userid-agent-stating-connections-port-135/m-p/350447#M86964 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85066">@BigPalo</a>&nbsp;</P> <P>This sounds like you have Client Probing enabled, and if you've verified that User-ID is disabled on the untrust interface you'll also want to go through and verify that it isn't included in your Include Network listing.&nbsp;</P> Fri, 18 Sep 2020 16:49:04 GMT BPry 2020-09-18T16:49:04Z https://live.paloaltonetworks.com/t5/general-topics/userid-agent-stating-connections-port-135/m-p/350342#M86959 <P>Hi,</P><P>&nbsp;</P><P>We need to know why our UIAs are starting sessions to INTERNET in port 135.</P><P>&nbsp;</P><P>how can we mitigate this flow? WE disblae UIA in INTERNET zone but we still see these sessions.</P><P>&nbsp;</P><P>Here you can see the kind of&nbsp; sessions:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="UBE1.JPG" style="width: 720px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27802iB1456BFB364CF2D4/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="UBE1.JPG" alt="UBE1.JPG" /></span></P><P>&nbsp;</P><P>any idea?</P> Fri, 18 Sep 2020 07:50:25 GMT https://live.paloaltonetworks.com/t5/general-topics/userid-agent-stating-connections-port-135/m-p/350342#M86959 BigPalo 2020-09-18T07:50:25Z https://live.paloaltonetworks.com/t5/general-topics/userid-agent-stating-connections-port-135/m-p/350447#M86964 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85066">@BigPalo</a>&nbsp;</P> <P>This sounds like you have Client Probing enabled, and if you've verified that User-ID is disabled on the untrust interface you'll also want to go through and verify that it isn't included in your Include Network listing.&nbsp;</P> Fri, 18 Sep 2020 16:49:04 GMT https://live.paloaltonetworks.com/t5/general-topics/userid-agent-stating-connections-port-135/m-p/350447#M86964 BPry 2020-09-18T16:49:04Z https://live.paloaltonetworks.com/t5/general-topics/userid-agent-stating-connections-port-135/m-p/350478#M86968 <P>Thanks for your response Bpry</P><P>&nbsp;</P><P>So, you mean&nbsp; in UIA Agent config to add the LAN network in "incluted list of configured networks", right?</P><P>or you mean to disable WMI probing (this could cause impact)</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbkCAC" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbkCAC</A></P><P>&nbsp;</P><P>So we also should disable Probin in PA config? "<SPAN>Go to Device &gt;&gt; User Identification</SPAN><BR /><SPAN>On the "User Mapping" tab, in the "Palo Alto Networks User ID Agent" pane, view the "Enable Probing" check box. If it is selected, this is a finding.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 18 Sep 2020 19:16:10 GMT https://live.paloaltonetworks.com/t5/general-topics/userid-agent-stating-connections-port-135/m-p/350478#M86968 BigPalo 2020-09-18T19:16:10Z https://live.paloaltonetworks.com/t5/general-topics/userid-agent-stating-connections-port-135/m-p/350666#M86986 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85066">@BigPalo</a>,</P> <P>verify that you actually have an include network configured on the agent. Client Probing really isn't a recommended configuration anymore, and you definitely don't want to allow sending those probes externally.</P> Sun, 20 Sep 2020 03:51:18 GMT https://live.paloaltonetworks.com/t5/general-topics/userid-agent-stating-connections-port-135/m-p/350666#M86986 BPry 2020-09-20T03:51:18Z