topic Unusual traffic on port 135 in General Topics

Unusual traffic on port 135

mshihora — Sun, 05 Sep 2021 21:31:27 GMT

Hello, I have been facing an issue where I see lots of traffic toward internal serves on port 135. The source of the traffic is the firewall management IP. Its agentless user-id setup on the firewall. Previously WMI probing is enabled which cause the issue.

I can still see the same traffic on port 135 after disabling the WMI probing.

In server monitoring, there are only AD server

Re: Unusual traffic on port 135

TomYoung — Sun, 05 Sep 2021 22:13:48 GMT

Are the internal servers the ones you have configured for agentless User-ID? These are located under Device > User Identification > User Mapping > Server Monitoring. Agentless User-ID uses WMI Authentication. https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClGG

I see the same traffic on my network, but it is only to the servers I have configured.

Re: Unusual traffic on port 135

mshihora — Mon, 06 Sep 2021 13:31:59 GMT

Hi thanks for the reply but I have seen this traffic for other servers too. They are not added to server monitoring as well.

Re: Unusual traffic on port 135

TomYoung — Mon, 06 Sep 2021 16:08:00 GMT

Very interesting! Now I am curious as well. Could you take those other server destination IP addresses and put them in the Global Find magnifying glass in the upper right of your NGFW to see if they are in the config? If not, triple check that "Device > User Identification > User Mapping > Enable Probing" is unchecked and commit again? It stands to reason that if the management interface is sourcing the traffic it must be configured somewhere. Maybe also restart the management server with the command "debug software restart process management-server" on the CLI.