From one of our management servers (Windows Server 2016) SMB traffic is identified as active-directory, but from user clients it's correctly identified as ms-ds-smbv2. Anyone come across this? We have several storage solutions (NetApp filer, iSCSI, DFS on Fibre Channel storage), and it seems to happen with all of them.
One more thing: this only happens when we look at the properties of a file or a folder, not when opening it or performing other operations.
We have two PA-5050 in HA (active-passive) running PAN-OS 7.1.15.
I have opened a TAC case for this and have sent some packet captures and logs. Will report back when I hear back from them.
Update: according to TAC this is expected behaviour. When you right-click on a file or a folder and select Properties, the app-id on Palo Alto will change from ms-ds-smb to active-directory. So they advised us to open for active-directory + ms-ds-smb in all applicable policies (mostly for our management servers). Of course, if I just add active-directory in the policies, I get a bunch of warnings when I commit about active-directory depending on kerberos etc.
How does the rest of the community handle this?
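The rule shape TAC recommended, written out as an added example in PAN-OS set-format CLI (this is not configuration from the original post or from Palo Alto Networks). The rule name, zone names and address objects are placeholders; ms-ds-smbv2 and active-directory are the two App-IDs the post describes, and kerberos is the dependency the post says the commit warning named. Comment lines are for the reader and must be stripped before pasting into the CLI.

```text
# Added example, not from the original post. Placeholders: Mgmt-to-Storage-SMB,
# Mgmt, Storage, Mgmt-Servers, Storage-Filers.
configure
set rulebase security rules Mgmt-to-Storage-SMB from Mgmt to Storage
set rulebase security rules Mgmt-to-Storage-SMB source Mgmt-Servers
set rulebase security rules Mgmt-to-Storage-SMB destination Storage-Filers
# ms-ds-smbv2 covers normal file access; active-directory covers the shift
# seen when the Properties dialog is opened; kerberos is the dependency the
# commit warning listed. Add any further dependencies your own commit warning
# names rather than guessing.
set rulebase security rules Mgmt-to-Storage-SMB application [ ms-ds-smbv2 active-directory kerberos ]
set rulebase security rules Mgmt-to-Storage-SMB service application-default
set rulebase security rules Mgmt-to-Storage-SMB action allow
commit
```

Keeping the rule scoped to the management-server source objects (rather than widening an existing any-to-storage SMB rule) limits what the extra active-directory and kerberos App-IDs open up. After the commit, the traffic log filter ( app eq active-directory ) on the management servers' sessions shows whether the Properties-dialog traffic is now hitting this rule instead of a deny.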