This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

User-ID Agent odd outbound traffic patterns

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

User-ID Agent odd outbound traffic patterns

steveo
L3 Networker

‎05-09-2012 10:19 AM

All,

We've noticed some strange traffic patterns coming from our Agent boxes and am curious why, and if others are seeing something similar... ?

Looking in our Monitoring logs I see our two Agents sending data to:

14.1.1.19

14.2.1.19

14.2.1.1

Via SMB ports 135,137,139

This appears to be something out of Australia

We're blocking this communication, and they're fresh boxes with Anti-Virus installed so it's really odd that we're seeing this..

Anyone?

Thanks!

-Steve

Labels:
4 REPLIES 4

mikand
L6 Presenter

‎05-09-2012 02:49 PM

What is your settings your of userid agents?

I think its recommended to disable netbios lookups but enable wmi lookups (if possible).

You can also in the menu enable debug log level and then watch the userid directory in program files and then copy the debug file as soon as you see this traffic (dont forget to change log level back to informational or such after you copied the debug log to not run out of disk).

Hopefully you can then find in the debuglog from where these ip addresses is pickedup (is it someone logging in to your exchange server or is it something else).

0 Likes Likes

essnet
L4 Transporter
In response to mikand

‎05-10-2012 01:37 AM

Hello,

UserAgents have a feature that scans workstations via WMI/Netbios. If you firewall request informations about an IP to a UserAgent (even if that IP is on internet), it will scan it.

If you don't want internet addresses to be scanned or IDed, look at your zone User Identification configuration and UserID doc in general.

0 Likes Likes

steveo
L3 Networker
In response to essnet

‎05-11-2012 10:48 AM

We did have our Agents set to use Netbios so I disabled it, and now it seems to have quited down.

As far as zone ID goes we're only checking for IDs on our Trusted segment, IE: Trusted (Inside) -> Untrusted (Outside) -> Internet and not the reverse..

It's strange that those couple hosts would keep coming up... Hmmm..

Thanks guys!

-Steve

0 Likes Likes

mikand
L6 Presenter
In response to steveo

‎05-11-2012 12:02 PM

If im not mistaken you can in the userid agent also filter which ip addresses it should lookup/handle.

0 Likes Likes
  • 2916 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks