Strange TCP traffic from PAN Firewall management IP going to Japan

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Strange TCP traffic from PAN Firewall management IP going to Japan

L0 Member

Hi All,

I've noticed an strange event in our network. We have PAN 5020 and other PAN firewalls. The issue is from the management IP from one of them there is TCP traffic going to a Japanese server on port 135 (MSRPC). One of our Sensors detects it as "possible infection". Some vendors have suggested it is nothing and may be related to this since we have user agent ID enabled: https://live.paloaltonetworks.com/t5/Configuration-Articles/Unexpected-Traffic-Seen-from-the-User-ID...

But I'm not sure. Will this event warrant further exploring?

2 REPLIES 2

L5 Sessionator

Just to err on the side of caution I recommend opening a case with our support team and uploading a tech support file from the device that is generating this behavior.  Also, any log data relevant to this traffic would be helpful as well (traffic logs, etc. if available).

 

Thank you.

Cyber Elite
Cyber Elite

Hello,

I would highly recommend you disable the user-id lookup on any untrusted/internet based zones. This can cause that type of traffic and leave the password for others to 'guess'. I would also recommend changing the user-id lookup password you use for wmi.

 

Regards,

  • 3515 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!