SMB traffic identified as active-directory


L3 Networker

From one of our management servers  (Windows Server 2016) SMB traffic is identified as active-directory, but from user clients it's correctly identified as ms-ds-smbv2. Anyone come across this? We have several storage solutions (NetApp filer, iSCSI, DFS on Fibre Channel storage), and it seems to happen with all of them.

 

One more thing: this only happens when we look at the properties of a file or a folder, not when opening it or performing other operations.

 

We have two PA-5050 in HA (active-passive) running PAN-OS 7.1.15.


L1 Bithead

I am having the same issue.  

I have opened a TAC case for this and have sent some packet captures and logs. Will report back when I hear back from them.

Update: TAC has not been able to replicate this problem, but it looks like it only affects DFS file shares.

Update: according to TAC this is expected behaviour. When you right-click on a file or a folder and select Properties the app-id on Palo Alto will change from ms-ds-smb to active-directory. So they advised us to open for active-directory + ms-ds-smb in all applicable policies (mostly for our management servers). Of course, if I just add active-directory in the policies I get a bunch of warnings when I commit about active-directory depending on kerberos etc.

 

How does the rest of the community handle this?
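One way to act on the TAC advice above without opening active-directory everywhere is to work out from the traffic log which sources actually produce the App-ID shift on SMB sessions, and to check a proposed application list against the dependency warnings the commit raises. The script below is an added example, not code from the thread or from Palo Alto Networks; the log lines and column names are constructed for the example (a real PAN-OS traffic-log export has more columns and its own header names), and the dependency map only contains the kerberos dependency the thread mentions, so it is an assumption to be replaced by the firewall's own commit warnings.

```python
"""
Added example (not from the thread or Palo Alto Networks): find which sources
produce the 'active-directory' App-ID on SMB (tcp/445) sessions so the policy
change can be scoped to them, and check a proposed application list against
the dependencies the commit warns about.
"""
import csv
import io
from collections import defaultdict

# Constructed traffic-log export (column names are assumptions, not the real
# export header). The app shift shows up as tcp/445 sessions from the
# management server that are identified as active-directory.
TRAFFIC_LOG = """src,dst,dport,app,action,rule
10.1.1.10,10.1.5.20,445,ms-ds-smbv2,allow,Mgmt-to-Storage
10.1.1.10,10.1.5.20,445,active-directory,deny,interzone-default
10.1.1.10,10.1.5.21,445,active-directory,deny,interzone-default
10.2.0.55,10.1.5.20,445,ms-ds-smbv2,allow,Users-to-Storage
10.2.0.56,10.1.5.20,445,ms-ds-smbv3,allow,Users-to-Storage
10.1.1.10,10.1.0.5,88,kerberos,allow,Mgmt-to-DC
"""

SMB_APPS = {"ms-ds-smb", "ms-ds-smbv2", "ms-ds-smbv3"}


def parse_log(text):
    """Parse a CSV traffic-log export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def smb_app_shift_sources(rows):
    """Return {src: {dst, ...}} for sources whose tcp/445 sessions were
    classified as active-directory, i.e. the behaviour described in the thread."""
    hits = defaultdict(set)
    for r in rows:
        if r["dport"] == "445" and r["app"] == "active-directory":
            hits[r["src"]].add(r["dst"])
    return dict(hits)


def denied_by_shift(rows):
    """Sessions dropped only because the App-ID changed (AD app on the SMB port)."""
    return [r for r in rows
            if r["dport"] == "445"
            and r["app"] == "active-directory"
            and r["action"] == "deny"]


# Assumed dependency map: the thread only says the commit warns that
# active-directory depends on kerberos. Use the firewall's own commit
# warnings for the authoritative list.
APP_DEPENDENCIES = {"active-directory": {"kerberos"}}


def missing_dependencies(proposed_apps, deps=APP_DEPENDENCIES):
    """Apps the rule would also need, per the (assumed) dependency map."""
    proposed = set(proposed_apps)
    missing = set()
    for app in proposed:
        missing |= deps.get(app, set()) - proposed
    return missing


if __name__ == "__main__":
    rows = parse_log(TRAFFIC_LOG)
    for src, dsts in smb_app_shift_sources(rows).items():
        print(f"{src} hits the App-ID shift towards {sorted(dsts)}")
    print(f"{len(denied_by_shift(rows))} session(s) denied because of the shift")
    print("still missing:", missing_dependencies(SMB_APPS | {"active-directory"}))
```

Run against a real export, the per-source summary tells you whether only the management servers are affected (in which case the extra application belongs in their rule alone), and the dependency check shows which additional applications the rule needs before the commit stops warning.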

 

L1 Bithead

Edit:  I did not see how old this thread was, I will open a TAC case and report.

 

Expected behavior is a BS answer! This started today at 12:50AM Arizona time. Was listed as ms-ds-smbv3 prior to that. How can we use applications in our security policies when they (Palo Alto) modify their decoders without notification?

 

I had to create an emergency change to allow that traffic.

Agreed that this answer is BS. Clearly SMB works without 'active-directory-base,' so why does it kick off (plus 'ms-netlogon') when you look at the properties? It seems obvious that some sort of permission is being checked to view. Does anyone know if Microsoft have any documentation on this?

- J