- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-13-2018 04:54 AM
From one of our management servers (Windows Server 2016) SMB traffic is identified as active-directory, but from user clients it's correctly identified as ms-ds-smbv2. Anyone come across this? We have several storage solutions (NetApp filer, iSCSI, DFS on Fibre Channel storage), and it seems to happen with all of them.
One more thing: this only happens when we look at the properties of a file or a folder, not when opening it or performing other operations.
We have two PA-5050 in HA (active-passive) running PAN-OS 7.1.15.
04-24-2018 07:05 AM
I am having the same issue.
04-25-2018 03:00 AM
I have opened a TAC case for this and have sent some packet captures and logs. Will report back when I hear back from them.
05-09-2018 12:42 AM
Update: TAC has not been able to replicate this problem, but it looks like it only affects DFS file shares.
06-25-2018 05:54 AM
Update: according to TAC this is expected behaviour. When you right-click on a file or a folder and select Properties the app-id on Palo Alto will change from ms-ds-smb to active-directory. So they adviced us to open for active-directory + ms-ds-smb in all applicable policies (mostly for our management servers). Of course, if I just add active-directory in the policies I get a bunch of warnings when I commit about active-directory depending on kerberos etc.
How does the rest of the community handle this?
05-18-2023 07:12 AM - edited 05-18-2023 07:14 AM
Edit: I did not see how old this thread was, I will open a TAC case and report.
Expected behavior is a BS answer! This started today at 12:50AM Arizona time. Was listed as ms-ds-smbv3 prior to that. How can we use applications in our security policies when they (Palo Alto) modify their decoders without notification.
I had to create an emergency change to allow that traffic.
06-07-2023 03:33 PM
Agreed that this answer is BS. Clearly SMB works without 'active-directory-base,' so why does it kick off (plus 'ms-netlogon') when you look at the properties? It seems obvious that some sort of permissions is being check to view. Does anyone know if Microsoft have any documentation on this?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!