This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

strange connection from PA - help me please

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

strange connection from PA - help me please

_slv_
L4 Transporter

‎02-26-2014 05:50 AM

Hello

Today I recognised that one of my security policy droppping trafiic from IP 192.168.1.1 adddress from one of my subinterfaces to IP adersses to port 135 from other subnets.

2014-02-26_103117.png

I'm using CaptivePortal but not in that zone where is 192.168.1.1, I'm using AD integration but with agents not on 192.168.1.1.

How to investigate what PAN process is doing that? Please give me some tips how to troubleshoot it.

With regards

SLawek

Labels:
0 Likes Likes
9 REPLIES 9

kdd
L4 Transporter

‎02-26-2014 06:00 AM

Hi slv,

port 135 is netbios please look whether netbios is allowed in the rule Lan_A....

Cheers Klaus

0 Likes Likes

_slv_
L4 Transporter
In response to kdd

‎02-27-2014 09:49 AM

netbios isn't allowed in rules from Lan_A, 192.168.1.1 is a gateway in Lan_A. I have routing between my local networks so it couldn't be a traffic from other LAN network (I think).

Have You any new sugestions?

Regards

SLawek

0 Likes Likes

kdd
L4 Transporter

‎02-28-2014 12:33 AM

Hi slv,

this paket isn't allowed by the rule "Lan_A - blokowanie". If you want the data to go through then there should be a rule to allow this traffic.

Port 135 belongs to MSRPC  (Netbios 137-139) . Let me know how ends.

Regards Klaus

0 Likes Likes

_slv_
L4 Transporter
In response to kdd

‎03-02-2014 09:01 AM

Hi kdd

I know that netbios isn't alloved - this is my intention. I'm looking for source of this traffic.

Gateway 192.168.1.1 in my opinion shouldn't generate such traffic (MSRPC). How to find real source of this traffic?

Any idea?

With regrds

SLawek

0 Likes Likes

prb
L3 Networker
In response to _slv_

‎03-05-2014 02:19 PM

Do you have user-identification enabled on the zone?

0 Likes Likes

_slv_
L4 Transporter

‎03-06-2014 12:43 AM

Yes I have. I'm using user identyfiaction by agents on AD controller installed.

Regards

SLawek

0 Likes Likes

pulukas
L7 Applicator
In response to _slv_

‎03-06-2014 12:54 PM

Do you have any nat interface for this zone?

If so, check the nat logs screening by this port.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes

prb
L3 Networker
In response to _slv_

‎03-06-2014 01:09 PM

Connected to the 192.168.1.1 interface?

If it is connecting to a different interface, you can uncheck user-identification from the zone in question.

0 Likes Likes

kdd
L4 Transporter

‎03-10-2014 02:16 AM

Hi slv,

i don't know if this is still an issue for you if so please check the router config for NAT. Maybe this is a reason to let appear the router a source towards to PA.

Regards Klaus

0 Likes Likes
  • 3543 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks