strange connection from PA - help me please

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

strange connection from PA - help me please

L4 Transporter

Hello

Today I recognised that one of my security policy droppping trafiic from IP 192.168.1.1 adddress from one of my subinterfaces to IP adersses to port 135 from other subnets.

2014-02-26_103117.png

I'm using CaptivePortal but not in that zone where is 192.168.1.1, I'm using AD integration but with agents not on 192.168.1.1.

How to investigate what PAN process is doing that? Please give me some tips how to troubleshoot it.

With regards

SLawek

9 REPLIES 9

L4 Transporter

Hi slv,

port 135 is netbios please look whether netbios is allowed in the rule Lan_A....

Cheers Klaus

L4 Transporter

netbios isn't allowed in rules from Lan_A, 192.168.1.1 is a gateway in Lan_A. I have routing between my local networks so it couldn't be a traffic from other LAN network (I think).

Have You any new sugestions?

Regards

SLawek

L4 Transporter

Hi slv,

this paket isn't allowed by the rule "Lan_A - blokowanie". If you want the data to go through then there should be a rule to allow this traffic.

Port 135 belongs to MSRPC  (Netbios 137-139) . Let me know how ends.

Regards Klaus

L4 Transporter

Hi kdd

I know that netbios isn't alloved - this is my intention. I'm looking for source of this traffic.

Gateway 192.168.1.1 in my opinion shouldn't generate such traffic (MSRPC). How to find real source of this traffic?

Any idea?

With regrds

SLawek

Do you have user-identification enabled on the zone?

L4 Transporter

Yes I have. I'm using user identyfiaction by agents on AD controller installed.

Regards

SLawek

Do you have any nat interface for this zone?

If so, check the nat logs screening by this port.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Connected to the 192.168.1.1 interface?

If it is connecting to a different interface, you can uncheck user-identification from the zone in question.

L4 Transporter

Hi slv,

i don't know if this is still an issue for you if so please check the router config for NAT. Maybe this is a reason to let appear the router a source towards to PA.

Regards Klaus

  • 3553 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!