Unusual traffic on port 135

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Unusual traffic on port 135

L1 Bithead

Hello, I have been facing an issue where I see lots of traffic toward internal serves on port 135. The source of the traffic is the firewall management IP. Its agentless user-id setup on the firewall. Previously WMI probing is enabled which cause the issue.

 

I can still see the same traffic on port 135 after disabling the WMI probing. 

 

In server monitoring, there are only AD server 

3 REPLIES 3

Cyber Elite
Cyber Elite

Are the internal servers the ones you have configured for agentless User-ID?  These are located under Device > User Identification > User Mapping > Server Monitoring.  Agentless User-ID uses WMI Authentication.  https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClGG

 

I see the same traffic on my network, but it is only to the servers I have configured.

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Hi thanks for the reply but I have seen this traffic for other servers too. They are not added to server monitoring as well.

Very interesting!  Now I am curious as well.  Could you take those other server destination IP addresses and put them in the Global Find magnifying glass in the upper right of your NGFW to see if they are in the config?  If not, triple check that "Device > User Identification > User Mapping > Enable Probing" is unchecked and commit again?  It stands to reason that if the management interface is sourcing the traffic it must be configured somewhere.  Maybe also restart the management server with the command "debug software restart process management-server" on the CLI.

Help the community: Like helpful comments and mark solutions.
  • 3470 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!