Hello, I have been facing an issue where I see lots of traffic toward internal servers on port 135. The source of the traffic is the firewall management IP. It's an agentless User-ID setup on the firewall. Previously WMI probing was enabled, which caused the issue.
I can still see the same traffic on port 135 after disabling the WMI probing.
In Server Monitoring, there are only AD servers.
Are the internal servers the ones you have configured for agentless User-ID? These are located under Device > User Identification > User Mapping > Server Monitoring. Agentless User-ID uses WMI Authentication. https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClGG
I see the same traffic on my network, but it is only to the servers I have configured.
Very interesting! Now I am curious as well. Could you take those other server destination IP addresses and put them in the Global Find magnifying glass in the upper right of your NGFW to see if they are in the config? If not, triple check that "Device > User Identification > User Mapping > Enable Probing" is unchecked and commit again? It stands to reason that if the management interface is sourcing the traffic it must be configured somewhere. Maybe also restart the management server with the command "debug software restart process management-server" on the CLI.
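To make the check suggested above repeatable, here is a small added example (not from either poster) that takes exported traffic log lines, keeps only port-135 flows sourced from the management IP, and splits the destinations into those that are in the Server Monitoring list and those that are not. The log lines, management IP and server list are constructed for the example; the column order is an assumption, so adjust it to your export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample traffic log export (CSV), not real data.
# Assumed columns: receive_time, src, dst, dport, app, action
SAMPLE_LOG = """\
2024/01/10 10:00:01,10.0.0.5,10.0.1.10,135,msrpc,allow
2024/01/10 10:00:02,10.0.0.5,10.0.1.11,135,msrpc,allow
2024/01/10 10:00:03,10.0.0.5,10.0.2.50,135,msrpc,allow
2024/01/10 10:00:04,10.0.0.5,10.0.1.10,389,ldap,allow
2024/01/10 10:00:05,10.0.3.7,10.0.2.50,135,msrpc,allow
"""

MGMT_IP = "10.0.0.5"                            # firewall management IP (assumed)
MONITORED_SERVERS = {"10.0.1.10", "10.0.1.11"}  # Server Monitoring entries (assumed)


def parse_log(text):
    """Yield one dict per well-formed CSV log line; short rows are skipped."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 6:
            continue
        ts, src, dst, dport, app, action = row[:6]
        yield {"ts": ts, "src": src, "dst": dst,
               "dport": int(dport), "app": app, "action": action}


def classify_rpc_flows(text, mgmt_ip, monitored):
    """Return (expected, unexpected): per-destination counts of port-135 flows
    from the management IP, split by whether the destination is a configured
    Server Monitoring host. Anything in 'unexpected' should be traced back to
    a config entry (Global Find) or to probing still being enabled."""
    expected, unexpected = defaultdict(int), defaultdict(int)
    for rec in parse_log(text):
        if rec["src"] != mgmt_ip or rec["dport"] != 135:
            continue
        bucket = expected if rec["dst"] in monitored else unexpected
        bucket[rec["dst"]] += 1
    return dict(expected), dict(unexpected)


if __name__ == "__main__":
    ok, odd = classify_rpc_flows(SAMPLE_LOG, MGMT_IP, MONITORED_SERVERS)
    print("configured servers:", ok)
    print("NOT in Server Monitoring:", odd)
```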