04-21-2015 02:51 AM
Hi everybody,
does everyone have this situation on your PA-FW on the ports 137, 139 and 445 with country's: CN, US, MY, IN ...
We have a lot of outgoing traffic with this situation and find out, that the PaloAlto "User-ID Agent" is the causer.
A lot of the external (outside) addresses are in case of "WebBot" - very curiosity.
04-21-2015 03:16 AM
Hi,
do you use WMI probing and did you activate user-id on your external zone? Maybe you should read this KB: Customer advisory: Security Impact of User-ID Misconfiguration
If you activate user id on your external zone the user id agent doesn't know the user for the public IPs and tries to learn the user via wmi probing.
04-21-2015 03:16 AM
Hi,
do you use WMI probing and did you activate user-id on your external zone? Maybe you should read this KB: Customer advisory: Security Impact of User-ID Misconfiguration
If you activate user id on your external zone the user id agent doesn't know the user for the public IPs and tries to learn the user via wmi probing.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
