UserID agent sessions to public IPs

L4 Transporter

Hi,

We are detecting in the Palo FW that there are sessions from the UserID-Agent servers to public IPs. Our SOC confirmed that some of these public IPs are categorized as low reputation. Sessions are on port 135. I know the UserID agent uses this port, but it's reaching public IPs.

We have GP enabled, and there are also connections on port 135 to the public client IPs. But there are other sessions to low reputation IPs.

Why is it having this behaviour? Any way to avoid these sessions from the UIA to public IPs?

L2 Linker

Start with disabling NetBIOS in TCP/IP parameters on the UID agents (Control Panel > Network Connections > your connection > Properties > TCP/IPv4 > Advanced > WINS > Disable NetBIOS over TCP/IP). Unless you do use it in your network of course... (but I cannot think of a good reason to do so these days to be honest).

L4 Transporter

But NetBIOS is not port 135.

I think it would be more convenient to disable WMI probing. This can be a risk to the normal behavior of the UIA.

Anyway, I don't understand why the UIA is starting sessions to public low reputation IPs.

L2 Linker

Good point about WMI probing... Perhaps I am too used to having it switched off in my environment.

Do you have UserID switched off for the Internet zone on the firewalls?

L2 Linker

(it should be off, otherwise, logically, the firewalls should be querying the agents for UserID info on public IPs too, which would produce WMI queries if the relevant option is enabled...)
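A simple way to check whether this is happening in your own environment is to run the firewall traffic logs through a small filter that flags any TCP/135 session whose source is a User-ID agent host and whose destination is outside your internal address space. The Python below is an added example written for this thread, not code from any of the posters or from Palo Alto Networks; the agent addresses, the internal address ranges, the log format (time, src, dst, dport, app, action as CSV) and the log lines themselves are all constructed for the demonstration. The optional exclusion list is there for the GlobalProtect client case mentioned earlier in the thread, so known client ranges do not drown out the low reputation hits.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Address space treated as "internal". Constructed for this example; a real
# deployment would list the organisation's own address plan here instead.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Hosts running the User-ID agent (hypothetical addresses).
AGENT_HOSTS = {"10.0.5.20", "10.0.5.21"}

# Constructed sample of traffic-log records: time, src, dst, dport, app, action.
SAMPLE_LOG = """\
2024-05-01 10:00:01,10.0.5.20,10.0.8.44,135,msrpc-base,allow
2024-05-01 10:00:02,10.0.5.20,203.0.113.45,135,msrpc-base,allow
2024-05-01 10:00:03,10.0.5.20,198.51.100.7,135,msrpc-base,deny
2024-05-01 10:00:04,10.0.7.9,203.0.113.45,443,ssl,allow
2024-05-01 10:00:05,10.0.5.21,192.168.10.3,135,msrpc-base,allow
2024-05-01 10:00:06,10.0.5.21,198.51.100.200,135,msrpc-base,allow
"""


def is_internal(addr, internal_nets=INTERNAL_NETS):
    """True if addr falls inside one of the configured internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in internal_nets)


def flag_agent_probes(log_text, agent_hosts=AGENT_HOSTS, exclude_nets=()):
    """Return records where an agent host opened TCP/135 to a non-internal address.

    exclude_nets: ranges to ignore, e.g. a GlobalProtect client pool (hypothetical).
    """
    exclude = [ip_network(n) for n in exclude_nets]
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip malformed lines rather than crash on them
        ts, src, dst, dport, app, action = row
        if src not in agent_hosts or dport != "135":
            continue
        if is_internal(dst):
            continue  # normal probing of internal client machines
        if any(ip_address(dst) in net for net in exclude):
            continue  # known, expected public client range
        hits.append({"time": ts, "src": src, "dst": dst, "app": app, "action": action})
    return hits


def summarize(hits):
    """Map each agent host to the sorted list of external destinations it probed."""
    per_agent = {}
    for h in hits:
        per_agent.setdefault(h["src"], set()).add(h["dst"])
    return {src: sorted(dsts) for src, dsts in per_agent.items()}


if __name__ == "__main__":
    # 198.51.100.200/29 stands in for a GlobalProtect client range (constructed).
    found = flag_agent_probes(SAMPLE_LOG, exclude_nets=["198.51.100.200/29"])
    for hit in found:
        print(hit)
    print(summarize(found))
```

Any destination that shows up in the summary and is not a GlobalProtect client is a candidate for the "User-ID enabled on the Internet zone" explanation above; once the zone setting (or WMI probing) is corrected, re-running the filter over fresh logs should return an empty list.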
