UserID agent sessions to public IPs


L4 Transporter

 Hi,

 

We are detecting on the Palo FW that there are sessions from the User-ID Agent servers to public IPs. Our SOC confirmed that some of these public IPs are categorized as low reputation. The sessions are on port 135. I know the User-ID agent uses this port, but it's reaching public IPs.

We have GP enabled, and there are also connections on port 135 to the public client IPs. But there are other sessions to low-reputation IPs.

 

Why is it behaving this way? Is there any way to avoid these sessions from the UIA to public IPs?

4 REPLIES

L2 Linker

Start with disabling NetBIOS in TCP/IP parameters on the UID agents (Control Panel > Network Connections > your connection > Properties > TCP/IPv4 > Advanced > WINS > Disable NetBIOS over TCP/IP). Unless you do use it in your network of course... (but I cannot think of a good reason to do so these days to be honest).

But NetBIOS is not port 135.

 

I think it would be more convenient to disable WMI probing. This can be a risk in the normal behavior for UIA.

 

Anyway, I don't understand why the UIAs are starting sessions to public low-reputation IPs.

Good point about WMI probing... Perhaps I am too used to having it switched off in my environment 🙂

Do you have UserID switched off for the Internet zone on the firewalls? 

(it should be off, otherwise, logically, the firewalls should be querying the agents for UserID info on public IPs too, which would produce WMI queries if the relevant option is enabled...)
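A triage sketch for the situation discussed in this thread, added here as an example and not part of any post: it separates TCP/135 sessions from the User-ID agent servers to external addresses into those that match known GlobalProtect client IPs and those that do not. The CSV column names, the agent and GP client addresses and the internal ranges are constructed assumptions (RFC 5737 documentation addresses stand in for public IPs).

```python
import csv
import io
import ipaddress
from collections import Counter

# Ranges treated as internal (assumption: RFC 1918 only; add your own public blocks).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records; the column names are assumed, not a PAN-OS export format.
SAMPLE_LOG = """src,dst,dport
10.1.1.10,10.20.5.44,135
10.1.1.10,198.51.100.23,135
10.1.1.11,203.0.113.7,135
10.1.1.11,203.0.113.7,135
10.1.1.10,192.0.2.99,443
10.9.9.9,203.0.113.50,135
10.1.1.10,203.0.113.80,135
"""


def triage(log_text, agents, gp_clients, internal=INTERNAL_NETS):
    """Split agent-sourced TCP/135 sessions to external IPs into two Counters:
    destinations that are known GlobalProtect clients, and everything else."""
    agents = {ipaddress.ip_address(a) for a in agents}
    gp_clients = {ipaddress.ip_address(c) for c in gp_clients}
    gp_explained, unexplained = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        src = ipaddress.ip_address(row["src"].strip())
        dst = ipaddress.ip_address(row["dst"].strip())
        if src not in agents or int(row["dport"]) != 135:
            continue  # not a TCP/135 session from a User-ID agent server
        if any(dst in net for net in internal):
            continue  # probing internal hosts is the expected case
        bucket = gp_explained if dst in gp_clients else unexplained
        bucket[str(dst)] += 1
    return gp_explained, unexplained


if __name__ == "__main__":
    gp, other = triage(SAMPLE_LOG, ["10.1.1.10", "10.1.1.11"], ["203.0.113.7"])
    print("GP clients probed:", dict(gp))
    print("Unexplained external probes:", dict(other))
```

Destinations left in the second set are the ones to check against the Internet zone's User-ID setting and the agent's WMI probing option raised in the replies.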
