We are seeing in the Palo Alto FW that there are sessions from the User-ID Agent servers to public IPs. Our SOC confirmed that some of these public IPs are categorized as low reputation. The sessions are on port 135. I know the User-ID agent uses this port, but it is reaching public IPs.
We have GP enabled, and there are also port 135 connections to the public client IPs. But there are other sessions to low reputation IPs.
Why is it behaving this way? Is there any way to avoid these sessions from the UIA to public IPs?
Start with disabling NetBIOS in the TCP/IP parameters on the UID agents (Control Panel > Network Connections > your connection > Properties > TCP/IPv4 > Advanced > WINS > Disable NetBIOS over TCP/IP). Unless you do use it in your network, of course... (but I cannot think of a good reason to do so these days, to be honest).
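The same Control Panel steps, done from PowerShell so they can be applied to every adapter on the agent host and verified afterwards. This is an added example, not code from the thread or from Palo Alto Networks; it assumes an elevated PowerShell session on the User-ID agent server and uses the standard Win32_NetworkAdapterConfiguration.SetTcpipNetbios WMI method (2 = disable NetBIOS over TCP/IP).

```powershell
# Added example (not from the original thread): the Control Panel steps above done in PowerShell.
# Disables NetBIOS over TCP/IP on every IP-enabled adapter and reads the setting back.
# Assumption: run in an elevated session on the User-ID agent host.
# TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"

foreach ($nic in $adapters) {
    $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                               -Arguments @{ TcpipNetbiosOptions = 2 }
    # ReturnValue 0 = success, 1 = success but a reboot is required
    if ($result.ReturnValue -notin 0, 1) {
        Write-Warning "SetTcpipNetbios failed on '$($nic.Description)' with code $($result.ReturnValue)"
    }
}

# Verify: every IP-enabled adapter should now report TcpipNetbiosOptions = 2
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    Select-Object Description, IPAddress, TcpipNetbiosOptions
```

A return value of 1 means the change is accepted but only takes effect after a reboot, so re-run the verification step afterwards. This only affects NetBIOS (UDP/137-138, TCP/139); it does not stop RPC endpoint mapper traffic on TCP/135, which is the port the original question is about.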
But NetBIOS is not port 135.
I think it would be more convenient to disable WMI probing. This could be a risk to the normal behavior of the UIA.
Anyway, I don't understand why the UIAs are starting sessions to public low reputation IPs.
(It should be off; otherwise, logically, the firewalls would be querying the agents for User-ID info on public IPs too, which would produce WMI queries if the relevant option is enabled...)
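Before changing any agent settings, it helps to confirm on the agent host itself which process owns the TCP/135 connections to public addresses. The script below is an added example, not part of the thread or of the User-ID agent; it assumes an elevated PowerShell session on the agent server and that the remote addresses of interest are not in the private, loopback, or link-local ranges (the Test-PrivateIPv4 helper is a hypothetical name introduced here).

```powershell
# Added example (not from the original thread): list live outbound TCP/135 connections
# from this host to non-private addresses, with the owning process, so you can see
# whether the User-ID agent service (or something else) is the source.
# Assumption: run elevated on the UIA server; process names and addresses are whatever the host has.

function Test-PrivateIPv4 {
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    # Only IPv4 is classified here; any IPv6 peer is reported as non-private
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    # RFC 1918 ranges plus loopback and link-local
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168) -or
            ($b[0] -eq 127) -or
            ($b[0] -eq 169 -and $b[1] -eq 254))
}

Get-NetTCPConnection -RemotePort 135 -State Established -ErrorAction SilentlyContinue |
    Where-Object { -not (Test-PrivateIPv4 $_.RemoteAddress) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            LocalAddress  = $_.LocalAddress
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            PID           = $_.OwningProcess
            Process       = if ($proc) { $proc.ProcessName } else { 'n/a' }
        }
    } | Format-Table -AutoSize
```

This only catches connections that are established at the moment it runs; WMI probes to unreachable public hosts are short-lived, so for a full picture use the firewall traffic log filtered on the agent's source IP and destination port 135, then match the timestamps against the agent's own logs. Filtering out VPN client IPs here (the GP addresses mentioned above) is left to the reader, since they are public addresses as well.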