UserId Agent stating connections port 135

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

UserId Agent stating connections port 135

L4 Transporter

Hi,

 

We need to know why our UIAs are starting sessions to INTERNET in port 135.

 

how can we mitigate this flow? WE disblae UIA in INTERNET zone but we still see these sessions.

 

Here you can see the kind of  sessions:

 

UBE1.JPG

 

any idea?

3 REPLIES 3

Cyber Elite
Cyber Elite

@BigPalo 

This sounds like you have Client Probing enabled, and if you've verified that User-ID is disabled on the untrust interface you'll also want to go through and verify that it isn't included in your Include Network listing. 

Thanks for your response Bpry

 

So, you mean  in UIA Agent config to add the LAN network in "incluted list of configured networks", right?

or you mean to disable WMI probing (this could cause impact)

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbkCAC

 

So we also should disable Probin in PA config? "Go to Device >> User Identification
On the "User Mapping" tab, in the "Palo Alto Networks User ID Agent" pane, view the "Enable Probing" check box. If it is selected, this is a finding.

 

 

@BigPalo,

verify that you actually have an include network configured on the agent. Client Probing really isn't a recommended configuration anymore, and you definitely don't want to allow sending those probes externally.

  • 2564 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!