UserId Agent stating connections port 135

Reply
Highlighted
L4 Transporter

UserId Agent stating connections port 135

Hi,

 

We need to know why our UIAs are starting sessions to INTERNET in port 135.

 

how can we mitigate this flow? WE disblae UIA in INTERNET zone but we still see these sessions.

 

Here you can see the kind of  sessions:

 

UBE1.JPG

 

any idea?

Highlighted
Cyber Elite

@jesuscano 

This sounds like you have Client Probing enabled, and if you've verified that User-ID is disabled on the untrust interface you'll also want to go through and verify that it isn't included in your Include Network listing. 

L4 Transporter

Thanks for your response Bpry

 

So, you mean  in UIA Agent config to add the LAN network in "incluted list of configured networks", right?

or you mean to disable WMI probing (this could cause impact)

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbkCAC

 

So we also should disable Probin in PA config? "Go to Device >> User Identification
On the "User Mapping" tab, in the "Palo Alto Networks User ID Agent" pane, view the "Enable Probing" check box. If it is selected, this is a finding.

 

 

Highlighted
Cyber Elite

@jesuscano,

verify that you actually have an include network configured on the agent. Client Probing really isn't a recommended configuration anymore, and you definitely don't want to allow sending those probes externally.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!