09-18-2020 12:50 AM
Hi,
We need to know why our UIAs are starting sessions to INTERNET on port 135.
How can we mitigate this flow? We disable UIA in INTERNET zone but we still see these sessions.
Here you can see the kind of sessions:
Any idea?
09-18-2020 09:49 AM
This sounds like you have Client Probing enabled, and if you've verified that User-ID is disabled on the untrust interface you'll also want to go through and verify that it isn't included in your Include Network listing.
09-18-2020 12:05 PM - edited 09-18-2020 12:16 PM
Thanks for your response Bpry
So, you mean in UIA Agent config to add the LAN network in "included list of configured networks", right?
Or you mean to disable WMI probing (this could cause impact)?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbkCAC
So we also should disable Probing in PA config? "Go to Device >> User Identification
On the "User Mapping" tab, in the "Palo Alto Networks User ID Agent" pane, view the "Enable Probing" check box. If it is selected, this is a finding."
09-19-2020 08:51 PM
Verify that you actually have an include network configured on the agent. Client Probing really isn't a recommended configuration anymore, and you definitely don't want to allow sending those probes externally.
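One way to check whether the agent is still probing outside the include networks, added here as an example and not part of the thread: the script below scans an exported session list for port-135 sessions from the agent host to addresses outside the intended networks. The agent IP, the include networks, the CSV column names and the sample rows are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumed values, constructed for this example (not taken from the thread).
AGENT_IPS = {"10.1.1.20"}                            # hosts running the User-ID agent
INCLUDE_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]  # networks the agent should probe
PROBE_PORT = 135                                     # port seen in the reported sessions

# Constructed sample export: source, destination, destination port, destination zone.
SAMPLE_LOG = """src,dst,dport,to_zone
10.1.1.20,10.2.3.4,135,LAN
10.1.1.20,203.0.113.50,135,INTERNET
10.1.1.20,198.51.100.7,135,INTERNET
10.5.5.5,203.0.113.50,135,INTERNET
10.1.1.20,203.0.113.50,443,INTERNET
10.1.1.20,192.168.10.9,135,LAN
"""


def stray_probes(log_text, agent_ips=AGENT_IPS, include=INCLUDE_NETWORKS):
    """Return (src, dst) pairs where an agent host opened a port-135
    session to an address that is outside every include network."""
    nets = [ipaddress.ip_network(n) for n in include]
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        # Only sessions that originate from the agent and target the probe port.
        if row["src"] not in agent_ips or int(row["dport"]) != PROBE_PORT:
            continue
        dst = ipaddress.ip_address(row["dst"])
        # With an empty include list nothing is in scope, so every probe is reported.
        if not any(dst in net for net in nets):
            hits.append((row["src"], row["dst"]))
    return hits


if __name__ == "__main__":
    for src, dst in stray_probes(SAMPLE_LOG):
        print(f"agent {src} opened a session to {dst}:{PROBE_PORT} outside the include networks")
```

Running it again after changing the agent configuration shows whether the external port-135 sessions have stopped.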