I've noticed a strange event in our network. We have PAN 5020 and other PAN firewalls. The issue is that from the management IP of one of them there is TCP traffic going to a Japanese server on port 135 (MSRPC). One of our sensors detects it as "possible infection". Some vendors have suggested it is nothing and may be related to this since we have user agent ID enabled: https://live.paloaltonetworks.com/t5/Configuration-Articles/Unexpected-Traffic-Seen-from-the-User-ID...
But I'm not sure. Will this event warrant further exploring?
Just to err on the side of caution, I recommend opening a case with our support team and uploading a tech support file from the device that is generating this behavior. Also, any log data relevant to this traffic would be helpful as well (traffic logs, etc. if available).
I would highly recommend you disable the user-id lookup on any untrusted/internet-based zones. This can cause that type of traffic and leave the password for others to 'guess'. I would also recommend changing the user-id lookup password you use for WMI.
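As an added example that is not part of the original thread, the following sketch shows one way to review exported traffic logs for the pattern discussed above: TCP 135 connections from a firewall management IP to destinations outside internal address space. The log layout, management IPs and internal ranges are assumptions constructed for illustration, not the PAN-OS log format.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: networks considered internal (RFC 1918); adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: management IPs of the firewalls under review (constructed values).
MGMT_IPS = {ipaddress.ip_address("10.1.1.5"), ipaddress.ip_address("10.1.1.6")}
PROBE_PORTS = {135}  # TCP 135 (MSRPC), the port reported in the thread

# Constructed sample export: time,src,dst,proto,dport. Not the real PAN-OS layout.
SAMPLE_LOG = """\
2024-01-01T10:00:01,10.1.1.5,203.0.113.10,tcp,135
2024-01-01T10:00:02,10.1.1.5,10.20.0.15,tcp,135
2024-01-01T10:00:03,10.1.1.5,203.0.113.10,tcp,135
2024-01-01T10:00:04,10.1.1.5,198.51.100.7,tcp,135
2024-01-01T10:00:05,10.1.1.6,198.51.100.7,tcp,443
2024-01-01T10:00:06,10.9.9.9,203.0.113.10,tcp,135
2024-01-01T10:00:07,10.1.1.6,not-an-ip,tcp,135
"""

def is_internal(addr):
    """True if the address falls inside any configured internal network."""
    return any(addr in net for net in INTERNAL_NETS)

def external_probes(log_text):
    """Return {mgmt_ip: {external_dst: hit_count}} for probe-port traffic leaving internal space."""
    hits = defaultdict(lambda: defaultdict(int))
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines rather than failing the whole review
        _, src, dst, proto, dport = row
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        if (src_ip in MGMT_IPS and proto.lower() == "tcp"
                and port in PROBE_PORTS and not is_internal(dst_ip)):
            hits[str(src_ip)][str(dst_ip)] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}

if __name__ == "__main__":
    for src, dsts in external_probes(SAMPLE_LOG).items():
        for dst, count in sorted(dsts.items()):
            print(f"{src} -> {dst}:135 x{count} (review User-ID probing scope)")
```

Any hit means the management interface is reaching external hosts on the probe port, which is the condition the replies recommend correcting and following with a credential change.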