Threat Response Protected Hosts

jhanchey
Level 1

I have a Threat Response server set up and configured. All seems to be working fine, with the exception of running agents on protected hosts when an event occurs. The agents do not run, or error, on all protected hosts that are out on our DMZ. The CTR server is on the LAN side of the inside interface. The protected hosts have a local address on the DMZ segment and also have a NAT'd address on the PIX. Connectivity is fine from both the internet and inside. Agents run fine when run on protected hosts on the LAN. Are there some ports that need to be opened on the PIX between the CTR server and hosts on the DMZ so that the agents can log in to the protected hosts? I haven't found any documentation for this, or anything in the User Guide. Or do I just add another Ethernet interface to the server and hook it up to the DMZ with an address on that segment? Would that even work? I am not sure how CTR would react to being on a multi-homed box. Any pointers are appreciated. Please advise.

Thanks.

2 Replies

p.mckay
Level 1

I thought I would add this; it may or may not be useful, as I am in the process of tuning the CTR also. I have noticed that when the CTR tries to investigate an event, it tries lots of ports.

This is from a post in which I was looking for an answer as to what the CTR is trying to do when it investigates an event.

I see the following in my ACL logs:

Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(2301)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(32771)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(106)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(935)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(1480)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(6000)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(121)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(1480)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(252)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(113)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(13)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(7005)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(6050)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(1520)

cskipper
Level 1

You have some options here.

Option 1: CTR does work fine on a multi-homed box. It has been tested this way as well. This will work rather well for you.

Option 2: CTR uses the SMB protocol to investigate hosts via Level 2 investigation. You will need to open up port 445 for W2k and ports 137-139 for NT.

From my standpoint, instead of opening up more ports on your PIX, I suggest multi-homing the box.

Hope this helps
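If you go with Option 2, the ACL denies p.mckay quoted above are the quickest way to see exactly which of the CTR server's Level 2 investigation attempts the PIX is dropping, and which of those are the SMB/NetBIOS ports named in the reply above (445 for W2k, 137-139 for NT) rather than the other ports CTR probes. The script below is an added example, not part of this thread or of the Cisco Threat Response product: it parses deny lines in the shape shown above, separates the SMB/NetBIOS denies from the rest, and prints PIX-style access-list entries for just those ports between the CTR server and each DMZ host. The log lines are constructed to match the thread's format (CTR at 192.168.131.12, DMZ hosts 192.168.175.30/.31), the ACL name `inside_access_in` is hypothetical, and the `access-list` syntax should be checked against your PIX release before applying.

```python
import re
import socket
from collections import Counter, defaultdict

# Constructed sample, same shape as the ACL denies quoted in the thread.
# The tolerant regex below accepts both "->" and the "- >" seen in the post.
SAMPLE_ACL_LOG = """\
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(2301)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(445)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(139)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(6000)
Denied tcp 192.168.131.12 (59109) -> 192.168.175.30(137)
Denied tcp 192.168.131.12 (59110) -> 192.168.175.31(445)
"""

# Ports the reply above says CTR Level 2 investigation needs (SMB/NetBIOS).
SMB_PORTS = {
    445: "SMB over TCP (W2k)",
    137: "NetBIOS name service (NT)",
    138: "NetBIOS datagram (NT)",
    139: "NetBIOS session (NT)",
}

DENY_RE = re.compile(
    r"Denied\s+(?P<proto>\w+)\s+(?P<src>[\d.]+)\s*\((?P<sport>\d+)\)"
    r"\s*-\s*>\s*(?P<dst>[\d.]+)\s*\((?P<dport>\d+)\)"
)


def parse_denies(text):
    """Turn ACL deny lines into dicts; lines that do not match are skipped."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            denies.append(d)
    return denies


def denied_ports_by_dest(denies):
    """Map each destination host to a Counter of denied destination ports."""
    by_dest = defaultdict(Counter)
    for d in denies:
        by_dest[d["dst"]][d["dport"]] += 1
    return dict(by_dest)


def smb_denies(denies):
    """Only the denies that would block SMB-based Level 2 investigation."""
    return [d for d in denies if d["proto"] == "tcp" and d["dport"] in SMB_PORTS]


def pix_acl_lines(ctr_ip, dmz_hosts, acl_name="inside_access_in"):
    """PIX-style access-list entries permitting just the SMB/NetBIOS ports
    from the CTR server to each DMZ host (acl_name is hypothetical)."""
    lines = []
    for host in sorted(dmz_hosts):
        lines.append(f"access-list {acl_name} permit tcp host {ctr_ip} host {host} eq 445")
        lines.append(f"access-list {acl_name} permit tcp host {ctr_ip} host {host} range 137 139")
    return lines


def tcp_probe(host, port, timeout=2.0):
    """Run from the CTR server after the change: True if a TCP connect to
    host:port completes, i.e. the PIX now passes it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    denies = parse_denies(SAMPLE_ACL_LOG)
    for dst, ports in denied_ports_by_dest(denies).items():
        print(dst, dict(ports))
    blocked = smb_denies(denies)
    for d in blocked:
        print(f"SMB blocked: {d['src']} -> {d['dst']}:{d['dport']} ({SMB_PORTS[d['dport']]})")
    for line in pix_acl_lines("192.168.131.12", {d["dst"] for d in blocked}):
        print(line)
```

The denies to ports such as 2301, 6000 or 32771 are left alone on purpose: per the reply above only the SMB/NetBIOS ports are required for Level 2 investigation, and opening everything CTR happens to probe would undo the point of the DMZ. Run `tcp_probe("192.168.175.30", 445)` from the CTR server itself after the ACL change, because the NAT'd address on the PIX and the DMZ-local address may behave differently from the inside interface.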