11-15-2004 01:36 PM - edited 03-09-2019 09:27 AM
I have a Threat Response server set up and configured. All seems to be working fine with the exception of running agents on protected hosts when an event occurs. The agents do not run, or error, on all protected hosts that are out on our DMZ. The CTR server is on the LAN side of the inside interface. The protected hosts have a local address on the DMZ segment and also have a NAT'd address on the Pix. Connectivity is fine from both the internet and inside. Agents run fine when run on protected hosts on the LAN. Are there some ports that need to be opened on the pix between the CTR server and hosts on the DMZ so that the agents can log in to the protected hosts? I haven't found any documentation for this or anything in the User Guide. Or do I just add another ethernet interface to the server and hook it up to the DMZ with an address on that segment? Would that even work? I am not sure how CTR would react to being on a multi-homed box. Any pointers are appreciated. Please advise.
Thanks.
11-17-2004 08:23 AM
I thought I would add this; it may or may not be useful, as I am in the process of tuning the CTR also. I have noticed that when the CTR tries to investigate an event, it tries lots of ports.
This is from a post I have up looking for an answer as to what the CTR is trying to do when it investigates an event.
I see the following in my ACL logs:
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(2301)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(32771)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(106)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(935)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(1480)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(6000)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(121)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(1480)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(252)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(113)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(13)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(7005)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(6050)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(1520)
11-17-2004 01:30 PM
You have some options here.
Option 1: CTR does work fine on a multi-homed box. It has been tested this way as well. This will work rather well for you.
Option 2: CTR uses the SMB protocol to investigate hosts via Level 2 investigation. You will need to open up port 445 for W2k and ports 137-139 for NT.
From my standpoint, instead of opening up more ports on your pix, I suggest multi-homing the box.
Hope this helps
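As an added example (not part of either poster's reply), the following script parses ACL denial lines in the format shown in this thread, groups the denied destination ports per source/destination pair, and reports which of the SMB ports named in the reply (445 for W2k, 137-139 for NT) the firewall is dropping between the CTR server and a DMZ host. The sample log is constructed: it reuses a few lines from the thread plus two added denials on 445 and 139 so the check has something to flag.

```python
import re
from collections import defaultdict

# Line format as it appears in the thread's ACL log excerpt:
#   Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(2301)
DENY_RE = re.compile(
    r"Denied\s+(?P<proto>\w+)\s+(?P<src>[\d.]+)\s*\((?P<sport>\d+)\)\s*-\s*>\s*"
    r"(?P<dst>[\d.]+)\s*\((?P<dport>\d+)\)"
)

# Ports the reply says CTR's SMB-based Level 2 investigation needs:
# 445 for Windows 2000, 137-139 for NT.
CTR_SMB_PORTS = {445, 137, 138, 139}


def parse_denials(lines):
    """Return {(src, dst): set(dports)} for every parsable 'Denied tcp' line."""
    flows = defaultdict(set)
    for line in lines:
        m = DENY_RE.search(line)
        if m and m.group("proto").lower() == "tcp":
            flows[(m.group("src"), m.group("dst"))].add(int(m.group("dport")))
    return flows


def blocked_ctr_ports(flows):
    """Per flow, the sorted subset of CTR's SMB ports that the ACL denied."""
    return {flow: sorted(ports & CTR_SMB_PORTS) for flow, ports in flows.items()}


# Constructed sample: four lines from the thread plus two added denials on 445/139.
SAMPLE_LOG = """\
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(2301)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(32771)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(106)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(1480)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(445)
Denied tcp 192.168.131.12 (59109) - > 192.168.175.30(139)
""".splitlines()

if __name__ == "__main__":
    flows = parse_denials(SAMPLE_LOG)
    for (src, dst), ports in flows.items():
        print(f"{src} -> {dst}: {len(ports)} distinct destination ports denied")
    for flow, ports in blocked_ctr_ports(flows).items():
        print(f"{flow}: CTR SMB ports denied -> {ports or 'none'}")
```

Run it against a real ACL log export; an empty list for the CTR server's flow to a DMZ host means the SMB ports are not what the PIX is dropping and the failure lies elsewhere.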