
Our security systems detect a network attack from your server - Web Security Appliance S170.

its
Level 1

Our security systems detect a network attack from your server, Web Security Appliance S170, on our internal domain controllers on port 445 (TCP). What could be the reason for this behavior, and why this particular port of the Web Security Appliance S170?

5 Replies

Tao Yang
Cisco Employee

In general, the WSA needs to connect to the configured AD servers over port 445 for proxy authentication. Enabling surrogates in the WSA identity settings could normally reduce such connections.

What is meant by "Enable surrogate in WSA identity setting could normally"? Timeout change (see pic.)? Or other settings via SSH?

Increasing this parameter did not help. Maybe there are other suggestions?

Thank you

Tao Yang
Cisco Employee

It is in WSA Identity settings > Authentication Surrogates.

Hey, this should be the answer:

Your security system is likely flagging a FP for an attack from the S170's IP address because the WSA is sending traffic over port 445 at high rates to authenticate your users. 

As a suggestion -

1) I would run the CLI command 'testauthconfig' to confirm my S170 utilizes NetBIOS

2) Whitelist port 445 from the security sensor

Please let me know if I have answered your question or if you have additional questions.

Best,

Peter
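
A check one could run before adding the sensor exception discussed above, as an added example that is not part of the original thread: it confirms that the flagged port 445 traffic is only the WSA talking to its configured AD servers, so the exception can be scoped to that source and those destinations. The addresses, the flow tuple format and the function names are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed values for illustration; replace with your own inventory.
WSA_IP = "10.0.5.20"                      # the S170's address (assumed)
AD_SERVERS = {"10.0.1.10", "10.0.1.11"}   # DCs configured for WSA authentication (assumed)

# Constructed flow records: (src_ip, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.0.1.10", 445, "tcp"),
    ("10.0.5.20", "10.0.1.11", 445, "tcp"),
    ("10.0.5.20", "10.0.1.10", 445, "tcp"),
    ("10.0.5.20", "10.0.7.33", 445, "tcp"),   # SMB to a host that is not a configured DC
    ("10.0.9.99", "10.0.1.10", 445, "tcp"),   # SMB to a DC from a host that is not the WSA
    ("10.0.5.20", "10.0.1.10", 389, "tcp"),   # not port 445, outside this check
]

def classify(flow, wsa_ip=WSA_IP, ad_servers=AD_SERVERS):
    """Return 'expected-auth', 'investigate', or 'out-of-scope' for one flow."""
    src, dst, port, proto = flow
    # Parse addresses so malformed input raises instead of silently not matching.
    src, dst = str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))
    if port != 445 or proto.lower() != "tcp":
        return "out-of-scope"
    if src == wsa_ip and dst in ad_servers:
        return "expected-auth"      # the WSA authenticating users against AD
    return "investigate"            # port 445 traffic a narrow exception must not hide

def triage(flows):
    """Count flows per class and list those the scoped exception would not cover."""
    counts = Counter(classify(f) for f in flows)
    leftovers = [f for f in flows if classify(f) == "investigate"]
    return counts, leftovers

if __name__ == "__main__":
    counts, leftovers = triage(SAMPLE_FLOWS)
    print(dict(counts))
    for f in leftovers:
        print("still alert on:", f)
```

If `leftovers` is empty for the real sensor export, an exception limited to the WSA address and the listed AD servers covers the alerts without suppressing port 445 detection for other hosts.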