03-23-2017 12:07 AM
Our security systems detect a network attack from your server, Web Security Appliance S170, on our internal domain controllers on port 445 (TCP). What could be the reason for this behavior, and why this particular port of the Web Security Appliance S170?
03-23-2017 01:12 PM
In general, the WSA needs to connect to the configured AD servers over port 445 for proxy authentication. Enabling surrogates in the WSA identity settings can normally reduce such connections.
03-23-2017 11:24 PM
03-27-2017 02:28 AM
Increasing this parameter did not help. Maybe there are other suggestions?
Thank you
03-28-2017 11:24 PM
03-31-2017 02:35 PM
Hey, this should be the answer -
Your security system is likely flagging a FP for an attack from the S170's IP address because the WSA is sending traffic over port 445 at high rates to authenticate your users.
As a suggestion -
1) I would run the CLI command 'testauthconfig' to confirm my S170 utilizes NetBIOS
2) Whitelist port 445 from the security sensor
Please let me know if I have answered your question or if you have additional questions.
Best,
Peter