I have a support ticket open but am not getting much progress. I am going to post here in hopes I get more details.
Goal
We have a Polling Engine and NCM behind a firewall in a secure segment of the network. They communicate with NPM, Web, MSSQL DB, and nodes through the firewall. In analyzing the firewall logs, both of these devices generate a ton of NETBIOS (Port 137) traffic. This is a PCI environment and we need to limit all insecure and unneeded protocols as much as possible. We need assistance in reaching that goal.
--------------------------------------------------------------------------------------------------------------------
I have already read the document at http://www.solarwinds.com/documentation/Orion/docs/SolarWindsPortRequirements.pdf
I have attached a PDF that contains a log of the firewall rule that is allowing the traffic.
- 10.10.249.39 is the SolarWinds Polling Engine
- 10.10.249.79 is the SolarWinds NCM server
The destinations that end in .251, .252, and .6 are Cisco devices. In other words, they are not Windows devices. The SolarWinds applications are the only thing installed on those servers. The SolarWinds apps are the only apps that would be aware of the network device addresses. Therefore, it is my assumption that the SolarWinds apps are generating the traffic I am seeing in the firewall log.
I don’t know why any SolarWinds app would be using NETBIOS name resolution. I can disable “NETBIOS over TCP/IP” in the operating system, but I want to know what is causing this traffic and fix it. Is there some setting in the application that will stop this traffic?
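The kind of firewall-log analysis described in the post can be scripted so the UDP/137 flows from the two SolarWinds hosts are counted per destination. This is an added example, not part of the original post or any SolarWinds tooling; the key=value log format, the 192.0.2.x destination addresses and the function names are assumptions, and the log lines are constructed samples.

```python
import re
from collections import Counter

# Source hosts as named in the post.
SOLARWINDS_HOSTS = {"10.10.249.39": "Polling Engine", "10.10.249.79": "NCM"}
NBNS_PORT = "137"  # NetBIOS name service

# Constructed sample lines in an assumed key=value format (not the attached PDF).
# Destinations use the 192.0.2.0/24 documentation range as placeholders.
SAMPLE_LOG = """\
t=10:00:01 action=allow proto=udp src=10.10.249.39 sport=137 dst=192.0.2.251 dport=137
t=10:00:02 action=allow proto=udp src=10.10.249.39 sport=137 dst=192.0.2.251 dport=137
t=10:00:03 action=allow proto=udp src=10.10.249.79 sport=137 dst=192.0.2.6 dport=137
t=10:00:04 action=allow proto=tcp src=10.10.249.39 sport=50112 dst=192.0.2.10 dport=1433
t=10:00:05 action=allow proto=udp src=10.10.249.39 sport=50113 dst=192.0.2.252 dport=161
t=10:00:06 action=allow proto=udp src=10.10.250.5 sport=137 dst=192.0.2.252 dport=137
malformed entry without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def nbns_flows(log_text):
    """Count allowed UDP/137 flows per (SolarWinds role, destination)."""
    flows = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))  # malformed lines yield an empty dict
        if f.get("action") != "allow" or f.get("proto", "").lower() != "udp":
            continue
        if f.get("dport") != NBNS_PORT or "dst" not in f:
            continue
        role = SOLARWINDS_HOSTS.get(f.get("src"))
        if role is None:  # traffic from some other host
            continue
        flows[(role, f["dst"])] += 1
    return flows

def report(flows):
    """One summary line per source role and destination, sorted."""
    return [f"{role} -> {dst} udp/137 x{n}"
            for (role, dst), n in sorted(flows.items())]

if __name__ == "__main__":
    print("\n".join(report(nbns_flows(SAMPLE_LOG))))
```

Comparing the resulting destination list against the node inventory shows whether the queries go only to managed devices, which helps separate application-driven lookups from general operating system broadcast traffic.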