6 Replies Latest reply on Dec 28, 2010 3:53 PM by mavturner

    NTA 3.6 - NetBIOS flooding firewall

    BryanBecker

I opened a case on this, but here is my issue:


We have recently discovered that Orion NTA 3.6, with NetBIOS turned on, is flooding our Juniper firewall with port 137 NetBIOS requests. The firewall can handle over 500K connections and Orion was using over 356K at one time. Some of it was legit 161/1433, but the majority was 137 trying to resolve host names coming in on NetFlow. I need guidance on tuning this to reduce the requests. Right now I have NetBIOS turned off on NTA.

      How do other customers have this set up in their environment?  Thanks.

      BB

        • Re: NTA 3.6 - NetBIOS flooding firewall

          Hi Bryan--

          I've marked this for Chris the PM to see.

          M

          • Re: NTA 3.6 - NetBIOS flooding firewall
            ecklerwr1

            I think it's all or nothing.  NTA is just trying to resolve the names it doesn't know.  At least after NetBIOS name resolution was added they later added a feature to turn it off.

            Re: Is NetFlow 3.1 Application Passive or Active???

              • Re: NTA 3.6 - NetBIOS flooding firewall
                chris.lapoint

                That's correct.  It's either on or off right now.  

                  • Re: NTA 3.6 - NetBIOS flooding firewall
                    BryanBecker

                    I turned it off as well and that really helped.  Thanks.

                    • Re: NTA 3.6 - NetBIOS flooding firewall
                      ttyson

                      Chris,

I'm running NTA 3.7 and recently turned off the NetBIOS resolution feature for the same reason the others reported.  This drastically reduced the amount of lookups blocked by our firewalls.  However, even with the setting disabled, we're still seeing some NetBIOS activity generated by our Orion box (see log snip below).

                      Is this expected behavior?

                      Thanks,

                      Tom

                      Dec 28 21:10:20 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->74.125.154.80/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:10:20 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->115.248.225.61/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:10:20 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->207.218.71.8/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:10:21 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->207.218.71.9/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:10:21 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->202.59.231.35/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:10:21 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->72.14.212.80/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 16:10:21 fwsm01-london02-contextA.infra.247realmedia.com Dec: 28 2010 21:10:20 ContextA : %FWSM-4-106023: Deny udp src inside206:10.72.52.52/137 dst dmz500:10.1.0.22/137 by access-group "inside206_access_in" [0x0, 0x0]
                      Dec 28 16:10:21 fwsm01-london02-contextA.infra.247realmedia.com Dec: 28 2010 21:10:20 ContextA : %FWSM-4-106023: Deny udp src inside206:10.72.52.52/137 dst dmz500:10.1.0.20/137 by access-group "inside206_access_in" [0x0, 0x0]
                      Dec 28 16:10:21 fwsm01-london02-contextA.infra.247realmedia.com Dec: 28 2010 21:10:20 ContextA : %FWSM-4-106023: Deny udp src inside206:10.72.52.52/137 dst dmz500:10.1.0.3/137 by access-group "inside206_access_in" [0x0, 0x0]
                      Dec 28 16:10:21 fwsm01-london02-contextA.infra.247realmedia.com Dec: 28 2010 21:10:20 ContextA : %FWSM-4-106023: Deny udp src inside206:10.72.52.52/137 dst dmz500:10.1.0.21/137 by access-group "inside206_access_in" [0x0, 0x0]
                      Dec 28 21:10:21 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->202.59.231.1/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:10:21 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->74.125.154.80/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:10:21 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->115.248.225.61/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:10:22 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->207.218.71.9/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:10:22 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->207.218.71.8/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:10:22 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->72.14.212.80/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:10:22 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->202.59.231.35/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 16:10:22 fwsm01-london02-contextA.infra.247realmedia.com Dec: 28 2010 21:10:21 ContextA : %FWSM-4-106023: Deny udp src inside206:10.72.52.52/137 dst dmz500:10.1.0.22/137 by access-group "inside206_access_in" [0x0, 0x0]
                      Dec 28 16:10:22 fwsm01-london02-contextA.infra.247realmedia.com Dec: 28 2010 21:10:21 ContextA : %FWSM-4-106023: Deny udp src inside206:10.72.52.52/137 dst dmz500:10.1.0.20/137 by access-group "inside206_access_in" [0x0, 0x0]
                      Dec 28 16:10:22 fwsm01-london02-contextA.infra.247realmedia.com Dec: 28 2010 21:10:21 ContextA : %FWSM-4-106023: Deny udp src inside206:10.72.52.52/137 dst dmz500:10.1.0.3/137 by access-group "inside206_access_in" [0x0, 0x0]
                      Dec 28 16:10:22 fwsm01-london02-contextA.infra.247realmedia.com Dec: 28 2010 21:10:21 ContextA : %FWSM-4-106023: Deny udp src inside206:10.72.52.52/137 dst dmz500:10.1.0.21/137 by access-group "inside206_access_in" [0x0, 0x0]
                      Dec 28 21:10:22 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->202.59.231.1/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:10:23 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->74.125.154.80/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:10:23 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->115.248.225.61/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:14:32 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->121.242.80.73/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:14:33 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->121.242.80.73/137 junos-nbname 17(0) default-deny trust untrust
                      Dec 28 21:14:35 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->121.242.80.73/137 junos-nbname 17(0) default-deny trust untrust
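The deny lines above come in two formats (Junos RT_FLOW_SESSION_DENY and Cisco FWSM %FWSM-4-106023). The following is an added example, not code from the thread or from SolarWinds: a small parser that counts denied outbound UDP/137 (NetBIOS name service) attempts per source host and how many distinct destinations each source tried, which is the quickest way to confirm whether a single box (here the Orion server) is still generating resolver traffic after the feature is disabled. The sample log lines and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the two firewall formats seen in the thread;
# hostnames and addresses are made up for this example.
SAMPLE_LOG = """\
Dec 28 21:10:20 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->74.125.154.80/137 junos-nbname 17(0) default-deny trust untrust
Dec 28 21:10:21 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.52/137->207.218.71.9/137 junos-nbname 17(0) default-deny trust untrust
Dec 28 16:10:21 fwsm01 Dec: 28 2010 21:10:20 ContextA : %FWSM-4-106023: Deny udp src inside206:10.72.52.52/137 dst dmz500:10.1.0.22/137 by access-group "inside206_access_in" [0x0, 0x0]
Dec 28 21:10:22 10.72.2.3 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.72.52.60/51234->10.1.0.5/161 junos-snmp 17(0) default-deny trust untrust
"""

# Junos SRX flow deny: "session denied SRC/SPORT->DST/DPORT SERVICE PROTO(...)"
JUNOS_DENY = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<svc>\S+) (?P<proto>\d+)\("
)
# Cisco FWSM/ASA 106023 deny: "Deny udp src ZONE:SRC/SPORT dst ZONE:DST/DPORT"
FWSM_DENY = re.compile(
    r"%FWSM-4-106023: Deny (?P<proto>\w+) src \S+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_deny(line):
    """Return (src, dst, dport) for a UDP deny line in either format, else None."""
    m = JUNOS_DENY.search(line)
    if m and m.group("proto") == "17":          # IP protocol 17 is UDP
        return m.group("src"), m.group("dst"), int(m.group("dport"))
    m = FWSM_DENY.search(line)
    if m and m.group("proto").lower() == "udp":
        return m.group("src"), m.group("dst"), int(m.group("dport"))
    return None

def netbios_deny_summary(log_text, port=137):
    """Count denied UDP attempts to `port` per source.

    Returns {src: (deny_count, distinct_destination_count)}; a high
    distinct-destination count is the signature of a name resolver walking
    through NetFlow-observed hosts rather than a few legitimate lookups."""
    hits = Counter()
    dests = {}
    for line in log_text.splitlines():
        parsed = parse_deny(line)
        if parsed is None or parsed[2] != port:
            continue                             # not UDP, or not the port of interest
        src, dst, _ = parsed
        hits[src] += 1
        dests.setdefault(src, set()).add(dst)
    return {src: (n, len(dests[src])) for src, n in hits.items()}

if __name__ == "__main__":
    print(netbios_deny_summary(SAMPLE_LOG))   # {'10.72.52.52': (3, 3)}
```

Feed it your firewall syslog instead of SAMPLE_LOG; if only the Orion server shows up with a large distinct-destination count, the next step is the per-process attribution mavturner describes in the following reply.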

                        • Re: NTA 3.6 - NetBIOS flooding firewall
                          mavturner

                          ttyson,

                          It could be another process or product that is generating these name requests. When you run 'netstat -bo' from the command line of your Orion server, do you see these requests attached to a specific process?

                          What SolarWinds products are you running on this server besides NPM and NTA? Also, I assume you aren't running any other products in general that are querying these devices right?

                          Mav