When using Advanced Threat Protection (ATP) in Inline or TAP mode, you note that NETBIOS traffic coming from the management port of the ATP appliance is going to destinations external to your network.
When ATP monitors a connection, it attempts to resolve the hostname of the internal client using reverse DNS. If reverse DNS fails to resolve the hostname of the internal client, then ATP attempts to obtain the hostname via NETBIOS.
ATP uses the "Internal Network Configuration" and/or "Enterprise Proxy" settings to determine which clients are internal to the network. If neither "Internal Network Configuration" nor "Enterprise Proxy" is configured, then ATP assumes that the host that initiated the connection (the host that sent the TCP SYN packet) is "internal". As a result, an external host that initiates a connection is treated as an internal client, and the hostname lookup described above is sent to it.
Broadcom Engineering has resolved this issue in EDR version 4.7.0. Please update to EDR 4.7.0 to receive this fix. If you are unable to upgrade to EDR 4.7.0, please use the workaround listed below.
Workaround for EDR versions prior to 4.7.0:
Configure the "Internal Network Configuration" and/or "Enterprise Proxy" settings within the ATP appliance.
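To confirm the symptom, or to verify that the upgrade or workaround stopped it, you can check exported firewall or flow records for NETBIOS traffic from the appliance's management address to hosts outside your internal ranges. The script below is an added example, not Broadcom code. The management IP, internal ranges, CSV layout and sample records are constructed assumptions, and it matches on the standard NetBIOS ports (137/udp, 138/udp, 139/tcp).

```python
import csv
import io
import ipaddress

# Assumptions (not from the article): the appliance management address, the
# internal ranges and the CSV flow-export layout below are all constructed.
MGMT_IP = ipaddress.ip_address("10.0.5.20")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Standard NetBIOS services: name (137/udp), datagram (138/udp), session (139/tcp).
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139)}

# Constructed sample records, embedded so the check runs offline.
SAMPLE_FLOWS = """src,dst,proto,dport
10.0.5.20,10.0.8.14,udp,137
10.0.5.20,203.0.113.77,udp,137
10.0.5.20,198.51.100.9,udp,137
10.0.8.14,203.0.113.77,tcp,443
10.0.5.20,192.168.4.2,udp,53
10.0.5.20,not-an-ip,udp,137
"""

def is_internal(addr, nets=INTERNAL_NETS):
    """True if addr falls inside one of the ranges you consider internal."""
    return any(addr in net for net in nets)

def external_netbios(flow_csv, mgmt_ip=MGMT_IP, nets=INTERNAL_NETS):
    """Return (dst, proto, dport) for NetBIOS flows from mgmt_ip to non-internal hosts."""
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"].strip())
            dst = ipaddress.ip_address(row["dst"].strip())
            key = (row["proto"].strip().lower(), int(row["dport"]))
        except (ValueError, KeyError, AttributeError, TypeError):
            continue  # skip malformed records rather than abort the audit
        if src == mgmt_ip and key in NETBIOS_PORTS and not is_internal(dst, nets):
            hits.append((str(dst), key[0], key[1]))
    return hits

if __name__ == "__main__":
    for dst, proto, dport in external_netbios(SAMPLE_FLOWS):
        print(f"NetBIOS from management port to external host {dst} ({proto}/{dport})")
```

Use the same ranges here that you enter under "Internal Network Configuration", so that an empty result after the change means the appliance is no longer sending lookups to external hosts.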