When using Advanced Threat Protection (ATP) in Inline or TAP mode, you note that NETBIOS traffic coming from the management port of the ATP appliance is going to destinations external to your network.
When ATP monitors a connection, it attempts to resolve the hostname of the internal client using reverse DNS. If reverse DNS fails to resolve the hostname of the internal client, then ATP attempts to obtain the hostname via NETBIOS.
ATP uses the "Internal Network Configuration" and/or "Enterprise Proxy" settings to determine which clients are internal to the network. If no "Internal Network Configuration" or "Enterprise Proxy" are configured, then ATP assumes that the host that initiated the connection (the host that sent the TCP SYN packet) is "internal".
Configure the "Internal Network Configuration" and/or "Enterprise Proxy" settings within the ATP appliance.