
NETBIOS traffic is noted when using Advanced Threat Protection


Article ID: 172704


Updated On:

Products

Advanced Threat Protection Platform

Issue/Introduction

When using Advanced Threat Protection (ATP) in Inline or TAP mode, you note that NETBIOS traffic coming from the management port of the ATP appliance is going to destinations external to your network.

Cause

When ATP monitors a connection, it attempts to resolve the hostname of the internal client using reverse DNS.  If reverse DNS fails to resolve the hostname of the internal client, then ATP attempts to obtain the hostname via NETBIOS. 

ATP uses the "Internal Network Configuration" and/or "Enterprise Proxy" settings to determine which clients are internal to the network. If neither "Internal Network Configuration" nor "Enterprise Proxy" is configured, ATP assumes that the host that initiated the connection (the host that sent the TCP SYN packet) is "internal". When an external host initiates a connection, ATP therefore treats it as an internal client, and the NETBIOS hostname lookup is sent to that external address.

Environment

  • ATP with Inline or TAP Mode enabled
  • No "Internal Networks" configured
  • No "Enterprise Proxy" configured

Resolution

Configure the "Internal Network Configuration" and/or "Enterprise Proxy" settings within the ATP appliance.
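
To confirm the behavior before the change and verify that it has stopped afterwards, firewall or flow logs can be checked for NETBIOS traffic leaving the appliance's management address for non-internal destinations. The following Python sketch is an added example, not part of the original article or the product; the CSV layout, the management IP `10.0.0.5`, and the internal range `10.0.0.0/8` are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress

# Standard NetBIOS ports: name service, datagram service, session service.
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139)}

# Constructed sample flow records (not real logs). The column layout is an
# assumption; adapt it to your firewall or NetFlow export.
SAMPLE_FLOWS = """\
src,dst,proto,dport
10.0.0.5,10.1.2.30,udp,137
10.0.0.5,203.0.113.44,udp,137
10.0.0.5,198.51.100.7,udp,137
10.1.2.30,203.0.113.44,tcp,443
10.0.0.5,10.1.2.1,udp,53
10.0.0.9,192.0.2.10,udp,137
not-an-ip,192.0.2.10,udp,137
"""


def external_netbios_flows(flow_csv, mgmt_ip, internal_cidrs):
    """Return (dst, proto, port) for NetBIOS flows sent from the appliance
    management IP to destinations outside the given internal networks."""
    mgmt = ipaddress.ip_address(mgmt_ip)
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            port = int(row["dport"])
        except ValueError:
            continue  # skip malformed records instead of aborting the audit
        proto = row["proto"].lower()
        if src != mgmt or (proto, port) not in NETBIOS_PORTS:
            continue
        if any(dst in net for net in nets):
            continue  # lookup stayed inside the network: expected behavior
        hits.append((str(dst), proto, port))
    return hits


if __name__ == "__main__":
    for dst, proto, port in external_netbios_flows(
            SAMPLE_FLOWS, "10.0.0.5", ["10.0.0.0/8"]):
        print(f"external NetBIOS lookup: {dst} {proto}/{port}")
```

An empty result over a log window taken after the settings are applied indicates the appliance is no longer sending NETBIOS lookups to external hosts.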