
NetBIOS Broadcasts normal

Hello, hope you are well.

I have been setting up a new SophosUTM alongside a TMG 2010 and Cisco ASA device. I have noticed in the logs on the TMG server that the UTM is sending out NetBIOS Name Service broadcasts out on the external interface.

Is this normal, or have I misconfigured something.

Thanks in advance

Dave

  • Dave, it sounds like you have a firewall rule like 'Internal (Network) -> Any -> Any' and the traffic is being masqueraded with the IP of "External (Address)."  You should be able to look in Reporting on the 'Bandwidth Usage' tab to see which client is sending those requests out to the Internet.

    Cheers - Bob

  • Hi Bob, hope you are well.

    Thanks very much for the reply.

    I am pretty tight with the firewall configuration, so it's unlikely there would have been a rule like this, but I did double check that the other person with access to the UTM hadn't configured any rule that may have allowed this. There are no masquerading rules configured, just a few NAT rules, but all are locked down with no Any -> Any service configuration. There are also no rules that are using the NetBIOS-NS protocol. The only part of the configuration that I would think it was coming from was something to do with the Active Directory Authentication Services.

    If I check the reporting and look at the "Bandwidth Usage" and choose the option top services in say the last 30 days, then I can see NETBIOS-NS with 0.6 KB in and 81.7 MB out. If I click on the service, it changes the report to "Top clients by service" for NETBIOS-NS but doesn't display any IP Addresses to investigate.

    My thought is that the traffic is spawning from the underlying Linux of the UTM.

    Regards

    Dave

  • Dave, I'm pretty sure that the UTM doesn't do WINS/NETBIOS, so this must be devices that, for some reason, aren't showing up in Reporting.  What does Sophos Support say?  Tell them that you don't want them to re-initialize your databases.

    Cheers - Bob

  • Hi Bob, hope you are well.

    I have raised a support ticket with Sophos now so hopefully they can advise.

    What does "re-initializing the databases" do, and why would I tell them not to do that?

    Apologies if that was a stupid question.

    Regards,

    Dave

  • The databases used in Reporting are PostgreSQL.  The quick first step to fixing/analyzing similar issues is to re-initialize the Reporting databases.

    Cheers - Bob

  • Hi Again Bob, thanks for the info.

    After some further investigation using packet captures, I can see the source of the NetBIOS Name Service traffic is coming from the External Interface of the UTM. It is broadcasting queries out to the internet for a Windows Domain that is an Internal one.

    The UTM has been joined to DOMAIN_A.

    There is a trust relationship between DOMAIN_A and DOMAIN_B.

    The UTM is sending broadcast NetBIOS Query traffic out of the external interface for the domain controllers of DOMAIN_B.

    I don't think this is a good idea as it appears to be leaking company information about internal systems to the internet, so I have disabled the Interface while I wait for support to assist.

    Regards,

    Dave
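A defender-side decoder for what such a capture contains, added here as an example (it is not code from the thread or from Sophos): it builds a constructed NBNS name query for the DOMAIN_B domain-controller group name (suffix 0x1C), decodes the first-level-encoded name back out of the UDP/137 payload, and flags broadcast queries leaving an assumed external interface named eth1. Interface names, addresses and the sample records are all constructed.

```python
import struct

# NetBIOS suffix byte -> role the queried name advertises (subset; constructed table)
NB_SUFFIX = {0x00: "workstation", 0x1B: "domain master browser",
             0x1C: "domain controllers", 0x20: "file server"}

def encode_nb_name(name, suffix):
    """First-level encoding: 15-char space-padded name + suffix, each nibble + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)

def decode_nb_name(encoded):
    """Reverse of encode_nb_name on a 32-byte field; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_nbns_query(name, suffix, txid=0x1234):
    """Constructed NBNS name query: flags 0x0110 = opcode query, RD=1, B(roadcast)=1."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + b"\x20" + encode_nb_name(name, suffix) + b"\x00" + struct.pack("!HH", 0x20, 1)

def parse_nbns_query(payload):
    """Parse the UDP/137 payload of an NBNS name query into its fields."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1 or payload[12] != 0x20:
        raise ValueError("not a single-question NBNS query")
    name, suffix = decode_nb_name(payload[13:45])
    return {"txid": txid, "broadcast": bool(flags & 0x0010),
            "name": name, "suffix": suffix, "role": NB_SUFFIX.get(suffix, "other")}

def find_nbns_leaks(records, external_iface="eth1"):
    """records: (iface, dst_ip, dst_port, udp_payload); returns leaks leaving external_iface."""
    leaks = []
    for iface, dst_ip, dport, payload in records:
        if iface != external_iface or dport != 137:
            continue
        try:
            q = parse_nbns_query(payload)
        except (ValueError, struct.error, IndexError):
            continue  # malformed or not an NBNS query; ignore
        if q["broadcast"]:
            leaks.append((q["name"], q["role"], dst_ip))
    return leaks

# Constructed sample capture: the thread's scenario plus benign internal traffic
SAMPLE_RECORDS = [
    ("eth1", "255.255.255.255", 137, build_nbns_query("DOMAIN_B", 0x1C)),
    ("eth0", "192.168.1.255", 137, build_nbns_query("FILESRV", 0x20)),
    ("eth1", "203.0.113.5", 53, b"\x00\x01\x01\x00" + b"\x00" * 8),
]
```

The decoded name and suffix are exactly the internal information Dave describes as leaking; the same decoder applied to a real capture tells you which internal names are being broadcast outward.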

  • Hmmm.  Could it be that it's your Domain Controller initiating the traffic and that the issue may be one of DNS configuration and/or the lack of an adequate VPN configuration?

    Cheers - Bob

  • I am not sure to be honest, the packet captures I see show that the source MAC address is the external Interface of the UTM. If it was traffic initiating from an internal Domain Controller, my question would be how is it possible for the broadcast traffic to be passed out from the internal to the external network via the UTM.

    It's very strange.

    My feeling is it's coming from a process in the underlying Linux OS of the UTM, and that's why the reporting is not showing any Client/Server IP Addresses and is also only showing MBs of traffic going out but zero coming in.

    Regards,

    Dave

  • TrotterD said:

    I am not sure to be honest, the packet captures I see show that the source MAC address is the external Interface of the UTM. If it was traffic initiating from an internal Domain Controller, my question would be how is it possible for the broadcast traffic to be passed out from the internal to the external network via the UTM.

    It's very strange.

    My feeling is it's coming from a process in the underlying Linux OS of the UTM, and that's why the reporting is not showing any Client/Server IP Addresses and is also only showing MBs of traffic going out but zero coming in.

    Regards,

    Dave

    Dave, did you have any result? Or find the source of this traffic?

    Best

    Alex

  • Hi Alex, hope you are well.

    Actually no is the short answer.

    Sophos Platinum Support could see the traffic but didn't understand where it was leaking out from (or rather what process on the UTM and why it was doing it). They put a DNAT rule on the firewall to redirect NetBIOS-NS traffic coming from the external interface, destined for the broadcast address, to the internal Sophos IP Address. I guess that is just to bend broadcast traffic inwards instead of outbound.

    I ended up adding the network ranges and configuring the DNS Request Routing to the partner company's Windows Domains so that they were resolvable by the Sophos UTM and so it could route the correct way.

    It feels like the UTM had visibility of the Active Directory trust relationships that the domain it's joined to is configured with, but because I never configured the UTM to see the networks or resolve the servers in that other domain, it was trying to find them via the external default gateway using a broadcast.  There is no requirement for the other systems in the trusted domain to use Sophos UTM as they have their own proxy server and internet connection.

    Regards,

    Dave

  • Hi Dave,

    Thanks for your extensive explanation. I can surely confirm this behavior. We have some trusted AD domains as well, but these are not used in UTM.

    After I implemented the DNS request routing to the trusted Windows domains, the NetBIOS Broadcasts vanished. I implemented this shortly after 8 pm; the result can't be more clear:

    So this should be in the documentation: if you have any AD trusts, make the DNS resolution available to the UTM.

    Best regards,

    Alex

  • Hi Alex, hope you are well.

    Thanks for the update on your scenario. I was thinking it may have just been a bug or a configuration issue of the system I implemented.

    I don't really like the idea of adding network definitions and DNS configuration for the customer's partner company, just for a workaround. I am a bit OCD, but I think that if it's not required, it shouldn't be configured on the firewall, as it allows more access and a bigger footprint than need be. This is frowned upon in firewall configurations.

    But rather that than have this kind of traffic and internal system information being visible on the outside.

    Regards,

    Dave