Why am I seeing traffic on ports 137-139 coming from my RA server trying to exit my firewall?

Document ID : KB000021726
Last Modified Date : 14/02/2018

Problem: 

Traffic on ports 137-139 from the RA master/standalone server is seen on the network or trying to leave it, and may be deemed a security risk.

 

Cause: 

This is NetBIOS traffic that occurs when RA is unable to resolve an IP address seen in NetFlow through DNS. When an address does not resolve via DNS, RA tries to connect to the host using NetBIOS to get its machine name.

 

Resolution:

NetBIOS traffic leaving the network can be a security risk, so this functionality can be disabled.

  1. Remote desktop to the RA master console

  2. Open up Control Panel --> Network Connections

  3. Right-click on the NIC and select Properties

  4. Select Internet Protocol (TCP/IP) in the list of items and click Properties.

  5. Click on Advanced

  6. Go to the WINS tab

  7. In the NetBIOS setting box, select Disable NetBIOS over TCP/IP

RA will still try to look up hosts seen in NetFlow traffic via DNS, but it will no longer fall back to NetBIOS if DNS fails. These hosts will show as IP addresses in the data instead of names.
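
The same setting can be applied and checked from a script. The following is an added example, not part of the original CA document or of RA: it assumes an elevated Windows PowerShell session on the RA server, uses the standard WMI class Win32_NetworkAdapterConfiguration, and goes beyond the steps above by applying the change to every IP-enabled adapter rather than a single NIC.

```powershell
# Added example: scripted equivalent of the WINS-tab steps (not CA/RA code).
# Assumption: run in an elevated Windows PowerShell session on the RA server.
# TcpipNetbiosOptions values: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
$Disable = 2
$Filter  = "IPEnabled = TRUE"

function Get-NetbiosState {
    # One row per IP-enabled adapter with its current NetBIOS over TCP/IP setting.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter $Filter |
        Select-Object Index, Description, IPAddress, TcpipNetbiosOptions
}

Write-Output "Before:"
Get-NetbiosState | Format-Table -AutoSize

foreach ($nic in Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter $Filter) {
    if ($nic.TcpipNetbiosOptions -eq $Disable) { continue }   # already disabled

    $result = $nic.SetTcpipNetbios($Disable)
    # ReturnValue 0 = success, 1 = success but reboot required; others are failures.
    switch ($result.ReturnValue) {
        0       { Write-Output  "Disabled NetBIOS on '$($nic.Description)'" }
        1       { Write-Output  "Disabled NetBIOS on '$($nic.Description)' (reboot required)" }
        default { Write-Warning "Failed on '$($nic.Description)': code $($result.ReturnValue)" }
    }
}

Write-Output "After:"
Get-NetbiosState | Format-Table -AutoSize

# Verify: no local socket should remain bound to UDP 137/138 or TCP 139.
$bound = netstat -an | Select-String -Pattern '^\s*(TCP|UDP)\s+\S+:(137|138|139)\s'
if ($bound) {
    Write-Warning "NetBIOS ports still bound locally:"
    $bound
} else {
    Write-Output "No local sockets bound to ports 137-139."
}
```

If the netstat check still shows bound ports after the change, reboot the server and run the check again before relying on the firewall logs.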

 

Additional Information: 

Please note that RA 9.0 is end of life and you should consider upgrading to ensure that you are running a supported environment.

https://www.ca.com/us/services-support/ca-support/ca-support-online/product-content/status/support-life-cycle/ca-network-flow-analysis-r9_1-sp1-r9_1-ca-netqos-reporteranalyzer-r9_0-sp1-r9_0-eos-announcement.html