Smbv3 and insightIDR

I am working to setup two domain controllers as active directory event sources. I’ve done this many times, however, these specific domain controllers are behind a pao firewall.
As of today, I have rules to allow connections from the collectors inbound to the DCs on ports tcp 445 & 636, plus predefined applications in Palo called smb-base, smbv3, ssl and wmi.
However, I still cannot connect to my AD event sources.
Our engineers sent me screenshots of smbv2 dropped traffic. SMBv2 was deprecated when SMBv3 came out via Server 2008. And we don’t allow old SMB calls.
Has anyone witnessed this before? Why is their product is using a 15-year-old deprecated SMB version?

Do I have other options for collecting data from these domain controllers?


For Active Directory via WMI, you will also need port 135 and 139 opened. However, I would recommend using the Insight Agent for AD log collection. You can find instructions here midway down the page: Active Directory | InsightIDR Documentation

Thanks Hannah, I was thinking of the agent also. What are the benefits and requirements?

I also read here that the agent is “Not recommended for Domain Controllers that generate a high number of events”

The main benefit is that you don’t need to use WMI, which imo is a pretty nice benefit. Other benefit would be that the agent can talk directly to the Insight Platform and you don’t necessarily have it route to the Collector which takes away some of the networking complexity.

The requirements are just that the OS the server your DC is running on can support the agent (which it almost certainly can Operating Systems Support | Insight Agent Documentation).

A high number of events would really be if it’s generating over 100s of events per second.

Also to answer your original question, I have not seen that specifically, and if it’s the DC sending smbv2, I would imagine that it may be a setting on that DC, as it should be able to support smbv3. And in that case, if you do still decide to go the WMI route you’ll need to open port 135 as well.