Support Forum
wmiller
New Contributor

Getting lots of NetBios NBTSTAT Queries after upgrading to MR3 not having this issue prior.

Getting lots of NetBios NBTSTAT Queries after upgrading to MR3, not having this issue prior. I have 2x 110c on MR3. I have an IPSEC VPN tunnel between the 2 offices. I have a DC Svr2k3r2 on each side. I have recently upgraded both to MR3. Now I have this problem ---> Solid for a few days now.

2011-03-30 11:57:06 10.0.10.10 10.0.0.10 137/udp netbios: NBTStat.Query, repeated 3 times
2011-03-30 11:56:58 10.0.10.10 10.0.0.10 137/udp netbios: NBTStat.Query
2011-03-30 11:56:57 10.0.10.10 10.0.0.10 137/udp netbios: NBTStat.Query
2011-03-30 11:56:55 10.0.10.10 10.0.0.10 137/udp netbios: NBTStat.Query
2011-03-30 11:44:51 10.0.10.10 10.0.0.10 137/udp netbios: NBTStat.Query, repeated 3 times

I have spam and virus scanned both servers, rebooted them, and cleaned out profiles and temp files with multiple programs (adware, Spybot, McAfee Stinger, and Norton, as far as scanners and specific-use items, not full-on programs). Nothing found. So either I am missing something that changed between MR2 Patch 2 and MR3 and need to make a few changes, or I now have a new problem that just happened to come up within a few days of upgrading and never had this issue before. Any input would be greatly appreciated.
Wesside-KTM 60D-110c-WiFi80cm-300-300a-200a-WiFi60-60-50b-fl400
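A quick way to put numbers on log lines like the ones in this post, as an added example that is not from the original thread or from Fortinet: the script below parses the five lines quoted above (re-typed here one per line as constructed sample input), treats a "repeated N times" suffix as N collapsed hits (an assumption about how the firewall folds identical events), and reports the total and sustained rate per source/destination pair, so you can judge whether the traffic is actually significant or merely newly visible after the upgrade. The field layout in the regex and the per-minute threshold in noisy_pairs are this example's assumptions, not a documented FortiGate log schema.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the five log lines from the opening post, one per line
# (the forum flattened them into a single paragraph).
SAMPLE_LOG = """\
2011-03-30 11:57:06 10.0.10.10 10.0.0.10 137/udp netbios: NBTStat.Query, repeated 3 times
2011-03-30 11:56:58 10.0.10.10 10.0.0.10 137/udp netbios: NBTStat.Query
2011-03-30 11:56:57 10.0.10.10 10.0.0.10 137/udp netbios: NBTStat.Query
2011-03-30 11:56:55 10.0.10.10 10.0.0.10 137/udp netbios: NBTStat.Query
2011-03-30 11:44:51 10.0.10.10 10.0.0.10 137/udp netbios: NBTStat.Query, repeated 3 times
"""

# Field layout assumed from the lines above: timestamp, source, destination,
# port/protocol, application label, signature name, optional "repeated N times".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<port>\d+)/(?P<proto>[a-z]+) (?P<app>[\w-]+): (?P<sig>[\w.-]+)"
    r"(?:, repeated (?P<rep>\d+) times)?$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["port"] = int(ev["port"])
    # Assumption: "repeated N times" means N identical hits were collapsed into
    # this one line, so the line stands for N events; a bare line counts as 1.
    ev["count"] = int(ev["rep"]) if ev["rep"] else 1
    return ev


def summarize(log_text):
    """Aggregate hits per (src, dst, port/proto, signature) talker pair."""
    pairs = defaultdict(lambda: {"total": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip blank or foreign lines instead of failing the whole run
        key = (ev["src"], ev["dst"], f'{ev["port"]}/{ev["proto"]}', ev["sig"])
        p = pairs[key]
        p["total"] += ev["count"]
        # The post lists lines newest-first, so track both ends of the window explicitly.
        p["first"] = ev["ts"] if p["first"] is None else min(p["first"], ev["ts"])
        p["last"] = ev["ts"] if p["last"] is None else max(p["last"], ev["ts"])
    for p in pairs.values():
        window = (p["last"] - p["first"]).total_seconds()
        p["window_seconds"] = window
        # Sustained rate over the observed window; a single-instant burst is
        # reported as its raw count rather than dividing by zero.
        p["per_minute"] = p["total"] / (window / 60) if window > 0 else float(p["total"])
    return dict(pairs)


def noisy_pairs(summary, per_minute=1.0):
    """Keys whose sustained rate meets the threshold (hypothetical cut-off; tune to your network)."""
    return sorted(k for k, p in summary.items() if p["per_minute"] >= per_minute)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, p in summary.items():
        print(key, p["total"], "hits over", p["window_seconds"], "s =",
              round(p["per_minute"], 2), "per minute")
    print("noisy at >= 0.5/min:", noisy_pairs(summary, 0.5))
```

For the five lines in the post this gives 9 hits from 10.0.10.10 to 10.0.0.10 over a 735 second window, well under one query a minute; pointing the same parser at a full day of exported log is what tells you whether the upgrade changed the traffic or only what gets logged.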
Carl_Wallmark
Valued Contributor

I would say Application Control. Are you logging in the application control?

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

wmiller
New Contributor

Hmmmmmm. Damn, I love when there is no course of action. I mean I could block it, I guess.

NBTStat.Query
Release Date: Sep 11, 2006
Severity: Info
Impact: Attackers can gain sensitive information about the network in preparation for future attacks.
Description: It indicates detection of an NBTStat query. NBTStat can display NetBIOS statistics, name tables for both local and remote systems and the name cache. A remote attacker can use this information to prepare for further attacks.
Affected Products: Any unprotected Microsoft Windows system running NetBIOS is vulnerable.
Recommended Actions: N/A
Wesside-KTM 60D-110c-WiFi80cm-300-300a-200a-WiFi60-60-50b-fl400
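To make the signature text above concrete, here is an added example (not from the thread and not Fortinet's signature logic) that decodes a NetBIOS Name Service packet on UDP/137 as RFC 1001/1002 lay it out and labels a node status request, which is the packet the nbtstat tool sends and what a signature named NBTStat.Query is keying on. The wildcard name "*" and the nibble-plus-'A' name encoding come from the RFCs; the function names, the label strings and the sample packets are this example's own, and build_query exists only to construct sample input for the decoder.

```python
import struct

# Question types carried in NBNS packets (RFC 1002 section 4.2.1.2).
QTYPE_NB = 0x0020      # ordinary name query: "who has this name?"
QTYPE_NBSTAT = 0x0021  # node status request: what nbtstat -A sends

RCODE_MASK = 0x000F


def encode_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 14.1): 15-char name + suffix byte, each nibble + 'A'."""
    # The wildcard "*" is NUL-padded by convention; ordinary names are space-padded.
    pad = b"\x00" if name == "*" else b" "
    raw = name.upper().encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41])
    return bytes(out)  # 32 ASCII letters, e.g. "CK" + 30 * "A" for "*"


def decode_name(encoded):
    """Reverse of encode_name: 32 encoded bytes -> (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    name = raw[:15].rstrip(b" \x00").decode("ascii", "replace")
    return name, raw[15]


def build_query(txid, name, qtype, suffix=0x00):
    """Assemble a one-question NBNS request (used here only to construct sample input)."""
    header = struct.pack("!6H", txid, 0x0000, 1, 0, 0, 0)  # request, opcode 0, QDCOUNT=1
    question = bytes([32]) + encode_name(name, suffix) + b"\x00" + struct.pack("!HH", qtype, 0x0001)
    return header + question


def parse_nbns(packet):
    """Parse the 12-byte header and the first question of an NBNS packet into a dict."""
    if len(packet) < 12:
        raise ValueError("short NBNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", packet[:12])
    info = {
        "txid": txid,
        "is_response": bool(flags & 0x8000),  # R bit
        "opcode": (flags >> 11) & 0x0F,       # 0 = query, 5 = registration, ...
        "rcode": flags & RCODE_MASK,
        "qdcount": qdcount, "ancount": ancount,
    }
    if qdcount:
        # The question name is one 32-byte label followed by a zero length octet,
        # then 2-byte type and class: 12 + 1 + 32 + 1 + 4 = 50 bytes minimum.
        off = 12
        if packet[off] != 32 or len(packet) < off + 38:
            raise ValueError("malformed NBNS question")
        name, suffix = decode_name(packet[off + 1:off + 33])
        qtype, qclass = struct.unpack("!HH", packet[off + 34:off + 38])
        info.update({"qname": name, "suffix": suffix, "qtype": qtype, "qclass": qclass})
    return info


def classify(packet):
    """Label a UDP/137 payload the way a name-service signature would."""
    info = parse_nbns(packet)
    if info["is_response"] or info["opcode"] != 0:
        return "other"
    if info.get("qtype") == QTYPE_NBSTAT:
        return "node-status-query"  # the packet an "NBTStat.Query" style signature fires on
    if info.get("qtype") == QTYPE_NB:
        return "name-query"         # routine browse/resolution traffic
    return "other"


if __name__ == "__main__":
    # Constructed samples: a wildcard node status request and an ordinary name query.
    for pkt in (build_query(0x1234, "*", QTYPE_NBSTAT),
                build_query(0x1235, "FILESERVER", QTYPE_NB, 0x20)):
        print(len(pkt), "bytes", parse_nbns(pkt), "->", classify(pkt))
```

The 50-byte wildcard request with the name "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" is the recognizable fingerprint: seeing it between two domain controllers, as in this thread, is normal NetBIOS housekeeping, while seeing it sweep across a subnet from one host is the reconnaissance pattern the signature's "Impact" text is warning about.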
ejhardin
Contributor

Devices 10.0.10.10 and 10.0.0.10 are both NETBIOS-enabled machines. If they are not in a domain and you use DNS or a hosts file for resolving names, then just disable NETBIOS on both machines. If you are in a domain, then review your network and decide if NETBIOS is necessary. We do not use WINS or NETBIOS. We are 100% DNS. We also do not use link-layer or mDNS, but that is a different topic. NBTSTAT queries are simply Microsoft and IBM's way of finding machines on the same subnet so that networking is simple and easy. For example, if you have a home network and NETBIOS enabled, then it will continuously send out NBTSTAT queries to find computers on the net to talk to. So when you go to Network Neighborhood you see your computers on the network.
ede_pfau
SuperUser

Isn't there a Windows feature called 'Network Awareness' or such which relies on constant network browsing? I think it has been around since XP and can be disabled. You configure it in Folder Options, Advanced, uncheck "Automatically Search for Network Folders and Printers", or the corresponding GP. Yes, I know that it is automatically disabled if you're in a domain or if more than 32 devices are found during the scan. So maybe you've got a non-domain PC on your network now...

Ede

"Kernel panic: Aiee, killing interrupt handler!"
wmiller

Ede.. Well explained. Outstanding. But... both of those IPs are mine: 10.0.0.10 = DC/GC and 10.0.10.10 = 2nd DC/Exchange at a small corp office with 10 PCs, and I can see all of them. 2 DCs doing lots of NBTSTAT queries back and forth has nothing to do with the FortiGates themselves. This would be 2 servers having a heavy conversation. I was stating that in logging, and looking at old logs I have sitting around, I don't see these line items anywhere, period, before the day I upgraded to MR3. By the way, I have not taken the time to read about the forum itself. How do you score?
Wesside-KTM 60D-110c-WiFi80cm-300-300a-200a-WiFi60-60-50b-fl400
ede_pfau
SuperUser

I'm certainly not the expert for Server 2003 R2 but... as DCs they might query not because of themselves but on behalf of a domain member. So maybe it is not so far-fetched to think of a recent change on your network. Apart from the annoyance, do these queries amount to a huge part of your bandwidth? Where do you see the log entries you gave us in your first post, just the Traffic Log? I'm more than happy if you fellow forum members dig what I contribute; I get plenty back when someone (finally) says it helped to solve his problem. After all, this is fun! If you even want to score a post you can click the "Rate this post!" link in the leftmost column.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
ejhardin
Contributor

This is not a firewall issue; it is a server config. You need to read up on DC-to-DC traffic and configure based on your network's needs. If you are wondering why you were not seeing the traffic before the upgrade, then you need to compare the firewall config file for anything that has changed. You never stated if this is from the app logs or the IPS log. If IPS log, note that they did change the number of IPS signatures that are logged and enabled. It is in the release notes. Basically it is not a firewall issue and needs to be resolved at the server level.