100s of DNS Requests/sec to MS Services from non-existent user
My traffic monitor is showing 100s of DNS requests/sec from our PDC to what appears to be Microsoft services from a user which no longer exists (as I deleted it out of frustration). The user was deleted months ago but still the entries persist (see attached).
What would be causing these? Telemetry? Intune? How can they originate from a user that no longer exits?
Thanks in advance
0
Sign In to comment.
Comments
Hi @Red_Man
You'll want to check your Authentication List tab in traffic monitor to see if that user is still logged in. That should tell you where the authentication came from (like Single Sign on, Authentication Portal, VPN, etc.)
-If it's from Single Sign On (SSO) it'll depend on what method you're using to determine what user is logged in. If you're using event log monitor there might simply not be another log to show that user ever logged out, or they may have never logged out to generate an event SSO would use.
-you can select and click to force log off the user from there.
-James Carson
WatchGuard Customer Support
Hi James,
Thank you for your fast response. I checked the Authentication List and that user was indeed logged in there. I've been using the web interface so didn't realise how much more information was available in WSM.
After logging out that user, I'm still getting lots of entries per second in the log, only now they are from a different user. I've noticed this user is the "Searching User" in SSO configuration Tools and also shows as the being authenticated as ELM user. Given this information is it normal to have so many entries per second in for traffic monitor still? It appears to be Microsoft related services.
Thanks
ELM does do some authentication in order to get those logs. I'd suggest making sure you're on the latest version of the SSO Authentication Gateway (latest version is 12.10.2.)
You can find the SSO Authentication Gateway under the downloads section for each firewall at https://software.watchguard.com/
If you continue to have that issue, I'd suggest opening a support case so that one of our reps can take a look at the issue with you and determine what is causing that.
-James Carson
WatchGuard Customer Support
Thanks again, James