Hide this message
Looking to compare latest NPM features with previous versions of NPM?
The NPM new feature summary offers a comparison of new features and improvements offered with this release.
This article describes the topic about how Orion server uses Netbios (UDP 137) port to reach out to all the devices that are monitored by the Orion. There is an option to disable NetBios Over TCP/IP protocol and write an LMHOSTS file for the servers that need to be resolved using NB names. By doing so, it prevents NetBios Lookup Query to try and go through your firewall.
**Note NetBios lookups will happen from the Orion engine before a DNS lookup. Also note DNS lookups will only reach out to the first DNS server (Primary DNS) it can reach. This is important to note in case DNS replication is not setup properly and some hosts will not resolve via the primary DNS server.
That's pretty much what I expected with NTA. NTA will take any netflow data that is being sent to it from your layer 3 devices, record the Source and Destination IPs in the flow data, then attempt to resolve the names of those IPs (whether they are valid or not) through DNS and NetBios for display in the web console. It doesn't attempt to confirm whether the IPs are real or not, only that it is seeing it within the flow packets themselves.
The correction to a point however pertains to this: NTA must be configured to allow the NetBios requests to be initiated and for it to be concurrent, it must be set to Persistent name resolution in the NTA settings. Easiest way to confirm is to go to NTA Settings, scroll down to DNS and NetBIOS Resolution and see if Enable
NetBIOS resolution of endpoints is checked. Likely as well, the setting for DNS Resolution Option is set to Persistent as well.
Collects flow packets > parses source\destination IPs in convos > stores the IPs > queues them for name resolution > issues resolution through DNS\LLMNR for everything configured on the server (DNS servers, etc) > issues netbios lookup to whatever it can reach to resolve naming through that method (if enabled) > awaits response > stores name upon return.
We unfortunately do not have any white sheet documentation stating this exact process, at least nothing that we can release, but if it comes into question whether this is intended design I can confirm and I can indicate in the admin guide that NTA can and does attempt naming resolution through NetBIOS.
I'd say your next method to test is to check the NTA Settings page, disable NetBios resolution if it's enabled, then see what happens when you restart the service.
All versions of NPM
Check NTA Settings to make sure NetBIOS is disabled:
For more details, see the Thwack post below: