https://live.paloaltonetworks.com/t5/custom-signatures/x-com-website-api-calls-classified-as-twitter-messaging/m-p/1240062#M725 <P>Starting a week or two ago one of my customers started experiencing website issues with x.com. Their current environment allows application "twitter-base" but not "twitter-messaging". It appears that with a recent content update Palo now classifies the internal x.com website api calls as "twitter-messaging" which my customer blocks causing the page to not load. My customer has been blocking "twitter-messaging" for years with no issues. Not until a week or two did the access to x.com break.</P> <P>&nbsp;</P> <P>Anyone else have this issue and resolution?</P> Wed, 15 Oct 2025 14:43:56 GMT MikeSchrader 2025-10-15T14:43:56Z https://live.paloaltonetworks.com/t5/custom-signatures/x-com-website-api-calls-classified-as-twitter-messaging/m-p/1240062#M725 <P>Starting a week or two ago one of my customers started experiencing website issues with x.com. Their current environment allows application "twitter-base" but not "twitter-messaging". It appears that with a recent content update Palo now classifies the internal x.com website api calls as "twitter-messaging" which my customer blocks causing the page to not load. My customer has been blocking "twitter-messaging" for years with no issues. Not until a week or two did the access to x.com break.</P> <P>&nbsp;</P> <P>Anyone else have this issue and resolution?</P> Wed, 15 Oct 2025 14:43:56 GMT https://live.paloaltonetworks.com/t5/custom-signatures/x-com-website-api-calls-classified-as-twitter-messaging/m-p/1240062#M725 MikeSchrader 2025-10-15T14:43:56Z https://live.paloaltonetworks.com/t5/custom-signatures/x-com-website-api-calls-classified-as-twitter-messaging/m-p/1240126#M727 <P>You can make a custom app signature based on the host url and a new rule before the blocking rule that allows the custom app limiting the rule to only allowed source ip and the destination servers that host the&nbsp;<SPAN>&nbsp;internal x.com website. Have you seen my article&nbsp;<A href="https://live.paloaltonetworks.com/t5/general-articles/how-to-write-palo-alto-networks-custom-vulnerability-and/ta-p/1228494" target="_blank" rel="noopener">How to Write Palo Alto Networks Custom Vulnerability and Application Signatures with Examples</A>&nbsp;?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Outside of that there are other ways as well as allowing traffic for&nbsp;"twitter-messaging" based on the destination url/fqdn and again only for the needed source and destination IP addresses or even App bypass that I don't recommend as that is final solution <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVLCA0" target="_blank">Tips &amp; Tricks: How to Create an Application Override - Knowledge Base - Palo Alto Networks</A>&nbsp;Maybe you can try to place app overide after the twitter base rule as to stop the app identification for "twitter-messaging" as there should be application shift for palo alto to identify again the traffic from base to messaging but it could have mixed results. For app shift see :</SPAN></P> <P>&nbsp;</P> <P><SPAN><A href="https://live.paloaltonetworks.com/t5/next-generation-firewall/application-shift-and-how-to-allow-linkedin-but-block-specific/td-p/577599" target="_blank">Application Shift and How to allow linkedIn but block specific linkedin-posting application</A></SPAN></P> <P>&nbsp;</P> <P><SPAN><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1aCAC" target="_blank">How to Prevent Application Shift - Knowledge Base - Palo Alto Networks</A></SPAN></P> <P>&nbsp;</P> <P><SPAN><A href="https://live.paloaltonetworks.com/t5/general-articles/tips-amp-tricks-app-id-debugging/ta-p/1232109" target="_blank">Tips &amp; Tricks: App-ID Debugging</A></SPAN></P> Thu, 16 Oct 2025 07:04:40 GMT https://live.paloaltonetworks.com/t5/custom-signatures/x-com-website-api-calls-classified-as-twitter-messaging/m-p/1240126#M727 nikoolayy1 2025-10-16T07:04:40Z