https://live.paloaltonetworks.com/t5/next-generation-firewall/management-interface-connection-to-sucuri-net/m-p/565624#M2088 <P>Thank you for your response. One thing that might be related is that we recently installed a device certificate from Palo Alto following their recent advisory: <A href="https://live.paloaltonetworks.com/t5/customer-advisories/emergency-update-required-pan-os-root-and-default-certificate/ta-p/564672" target="_blank">https://live.paloaltonetworks.com/t5/customer-advisories/emergency-update-required-pan-os-root-and-default-certificate/ta-p/564672</A></P> <P>&nbsp;</P> Tue, 14 Nov 2023 15:49:27 GMT adminglu 2023-11-14T15:49:27Z https://live.paloaltonetworks.com/t5/next-generation-firewall/management-interface-connection-to-sucuri-net/m-p/565546#M2083 <P>Hello,</P> <P>&nbsp;</P> <P>The management interface from our PA-3260 suddenly tries to connect to 192.124.249.36 on port 80 web-browsing. 192.124.249.36 seems to be part of a CDN registered to Sucuri.net. Is this expected behavior, what service is this for?</P> Tue, 14 Nov 2023 10:16:28 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/management-interface-connection-to-sucuri-net/m-p/565546#M2083 adminglu 2023-11-14T10:16:28Z https://live.paloaltonetworks.com/t5/next-generation-firewall/management-interface-connection-to-sucuri-net/m-p/565584#M2087 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/84605">@adminglu</a> ,</P> <P>&nbsp;</P> <P>Looking at <A href="https://securitytrails.com/list/ip/192.124.249.36" target="_blank">Reverse IP lookup for 192.124.249.36 - SecurityTrails</A></P> <P>it looks like this is a CRL/OCSP URL for GoDaddy. <BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="aleksandarastardzhiev_0-1699971091818.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55162i2AD4ECD3BC493E1E/image-size/medium?v=v2&amp;px=400" role="button" title="aleksandarastardzhiev_0-1699971091818.png" alt="aleksandarastardzhiev_0-1699971091818.png" /></span></P> <P>&nbsp;</P> <P>It is expected firewall to make connections to public CRL and OCSP URLs to validate the status of public certificates. I can think of few reason from top of my head:</P> <P>- Lots of Palo Alto cloud services are using GoDaddy certificates, like update servers, telemetry servers (for AIOps), Data Lake logging</P> <P>- Decryption rule (no matter if decrypt or no-decrypt) applying decryption profile, which block connection when server cert is revoked.</P> <P>- Syslog Server using syslog over TLS.</P> <P>&nbsp;</P> Tue, 14 Nov 2023 14:20:28 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/management-interface-connection-to-sucuri-net/m-p/565584#M2087 A_Astardzhiev 2023-11-14T14:20:28Z https://live.paloaltonetworks.com/t5/next-generation-firewall/management-interface-connection-to-sucuri-net/m-p/565624#M2088 <P>Thank you for your response. One thing that might be related is that we recently installed a device certificate from Palo Alto following their recent advisory: <A href="https://live.paloaltonetworks.com/t5/customer-advisories/emergency-update-required-pan-os-root-and-default-certificate/ta-p/564672" target="_blank">https://live.paloaltonetworks.com/t5/customer-advisories/emergency-update-required-pan-os-root-and-default-certificate/ta-p/564672</A></P> <P>&nbsp;</P> Tue, 14 Nov 2023 15:49:27 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/management-interface-connection-to-sucuri-net/m-p/565624#M2088 adminglu 2023-11-14T15:49:27Z