topic Re: Public Website IPs that is not a part of the address object group specified in destination is being blocked by Deny security policy in Next-Generation Firewall Discussions

Public Website IPs that is not a part of the address object group specified in destination is being blocked by Deny security policy

RoneyRajan123 — Sun, 22 Dec 2024 08:14:51 GMT

Hi Team,

I’m experiencing an unusual issue with my Palo Alto firewall. This problem started about a week ago. Prior to that, the website in question was functioning properly and being handled by the appropriate security policy.

Currently, a public website is being blocked by a specific security policy in the firewall. Upon reviewing this policy, I couldn’t find the website’s address in any of the destination address groups.

Here are the details of the policy:

Source Zone: Any
Source Address: Any
Destination Zone: Any
Destination Address: Static Address Object
Policy Action: Deny

Website: https://********.org

Websites IPs do not appear to be part of the static address objects in the destination address lists.

Interestingly, if we remove the static address object from the policy, the website works fine and is processed by the appropriate security policy.

Please advise on how to resolve this issue.

@kiwi @ahameed @mshamamulla @paloalto

Re: Public Website IPs that is not a part of the address object group specified in destination is being blocked by Deny security policy

RoneyRajan123 — Sun, 22 Dec 2024 08:18:05 GMT

We also tried to find out those IPs in the CLI as well, however, we couldn't find it. is it a bug.

Re: Public Website IPs that is not a part of the address object group specified in destination is being blocked by Deny security policy

Rahul.Balan — Mon, 23 Dec 2024 07:48:40 GMT

I am also facing the same issue for website https://arabglobalscholars.org/ . it is getting blocked by the object group that does not contain the ip address of the website

Re: Public Website IPs that is not a part of the address object group specified in destination is being blocked by Deny security policy

Adrian_Jensen — Mon, 23 Dec 2024 16:13:05 GMT

I don't know exactly what @RoneyRajan123's website is, but @Rahul.Balan's website resolves to a Cloudflare proxy frontend. The indicated Security Policies blocks solely based on the destination IP address matching one included or resolved in the Address list (which may be both IP address and FQDNs which are resolved to IPs). It does not match based on the FQDN name itself.

Cloudflare proxies act as the front end for many different FQDNs resolved to the same IP addresses. There may be a completely different FQDN address object that is resolving to the same IP as the site you are trying to access. Therefore, both destinations get blocked because both resolve to the same IP(s).

Unfortunately, if you have a large Address list using FQDNs, there is no good way to quickly filter to objects matching a certain IP address, but you can browse through them using the following command on the CLI:

show dns-proxy fqdn all

This will show all FQDN address objects currently monitored and their resolved IP address(es). You can also quickly search for a particular IP using a match filter, but unfortunately, do to the way the list is formatted, it doesn't show the FQDN, you have to review the entire list manually for that.

show dns-proxy fqdn all | match <IP address>

If you have a large number of address objects to be blocked, or FQDNs that resolve to a Cloudflare IP, consider if using a URL filter is a better option to prevent false positive blocking.

Re: Public Website IPs that is not a part of the address object group specified in destination is being blocked by Deny security policy

RoneyRajan123 — Mon, 23 Dec 2024 17:07:36 GMT

Hi @ADR,

I’m experiencing the same issue with the URL:

https://arabglobalscholars.org/

as mentioned by @Rahul.Balan above.

This issue is occurring across multiple customers.

The URL is being blocked by a deny policy applied to an address object group containing multiple blacklisted static IP addresses. However, upon reviewing the blacklist, we cannot find the website's IP address within this group.

If we remove the object group, the policy instead hits a specified rule.

Could you please assist in resolving this?

Re: Public Website IPs that is not a part of the address object group specified in destination is being blocked by Deny security policy

Adrian_Jensen — Mon, 23 Dec 2024 17:41:52 GMT

Does the address group contain just IP addresses? Or does it also contain FQDN address objects?

The arabglobalscholars.org FQDN resolves to 7 different Cloudflare IPs that are widely used for other FQDNs as well:

104.21.16.1

104.21.32.1

104.21.48.1

104.21.64.1
104.21.80.1

104.21.96.1

104.21.112.1

These IPs are widely used for other websites as well. I recently had a known malware FQDN switch from one IP to Cloudflare proxy on these IPs which caused a block of unrelated websites in our filtering rules.

Re: Public Website IPs that is not a part of the address object group specified in destination is being blocked by Deny security policy

mshamamulla — Tue, 24 Dec 2024 07:03:25 GMT

Hi @RoneyRajan123

1. Make sure the right Security rule is above the security rule which is blocking the website.
2. Even after step-1 if still the right security rule is bypassed and wrong security rule is hit then take Debug logs to understand the root cause.

https://live.paloaltonetworks.com/t5/general-articles/tips-amp-tricks-flow-basic-debugging/ta-p/545999

Mohammed Shamamulla
Technical Partner Manager | Palo Alto Networks
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Re: Public Website IPs that is not a part of the address object group specified in destination is being blocked by Deny security policy

RoneyRajan123 — Tue, 24 Dec 2024 07:08:16 GMT

Hi @Adrian_Jensen

Thank you so much for your support.
I got in the solution for my issue. Actually customer also using a malicious FQDN on their address object group which was also resolved to the same IP address.

Re: Public Website IPs that is not a part of the address object group specified in destination is being blocked by Deny security policy

RoneyRajan123 — Mon, 11 Aug 2025 18:15:53 GMT

Hi Adrian,

Another customer has reported that the FQDN "frameset.app" is being blocked by the firewalls, even though it is not listed in our blocked IPs or FQDN list.

Details:

FQDN: frameset.app
IP Address: 76.76.21.21

This IP and domain are not part of our blocked lists; however, they appear to be getting blocked.

Could you please help confirm whether this IP/FQDN is associated with any other malicious domains or categorized under another block list?

Re: Public Website IPs that is not a part of the address object group specified in destination is being blocked by Deny security policy

Adrian_Jensen — Thu, 02 Oct 2025 19:29:10 GMT

Sorry Roney, I haven't been during PaloAlto stuff for a couple months, been busy with over issues. I can not find any conflicts with "frameset.app" on my side, but we may have completely different blocklists and data sources.

When tracking these problems down, one thing you can try is to look at the PaloAlto DNS-Proxy cache and FQDN for matching IPs in other Address Objects. So frameset.app currently resolves to 76.76.21.21 for me. From the PaloAlto CLI you can run the following commands and see if there are any matches:

show dns-proxy cache all | match 76\.76\.21\.21

show dns-proxy fqdn all | match 76\.76\.21\.21

If you have a match then there is at least one object that the PaloAlto knows about that matches the IP. Unfortunately, the CLI output is a bit messy (particularly if you have a large number of objects), but if you can find the name then you can start searching that name to learn where it may exist in the config.