Google-Search display captcha

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Google-Search display captcha

L0 Member

Hello all

 

Our users getting more and more captcha-messages on google-search with the following explanation:
https://support.google.com/websearch/answer/86640?hl=en

 

After entering the captcha, google-search works for a while an then the same message is displayed again.

 

We have a NAT pool of several public ip addresses and configured outgoing ssl-decryption.
Does anybody have solution to block this 'unusal traffic' or at least to detect it with palo?

3 REPLIES 3

L0 Member

we are using Virtual Wire configuration 

Cyber Elite
Cyber Elite

Hi

 

Have you made sure the security policy used by your outbound traffic has been configured to use a full set of security profiles?

 

If no malicious outbound traffic is being detected, it may be good to take a look at the botnet reports, these may containt reports on traffic that can be considered suspicious but not necessarily malicious. The botnet report is generated using a set of heuristics to match odd behavior, commonly seen by a botnet command&control network. This may help shed some light on why google is reporting

 

2015-09-21_10-38-25.png

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L7 Applicator

Hi @Ketchup

 

Try to check in your logs if you have incomplete sessions to google ip ranges. Actually we have the same issue, and also no solution till now but I am now trying to verify why there are these incomplete sessions. Maybe this is the next step to get to a solution.

With this filter you should find the session I mean:

((addr.dst in 64.18.0.0/20) or (addr.dst in 64.233.160.0/19) or (addr.dst in 66.102.0.0/20) or (addr.dst in 66.249.80.0/20) or (addr.dst in 72.14.192.0/18) or (addr.dst in 74.125.0.0/16) or (addr.dst in 108.177.8.0/21) or (addr.dst in 173.194.0.0/16) or (addr.dst in 207.126.144.0/20) or (addr.dst in 209.85.128.0/17) or (addr.dst in 216.58.192.0/19) or (addr.dst in 216.239.32.0/19)) and (app eq incomplete)

 

Regards,

Remo

  • 3948 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!