04-19-2024 01:23 PM
Hi all, I am having trouble whitelisting a site and wanted to see what I can do about it. The website I am whitelisting is https://www.pahealthwellness.com/login.html. When you make some selections on the page, it redirects to https://sso.entrykeyid.com. I have a rule set to allow both those URLs with wildcards, but the bigger problem is that the traffic is hitting CloudFront and getting blocked based on that. I don't want to whitelist all of CloudFront, but I can't figure out a way around this. I can give more detail if needed, I just want to see if I am missing something basic here.
07-30-2024 09:37 AM
I have a similar problem and I can't even get things to work after whitelisting *.cloudfront.net. It's as if the laptop's DNS is resolving to an IP address different than the Palo Alto. I have the Minimum FQDN refresh time set to zero in Device > Setup > Services but it still won't match the policy.
07-30-2024 02:08 PM - edited 07-30-2024 02:10 PM
It sounds like (and a quick check of pahealthwellness.com confirmed) that the website is using fast-flux DNS. The DNS resolution is constantly changing over a range of IPs, so the firewall and client DNS responses will diverge, and hence the firewall doesn't know that the IP the client browser is currently connecting to is actually the same as the FQDN in the firewall. There are really only 2 options if you want to whitelist this server and block other traffic. See my previous thread here:
https://www.paloaltonetworks.com/cyberpedia/what-is-a-fast-flux-network
Note: The PA minimum FQDN refresh time will never drop below 30sec (regardless of the config setting) as that is hardcoded to prevent the firewall from thrashing on invalid/extremely short TTL FQDNs.
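An added illustration of the divergence described in the reply above (not code from this thread or from Palo Alto Networks): a Python simulation of a firewall FQDN object that refreshes no faster than the stated 30-second floor, checked against a client that re-resolves a constructed fast-flux name before each connection. The address pools, rotation interval, TTL and the client's pick-the-first-answer behaviour are assumptions made for the example.

```python
"""Why an FQDN address object misses a fast-flux destination (constructed simulation)."""
from dataclasses import dataclass, field

FW_MIN_REFRESH = 30  # seconds: the refresh floor the reply above says is hardcoded

@dataclass
class FastFluxZone:
    """Constructed zone: the answer set rotates every `rotate` seconds."""
    pools: list   # address sets the zone cycles through
    rotate: int   # seconds between answer-set changes
    ttl: int      # TTL advertised in each answer

    def resolve(self, now):
        return set(self.pools[(now // self.rotate) % len(self.pools)]), self.ttl

@dataclass
class FqdnObject:
    """Firewall-side FQDN cache, refreshed no sooner than max(TTL, min_refresh)."""
    zone: FastFluxZone
    min_refresh: int = FW_MIN_REFRESH
    cached: set = field(default_factory=set)
    next_refresh: int = 0

    def addresses(self, now):
        if now >= self.next_refresh:
            self.cached, ttl = self.zone.resolve(now)
            self.next_refresh = now + max(ttl, self.min_refresh)
        return self.cached

def simulate(zone, min_refresh, duration, client_every):
    """Count connections the FQDN rule allows vs. blocks. Assumption: the client
    re-resolves before every connection and uses the first answer; the rule
    matches only if that IP is in the firewall's cached set at that moment."""
    fw = FqdnObject(zone, min_refresh)
    allowed = blocked = 0
    for now in range(0, duration, client_every):
        dst = sorted(zone.resolve(now)[0])[0]
        if dst in fw.addresses(now):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked

# Constructed sample: three documentation-range pools, rotating every 10 s, TTL 5 s.
ZONE = FastFluxZone(pools=[{"198.51.100.10"}, {"198.51.100.20"}, {"198.51.100.30"}],
                    rotate=10, ttl=5)

if __name__ == "__main__":
    print("30 s floor (actual firewall):", simulate(ZONE, FW_MIN_REFRESH, 60, 5))  # (4, 8)
    print("if TTL were honoured (0 s):  ", simulate(ZONE, 0, 60, 5))              # (12, 0)
```

With the 30 s floor the rule matches only while the cached answer happens to coincide with the client's, which is the intermittent blocking both posters describe; a name with a stable answer set (large `rotate`) is allowed every time.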