06-14-2022 03:23 AM
Good afternoon. At 11:57:26 (9:57:26 GMT), there was a log entry which said this company was scanning our VPS. This made it unresponsive with extremely high load for us until I restarted the HTTPD service. The traffic was also coming from a lot of different IP addresses, all by Microsoft. Is this normal?
Log entry:
198.235.24.150 - - [14/Jun/2022:11:57:26 +0200] "GET / HTTP/1.1" 200 275 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com"
06-14-2022 05:13 AM
Hey, yes, that is totally normal. As soon as you put any public IP online you will get scanned by different scanners, not just Palo Alto. I would suggest you secure your external-facing IP by adding a strict security profile group to block or reset it at the firewall.
To prevent it further you can add a deny rule on top with an EDL. You can also add your custom EDL with this to add one-off IPs.
Palo Alto Networks - Known malicious IP addresses
Palo Alto Networks - Bulletproof IP addresses
Palo Alto Networks - High risk IP addresses
06-14-2022 05:24 AM
Thank you for your response. Unfortunately, I'm not sure if I can do that, because we're not part of Palo Alto's network. That's the thing. We're renting our VPSes at a web hosting company called TransIP, and we manage the servers ourselves. I'll probably have to ask them in that case, but I'd still like to know if there is a way to prevent situations like these, where I'm running to a forum for a company I've never heard of until now and asking for help on this topic. Is there any way to prevent this situation in the future?
06-14-2022 05:28 AM
In that case your best bet is to send an email to scaninfo@paloaltonetworks.com with your IP subnet to exclude it from the scan.
06-14-2022 08:33 AM - edited 06-14-2022 08:35 AM
How do you know that PaloAlto made your website unresponsive? You have a single log of a request of your index page, something hundreds or thousands of other bots are doing every day, and the PaloAlto bot is explicitly telling you who/what it is in the client header. It is part of PaloAlto's website categorization for threats/malware prevention and typically happens about once a day from one of a handful of PaloAlto IP blocks. It is annoying, but nothing about the request should slow down your website.
I would be looking at those hundreds of other requests and what they were accessing/trying to PUT.
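To act on that last suggestion, here is an added example (not from the thread or from Palo Alto Networks) that parses Apache combined-format access log lines like the one quoted above, ranks client IPs by request volume, flags the self-identifying Expanse user agent, and lists which IPs sent state-changing requests (PUT/POST/DELETE). The sample log is constructed: it embeds the Expanse line from the thread plus hypothetical noisy traffic from documentation-range addresses.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, as in the line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S*) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the Expanse entry from the thread plus hypothetical extra traffic.
SAMPLE_LOG = """\
198.235.24.150 - - [14/Jun/2022:11:57:26 +0200] "GET / HTTP/1.1" 200 275 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com"
203.0.113.7 - - [14/Jun/2022:11:57:27 +0200] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2022:11:57:27 +0200] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2022:11:57:28 +0200] "PUT /upload HTTP/1.1" 405 230 "-" "python-requests/2.27"
198.51.100.9 - - [14/Jun/2022:11:57:30 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def parse_line(line):
    # Returns a dict of named fields, or None for lines that do not match the format.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text):
    # Per-IP request count, HTTP method counter, and whether the Expanse UA was seen.
    stats = defaultdict(lambda: {"requests": 0, "methods": Counter(), "scanner_ua": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or truncated lines rather than crash
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["methods"][rec["method"]] += 1
        ua = rec["ua"].lower()
        if "expanse" in ua or "paloaltonetworks.com" in ua:
            s["scanner_ua"] = True
    return dict(stats)

def top_talkers(stats, n=3):
    # Highest-volume client IPs first: load problems show up here, not in a single GET.
    return sorted(stats.items(), key=lambda kv: kv[1]["requests"], reverse=True)[:n]

def write_methods(stats):
    # IPs that sent state-changing requests, the ones worth a closer look.
    risky = ("PUT", "POST", "DELETE")
    return {ip: s["methods"] for ip, s in stats.items() if any(m in s["methods"] for m in risky)}

if __name__ == "__main__":
    for ip, s in top_talkers(summarize(SAMPLE_LOG)):
        print(ip, s["requests"], dict(s["methods"]), "scanner-UA" if s["scanner_ua"] else "")
```

Run it against the real access log (`summarize(open("access_log").read())`) and compare the top talkers' timestamps with the time of the load spike; a single Expanse GET will sit at the bottom of that list.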