High loads by scanner

Showing results for 
Show  only  | Search instead for 
Did you mean: 

High loads by scanner

L1 Bithead

Good afternoon. At 11:57:26 (9:57:26 GMT), there was a log entry which said this company was scanning our VPS. This made it unresponsive with extremely high load for us until I had restarted the HTTPD service. The traffic was also coming from a lot of different IP addresses all by Microsoft. Is this normal?


Log entry: - - [14/Jun/2022:11:57:26 +0200] "GET / HTTP/1.1" 200 275 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com"


L2 Linker

Hey yes that is totally normal, as soon as you put any public IP online you will get scanned by different scanner not just Palo Alto. I would suggest you to secure your external facing ip by adding strict security profile group to block or reset it at firewall.

To prevent it further you can add deny rule on top with EDL You can also add your custom EDL with this to add one off IP. 
Palo Alto Networks - Known malicious IP addresses
Palo Alto Networks - Bulletproof IP addresses
Palo Alto Networks - High risk IP addresses

Thank you for your response. Unfortunately, I'm not sure if I can do that, because we're not part of the Palo Alto's network. That's the thing. We're renting our VPS-es at a webhosting company called TransIP, and we manage the servers ourselves. I'll probably have to ask with them in that case, but I'd still like to know if there is a way to prevent situations like these, where I'm running up to a forum for a company I've never heard of until now, and asking help for this topic. Is there any way to prevent this situation in the future?

In that case your best bet is to send email to  scaninfo@paloaltonetworks.com with your IP subnet to exclude from scan. 

How do you know that PaloAlto made your website unresponsive? You have a single log of a request of your index page, something hundreds or thousands of other bots are doing every day, and the PaloAlto bot is explicitly telling you who/what it is in the client header. It is part of PaloAlto's website categorization for threats/malware prevention and typically happens about once a day from one of a handful of PaloAlto IP blocks. It is annoying, but nothing about the request should slow down your website.


I would be looking at those hundreds of other requests and what they were access/trying to PUT.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!