Incoming Traffic from Palo Alto IP Address

L0 Member

I have a customer who asked about traffic which he saw on his Firewall.

I looked in firewall logs from several other customers and found the same IP address. It is always an HTTP or HTTPS connection.

 

The traffic is coming from 70.42.131.170. According to several internet sources, this IP address belongs to Palo Alto Networks.

https://whatismyipaddress.com/ip/70.42.131.170

 

Because neither the Palo Alto website nor Google could give me an answer on this, and this is not really worth a support case, I thought I would place this question here. I think this might be a web crawler or something like this?!

 

I hope someone can clarify this.

 

Regards.

 

 


Accepted Solutions
L2 Linker

Hello Matthias,


It's indeed an IP address belonging to Palo Alto Networks. We crawl on a regular basis URLs from a variety of different sources to better identify and prevent potentially malicious content.


HTH


All Replies
L2 Linker

@khuynh

 

This IP address has been spamming my network, 4.5 million events since early October. This is setting off IDS alerts and taking away time from our team to research. This seems really excessive for a web crawler, does it not? It's a constant 35,000 - 39,000 events per day.

 

Can you stop, or do we just blacklist you? 

L2 Linker

Would it be reasonable to ask PAN to release the IP Range of IPs that they use for web crawling/scanning? We could create our own security policy so these events won't log and note that it is our security vendor crawling us. 

 

Thanks, Rags

L0 Member

That's an interesting idea.

A bit more transparency with these IP addresses or, let's say, "services" would be nice.

L2 Linker

@Rags

If you have any inquiries related to that traffic, please open a support ticket and our support team will help you and figure out how to make it more convenient for you.

Regards,

 

L2 Linker

@khuynh That's a really lax response for a security-related incident that you're responsible for. Why would I need to make a TAC when you're the person who is apparently involved in the scanning/web crawling activity? PAN should have this published to customers so we do not have to use resources researching a potential security issue.

 

Thanks I will make a TAC, and I have changed my mind and removed you from my friends list. 

 

Regards,

L2 Linker

@Rags

I didn't mean to be rude, sorry if you feel that.

I do work for Palo Alto as an SE, but I'm not responsible for the scanning of our internal teams. I have in my region several customers who have the same concerns as you, and I want you to have the most detailed answer and the best solution for you. The best way to figure out a good solution for your environment is to go through our TAC, who will be able to deliver the best solution that fits you, depending on your architecture, devices, licenses, and so on.

 

A little bit sad to hear that we are not friends anymore on Live ;), but I will still go on and try to help people here to the best of my knowledge.

 

Regards,

 

PS: Feel free to drop me an email if you want to continue this discussion.

L2 Linker

Thanks for the additional information @khuynh

 

>I have in my region several customers who have the same concerns as you

 

At this point what solutions do you provide for them? If you have previously asked them to open a TAC was there any resolution found that you can share? I really just want to know if this is a single 1-off IP Address, or if this web crawling traffic will be coming from an entire PAN IP Address subnet. We can then create our own settings that would be best to mitigate this traffic.

 

Thanks, -Rags
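
One way to check from your own firewall logs whether this traffic comes from a single address or from neighbouring addresses as well, as an added example that is not part of the original thread. The CSV log layout, the sample lines and the /24 grouping window are assumptions made for illustration; only 70.42.131.170 comes from the thread, and the /24 is not a range published by the vendor.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample log (CSV: date, source IP, destination port, app).
# Only 70.42.131.170 is taken from the thread; all other values are made up.
SAMPLE_LOG = """\
2020-10-05,70.42.131.170,443,ssl
2020-10-05,70.42.131.170,80,web-browsing
2020-10-05,198.51.100.7,443,ssl
2020-10-06,70.42.131.170,443,ssl
2020-10-06,70.42.131.170,443,ssl
2020-10-06,70.42.131.170,80,web-browsing
2020-10-06,203.0.113.9,22,ssh
"""


def summarize(log_text, watch_ip, prefix_len=24):
    """Count daily events for watch_ip and list every source in its subnet.

    prefix_len is only a grouping window used to spot neighbouring sources.
    """
    net = ipaddress.ip_network(f"{watch_ip}/{prefix_len}", strict=False)
    per_day = defaultdict(int)      # date -> events from watch_ip
    in_subnet = defaultdict(int)    # source IP -> events, for the whole window
    ports = set()                   # destination ports hit by watch_ip
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 3:
            continue                # skip blank or truncated lines
        date, src, dport = row[0], row[1], row[2]
        if ipaddress.ip_address(src) not in net:
            continue
        in_subnet[src] += 1
        if src == watch_ip:
            per_day[date] += 1
            ports.add(int(dport))
    return {
        "network": str(net),
        "per_day": dict(per_day),
        "sources_in_subnet": dict(in_subnet),
        "ports": sorted(ports),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "70.42.131.170"))
```

More than one key under `sources_in_subnet` means an exception or alert-suppression rule written for the single address would not cover all of the traffic.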
