I have a customer who asked about traffic which he saw on his Firewall.
I looked in firewall logs from several others customers and find the same IP address. It is always a HTTP oder HTTPS connection.
The traffic is coming from the 126.96.36.199. According to several internet sources this IP address belongs to PaloAlto Networks
Because neither the PaloAlto Website or Google could gave me an answer on this and this not really worth a support case, i thought to place this question here. I think this might be a web crawler or something like this?!
I hope someone can clearfy this
This IP Address has been spamming my network, 4.5 million events since early october~~. This is setting off IDS alerts and taking away time from our team to research. This seems really excessive for a web crawler does it not? It's constant 35,000 - 39,000 events per day.
Can you stop, or do we just blacklist you?
@khuynh That's a really laxed response for a security related incident that you're responsible for. Why would I need to make a TAC when you're the person who is apparently involved in the scanning/web crawling activity? PAN should have this published to customers so we do not have to use resouces to researching a potentional security issue.
Thanks I will make a TAC, and I have changed my mind and removed you from my friends list.
I didn't mean to be rude, sorry if you feel that.
I do work for Palo Alto as a SE, but I'm not responsible for the scanning of our internal teams. I have in my region several customers who have the same concerns as you, and I want you to have the most detailed answer and the best solution for you. The best way to figure out a good solution for your environnement is to go through our TAC, who will be able to deliver the best solution that fits you, depending on your architecture, devices, licenses, and so on.
A little bit sad to hear that we are not friend anymore on Live ;), but I will still go on and try to help people here to the best of my knowledge.
PS: Feel free to drop me an email if you want to continue this discussion.
Thanks for the additional information @khuynh
>I have in my region several customers who have the same concerns as you
At this point what solutions do you provide for them? If you have previously asked them to open a TAC was there any resolution found that you can share? I really just want to know if this is a single 1-off IP Address, or if this web crawling traffic will be coming from an entire PAN IP Address subnet. We can then create our own settings that would be best to mitigate this traffic.
I provided to my customers the same solution I provided to you: to open a ticket.
The TAC will then be able to share with you the specific IPs and ranges we use (I cannot list them in a public forum and you will easily guess why), so you can indeed block them. Another possibility the TAC would offer is to give us a list of your URLs/domains/IPs, so we can exclude them from analysis/scan. They will also be able to share with you what are our plans to be less intrusive in the future. Again, you will understand that these kind of information cannot be share like that in a public forum but again, our TAC will be happy to help you & share with you those internal information.
Thanks for the information, will do.
>give us a list of your URLs/domains/IPs, so we can exclude them from analysis/scan.
The reason I don't want to do this is because we often have developers creating new domain names. If your crawlers do not crawl our network for these newly hosted domains, then they will be listed as unknown and the blocked since we have that category set to block.
Take care, -Rags
We received a decent response from PAN, butI don't believe these issues are related. This traffic started months ago and is still active, while the response indicates it has been resolved.
On Tuesday, February 6th, 2018 we became aware of IPS events being triggered in some customer environments with source IP addresses attributable to Palo Alto Networks. We determined these events were related to benign scanning by the Palo Alto Networks URL Filtering service. Please note, this did not pose any risk to your organization's security.
PAN-DB relies on a set of systems designed to automatically identify, crawl, and categorize content on the web. For these IPS events, we observed HTTP activity in some customer environments generated lookups to URL Filtering systems for 'unknown' URL's. Based on this information, our crawlers visited systems with IP addresses associated with those URL lookups.
These routine attempts to visit and categorize URLs unknown to the cloud triggered some IPS systems to inadvertently identify the traffic as command-and-control activity, based on a unique hardcoded string in the request.
On Thursday, Feb 8 at 1:30PM PST we implemented a fix to prevent lookups from our PAN-DB web crawlers from triggering IPS signatures in the future.
We regret any inconvenience caused by these false-positives and thank you for your patience as we worked to resolve the issue. Please be assured that this did not pose any risk to your organization's security and these events were not related to any attacks from Palo Alto Networks.
Due to this issue, they have now changed the matric (matric?? metric?) crawlers so that it should only be going out on 188.8.131.52. This would be the IP they can look for.
Let us know if there is anything else or if we may close the case.
So, based on the above, PAN is only scanning from 184.108.40.206, so you are seeing traffic that can be expected. At least now we have an official response from Palo Alto on the issue and they have confirmed that it is indeed them doing the scanning from 220.127.116.11.
At this point I'm still not sure of which action to take. I kind of don't want to block the IP if it is categorizing our newly hosted URLs. At least we know what it is now.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!