I provided to my customers the same solution I provided to you: to open a ticket.
The TAC will then be able to share with you the specific IPs and ranges we use (I cannot list them in a public forum and you will easily guess why), so you can indeed block them. Another possibility the TAC would offer is to give us a list of your URLs/domains/IPs, so we can exclude them from analysis/scan. They will also be able to share with you what are our plans to be less intrusive in the future. Again, you will understand that these kind of information cannot be share like that in a public forum but again, our TAC will be happy to help you & share with you those internal information.
Thanks for the information, will do.
>give us a list of your URLs/domains/IPs, so we can exclude them from analysis/scan.
The reason I don't want to do this is because we often have developers creating new domain names. If your crawlers do not crawl our network for these newly hosted domains, then they will be listed as unknown and the blocked since we have that category set to block.
Take care, -Rags
We received a decent response from PAN, butI don't believe these issues are related. This traffic started months ago and is still active, while the response indicates it has been resolved.
On Tuesday, February 6th, 2018 we became aware of IPS events being triggered in some customer environments with source IP addresses attributable to Palo Alto Networks. We determined these events were related to benign scanning by the Palo Alto Networks URL Filtering service. Please note, this did not pose any risk to your organization's security.
PAN-DB relies on a set of systems designed to automatically identify, crawl, and categorize content on the web. For these IPS events, we observed HTTP activity in some customer environments generated lookups to URL Filtering systems for 'unknown' URL's. Based on this information, our crawlers visited systems with IP addresses associated with those URL lookups.
These routine attempts to visit and categorize URLs unknown to the cloud triggered some IPS systems to inadvertently identify the traffic as command-and-control activity, based on a unique hardcoded string in the request.
On Thursday, Feb 8 at 1:30PM PST we implemented a fix to prevent lookups from our PAN-DB web crawlers from triggering IPS signatures in the future.
We regret any inconvenience caused by these false-positives and thank you for your patience as we worked to resolve the issue. Please be assured that this did not pose any risk to your organization's security and these events were not related to any attacks from Palo Alto Networks.
Due to this issue, they have now changed the matric (matric?? metric?) crawlers so that it should only be going out on 220.127.116.11. This would be the IP they can look for.
Let us know if there is anything else or if we may close the case.
So, based on the above, PAN is only scanning from 18.104.22.168, so you are seeing traffic that can be expected. At least now we have an official response from Palo Alto on the issue and they have confirmed that it is indeed them doing the scanning from 22.214.171.124.
At this point I'm still not sure of which action to take. I kind of don't want to block the IP if it is categorizing our newly hosted URLs. At least we know what it is now.
Matrix! What TAC was trying to say was that they changed the matrix ;)
I would treat this IP as every other external IP. But if there is again something strange coming from there in the future, you directly know where to go/ask.
And: thank you for sharing this information here.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!