Incoming Traffic from Palo Alto IP Address

MatthiasBehn · ‎01-21-2018

I have a customer who asked about traffic which he saw on his Firewall.

I looked in firewall logs from several others customers and find the same IP address. It is always a HTTP oder HTTPS connection.

The traffic is coming from the 70.42.131.170. According to several internet sources this IP address belongs to PaloAlto Networks

https://whatismyipaddress.com/ip/70.42.131.170

Because neither the PaloAlto Website or Google could gave me an answer on this and this not really worth a support case, i thought to place this question here. I think this might be a web crawler or something like this?!

I hope someone can clearfy this

Regards.

khuynh · ‎01-22-2018

Hello Matthias,

It's indeed a IP address belonging to Palo Alto Networks. We crawl on a regular basis URLs from a variety of different sources to better identify and prevent potentially malicious content.

HTH

View solution in original post

khuynh · ‎01-22-2018

Hello Matthias,

It's indeed a IP address belonging to Palo Alto Networks. We crawl on a regular basis URLs from a variety of different sources to better identify and prevent potentially malicious content.

HTH

Rags · ‎02-06-2018

@khuynh

This IP Address has been spamming my network, 4.5 million events since early october~~. This is setting off IDS alerts and taking away time from our team to research. This seems really excessive for a web crawler does it not? It's constant 35,000 - 39,000 events per day.

Can you stop, or do we just blacklist you?

Rags · ‎02-06-2018

image.

Rags · ‎02-06-2018

Would it be reasonable to ask PAN to release the IP Range of IPs that they use for web crawling/scanning? We could create our own security policy so these events won't log and note that it is our security vendor crawling us.

Thanks, Rags

MatthiasBehn · ‎02-06-2018

thats an interesting idea.

A bit more transperncy with this ip addresses or lets say "services" would be nice.

khuynh · ‎02-06-2018

@Rags

If you have any inquiries related to that traffic, please open a support ticket and our support team will help you and figure out how to make it more convenient for you.

Regards,

Rags · ‎02-06-2018

@khuynh That's a really laxed response for a security related incident that you're responsible for. Why would I need to make a TAC when you're the person who is apparently involved in the scanning/web crawling activity? PAN should have this published to customers so we do not have to use resouces to researching a potentional security issue.

Thanks I will make a TAC, and I have changed my mind and removed you from my friends list.

Regards,

khuynh · ‎02-06-2018

@Rags

I didn't mean to be rude, sorry if you feel that.

I do work for Palo Alto as a SE, but I'm not responsible for the scanning of our internal teams. I have in my region several customers who have the same concerns as you, and I want you to have the most detailed answer and the best solution for you. The best way to figure out a good solution for your environnement is to go through our TAC, who will be able to deliver the best solution that fits you, depending on your architecture, devices, licenses, and so on.

A little bit sad to hear that we are not friend anymore on Live ;), but I will still go on and try to help people here to the best of my knowledge.

Regards,

PS: Feel free to drop me an email if you want to continue this discussion.

Rags · ‎02-06-2018

Thanks for the additional information @khuynh

>I have in my region several customers who have the same concerns as you

At this point what solutions do you provide for them? If you have previously asked them to open a TAC was there any resolution found that you can share? I really just want to know if this is a single 1-off IP Address, or if this web crawling traffic will be coming from an entire PAN IP Address subnet. We can then create our own settings that would be best to mitigate this traffic.

Thanks, -Rags

khuynh · ‎02-06-2018

I provided to my customers the same solution I provided to you: to open a ticket.

The TAC will then be able to share with you the specific IPs and ranges we use (I cannot list them in a public forum and you will easily guess why), so you can indeed block them. Another possibility the TAC would offer is to give us a list of your URLs/domains/IPs, so we can exclude them from analysis/scan. They will also be able to share with you what are our plans to be less intrusive in the future. Again, you will understand that these kind of information cannot be share like that in a public forum but again, our TAC will be happy to help you & share with you those internal information.

HTH

Rags · ‎02-06-2018

Thanks for the information, will do.

>give us a list of your URLs/domains/IPs, so we can exclude them from analysis/scan.

The reason I don't want to do this is because we often have developers creating new domain names. If your crawlers do not crawl our network for these newly hosted domains, then they will be listed as unknown and the blocked since we have that category set to block.

Take care, -Rags

Rags · ‎02-15-2018

We received a decent response from PAN, butI don't believe these issues are related. This traffic started months ago and is still active, while the response indicates it has been resolved.

On Tuesday, February 6th, 2018 we became aware of IPS events being triggered in some customer environments with source IP addresses attributable to Palo Alto Networks. We determined these events were related to benign scanning by the Palo Alto Networks URL Filtering service. Please note, this did not pose any risk to your organization's security.

PAN-DB relies on a set of systems designed to automatically identify, crawl, and categorize content on the web. For these IPS events, we observed HTTP activity in some customer environments generated lookups to URL Filtering systems for 'unknown' URL's. Based on this information, our crawlers visited systems with IP addresses associated with those URL lookups.

These routine attempts to visit and categorize URLs unknown to the cloud triggered some IPS systems to inadvertently identify the traffic as command-and-control activity, based on a unique hardcoded string in the request.

On Thursday, Feb 8 at 1:30PM PST we implemented a fix to prevent lookups from our PAN-DB web crawlers from triggering IPS signatures in the future.

We regret any inconvenience caused by these false-positives and thank you for your patience as we worked to resolve the issue. Please be assured that this did not pose any risk to your organization's security and these events were not related to any attacks from Palo Alto Networks.

Rags · ‎02-15-2018

@MatthiasBehn

Has the traffic subsided for your customer?

Thanks, -Rags

Rags · ‎02-27-2018

Due to this issue, they have now changed the matric (matric?? metric?) crawlers so that it should only be going out on 70.42.131.170. This would be the IP they can look for.

Let us know if there is anything else or if we may close the case.

So, based on the above, PAN is only scanning from 70.42.131.170, so you are seeing traffic that can be expected. At least now we have an official response from Palo Alto on the issue and they have confirmed that it is indeed them doing the scanning from 70.42.131.170.

At this point I'm still not sure of which action to take. I kind of don't want to block the IP if it is categorizing our newly hosted URLs. At least we know what it is now.

Thanks, -Rags

Incoming Traffic from Palo Alto IP Address

Incoming Traffic from Palo Alto IP Address

Show your appreciation!