Incoming Traffic from Palo Alto IP Address

cancel
Showing results for 
Search instead for 
Did you mean: 

Incoming Traffic from Palo Alto IP Address

L1 Bithead

I have a customer who asked about traffic which he saw on his Firewall.

I looked in firewall logs from several others customers and find the same IP address. It is always a HTTP oder HTTPS connection.

 

The traffic is coming from the 70.42.131.170. According to several internet sources this IP address belongs to PaloAlto Networks

https://whatismyipaddress.com/ip/70.42.131.170

 

Because neither the PaloAlto Website or Google could gave me an answer on this and this not really worth a support case, i thought to place this question here.  I think this might be a web crawler or something like this?!

 

I hope someone can clearfy this

 

Regards.

 

 

1 ACCEPTED SOLUTION

Accepted Solutions

L2 Linker

Hello Matthias,


It's indeed a IP address belonging to Palo Alto Networks. We crawl on a regular basis URLs from a variety of different sources to better identify and prevent potentially malicious content.


HTH

View solution in original post

15 REPLIES 15

L2 Linker

Hello Matthias,


It's indeed a IP address belonging to Palo Alto Networks. We crawl on a regular basis URLs from a variety of different sources to better identify and prevent potentially malicious content.


HTH

@khuynh

 

This IP Address has been spamming my network, 4.5 million events since early october~~. This is setting off IDS alerts and taking away time from our team to research. This seems really excessive for a web crawler does it not? It's constant 35,000 - 39,000 events per day.

 

Can you stop, or do we just blacklist you? 

image.PAN4.PNG

Would it be reasonable to ask PAN to release the IP Range of IPs that they use for web crawling/scanning? We could create our own security policy so these events won't log and note that it is our security vendor crawling us. 

 

Thanks, Rags

thats an interesting idea. 

A bit more transperncy with this ip addresses or lets say "services" would be nice. 

@Rags

If you have any inquiries related to that traffic, please open a support ticket and our support team will help you and figure out how to make it more convenient for you.

Regards,

 

@khuynh That's a really laxed response for a security related incident that you're responsible for. Why would I need to make a TAC when you're the person who is apparently involved in the scanning/web crawling activity? PAN should have this published to customers so we do not have to use resouces to researching a potentional security issue. 

 

Thanks I will make a TAC, and I have changed my mind and removed you from my friends list. 

 

Regards,

@Rags

I didn't mean to be rude, sorry if you feel that.

I do work for Palo Alto as a SE, but I'm not responsible for the scanning of our internal teams. I have in my region several customers who have the same concerns as you, and I want you to have the most detailed answer and the best solution for you. The best way to figure out a good solution for your environnement is to go through our TAC, who will be able to deliver the best solution that fits you, depending on your architecture, devices, licenses, and so on.

 

A little bit sad to hear that we are not friend anymore on Live ;), but I will still go on and try to help people here to the best of my knowledge.

 

Regards,

 

PS: Feel free to drop me an email if you want to continue this discussion.

Thanks for the additional information @khuynh

 

>I have in my region several customers who have the same concerns as you

 

At this point what solutions do you provide for them? If you have previously asked them to open a TAC was there any resolution found that you can share? I really just want to know if this is a single 1-off IP Address, or if this web crawling traffic will be coming from an entire PAN IP Address subnet. We can then create our own settings that would be best to mitigate this traffic.

 

Thanks, -Rags

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!