First I would like to say that we are pursuing this with CarbonBlack and we have worked with PAN support already to see what our options are. This is as much an informative post as it is to see what other people think and are doing.
For the record, PAN support suggested changing the DNS entry from a lookup to an FTP file check. We would prefer to correct the actual problem rather than do this and use the three cron jobs I created (if I die/quit/etc. they don't want to have to figure it out; I don't blame them).
On to post #2 and the topic!
This is the rule that is sometimes allowing access and other times denying based on whether or not the PA knows about the IP being used.
Then, as far as I know Palo Alto, there must be something else that prevents the access, because when you allow access based on a URL the firewall does not care about the IP behind the domain name/URL. In this case the firewall only checks the HTTP Host header, or the SNI extension / certificate CN in a TLS connection.
The logs that you posted: are these logs all from the same security policy rule? Do you maybe specify source addresses in that rule that do not allow the access for all servers that need to connect to that URL? I am asking this because there are multiple IP addresses that are both allowed and blocked, and so far I am not (and never was) aware of a bug that results in such a behaviour. Here are some IPs that are allowed and blocked in your log: