IP address being blocked by PAN Malicious IP Feeds Inbound on PA820

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IP address being blocked by PAN Malicious IP Feeds Inbound on PA820

L2 Linker

Hello,

 

IP address 74.102.229.126  is being blocked by Palo Alto's Malicious IP Feeds Inbound rule. However this is a network that should be allowed on customer s company.

 

We cannot see a way of submitting an IP address to whitelist.

 

on below link we have:

https://urlfiltering.paloaltonetworks.com/query/

 

  URL: 74.102.229.126

  Categories: Unknown

  Risk Level: Medium-Risk

  Category: Unknown

  Description: Sites that have not yet been identified by URL Filtering. If availability is critical to your business and you must allow the traffic, alert on unknown sites, apply the best practice Security profiles to the traffic, and investigate the alerts or reach out to PANW Support teams

  • Risk Level: Medium-Risk
  • Description: Sites confirmed to be malicious but have displayed benign activity for at least 60 days. All sites in the "Online Storage and Backup" category will be medium risk by default

Is it enough to request change ? otherwise, how can we allow this IP ?

 

Thanks in advance for your reply.

 

Best regards.

1 accepted solution

Accepted Solutions

L6 Presenter

I am a bit confused as to what is being blocked. It is said this is being blocked by the PaloAlto Malicious IP feed, but looking at that EDL I do not currently see the IP listed. Then a test of the IP in the URL Filtering is done and the IP comes up as "Unknown" (which it should because it is a bare IP, not a specific domain/FQDN/URL).

 

If this is internal users reaching out to a web address that is an IP address instead of a FQDN (ie. https://74.102.229.126 vs. https://example.com ), then as @OtakarKlier said you can create a custom URL Filtering rule to allow that. I don't think PaloAlto would be likely to add an IP to the URL filters.

 

If this is incoming traffic to your servers from that customer IP and it is being blocked by one of the EDL feeds, then you can open the EDL feed (Objects->External Dynamic Lists->Palo Alto Networks - Known malicious IP addresses->List Entries And Exceptions) and enter an exception address in the "Manual Exceptions" list.

 

Or perhaps it is being blocked by something that is neither of these cases?

 

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello,

How are users accessing the site, it looks like via a web browser. I would put the request through via the url filtering portal like you have above. If you need it sooner, you can put in a security policy to allow it and dont apply url filtering to that policy.

 

Regards,

L6 Presenter

I am a bit confused as to what is being blocked. It is said this is being blocked by the PaloAlto Malicious IP feed, but looking at that EDL I do not currently see the IP listed. Then a test of the IP in the URL Filtering is done and the IP comes up as "Unknown" (which it should because it is a bare IP, not a specific domain/FQDN/URL).

 

If this is internal users reaching out to a web address that is an IP address instead of a FQDN (ie. https://74.102.229.126 vs. https://example.com ), then as @OtakarKlier said you can create a custom URL Filtering rule to allow that. I don't think PaloAlto would be likely to add an IP to the URL filters.

 

If this is incoming traffic to your servers from that customer IP and it is being blocked by one of the EDL feeds, then you can open the EDL feed (Objects->External Dynamic Lists->Palo Alto Networks - Known malicious IP addresses->List Entries And Exceptions) and enter an exception address in the "Manual Exceptions" list.

 

Or perhaps it is being blocked by something that is neither of these cases?

 

L2 Linker

Hello,

 

Thank you for your replies.

 

Finally, it was a bad modification done by one colleague as he added the IP address to a custom EDL which is also apart of the ‘PAN Malicious IP Feeds Inbound’ ruleset. After removing the IP address and waiting for the firewall to scrape the EDL, the traffic is working as expected.

 

Thanks again for your assistance.

 

Have a nice day ahead.

 

Best regards.

 

 

  • 1 accepted solution
  • 331 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!