Public Website IPs that is not a part of the address object group specified in destination is being blocked by Deny security policy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Public Website IPs that is not a part of the address object group specified in destination is being blocked by Deny security policy

L2 Linker

Hi Team,

I’m experiencing an unusual issue with my Palo Alto firewall. This problem started about a week ago. Prior to that, the website in question was functioning properly and being handled by the appropriate security policy.

 

Currently, a public website is being blocked by a specific security policy in the firewall. Upon reviewing this policy, I couldn’t find the website’s address in any of the destination address groups.

 

Here are the details of the policy:

  • Source Zone: Any
  • Source Address: Any
  • Destination Zone: Any
  • Destination Address: Static Address Object
  • Policy Action: Deny

Website: https://********.org

 

Websites  IPs do not appear to be part of the static address objects in the destination address lists.

 

Interestingly, if we remove the static address object from the policy, the website works fine and is processed by the appropriate security policy.

Please advise on how to resolve this issue.

@kiwi @ahameed @mshamamulla @paloalto 

 

 

 

1 accepted solution

Accepted Solutions

L6 Presenter

Does the address group contain just IP addresses? Or does it also contain FQDN address objects?

 

The arabglobalscholars.org FQDN resolves to 7 different Cloudflare IPs that are widely used for other FQDNs as well:

104.21.16.1

104.21.32.1

104.21.48.1

104.21.64.1
104.21.80.1

104.21.96.1

104.21.112.1

 

These IPs are widely used for other websites as well. I recently had a known malware FQDN switch from one IP to Cloudflare proxy on these IPs which caused a block of unrelated websites in our filtering rules.

View solution in original post

7 REPLIES 7

L2 Linker

We also tried to find out those IPs in the CLI as well, however, we couldn't find it. is it a bug. 

L1 Bithead

I am also facing the same issue for website https://arabglobalscholars.org/ . it is getting blocked by the object group that does not contain the ip address of the website

L6 Presenter

I don't know exactly what @RoneyRajan123's website is, but @Rahul.Balan's website resolves to a Cloudflare proxy frontend. The indicated Security Policies blocks solely based on the destination IP address matching one included or resolved in the Address list (which may be both IP address and FQDNs which are resolved to IPs). It does not match based on the FQDN name itself.

 

Cloudflare proxies act as the front end for many different FQDNs resolved to the same IP addresses. There may be a completely different FQDN address object that is resolving to the same IP as the site you are trying to access. Therefore, both destinations get blocked because both resolve to the same IP(s).

 

Unfortunately, if you have a large Address list using FQDNs, there is no good way to quickly filter to objects matching a certain IP address, but you can browse through them using the following command on the CLI:

show dns-proxy fqdn all

 

This will show all FQDN address objects currently monitored and their resolved IP address(es). You can also quickly search for a particular IP using a match filter, but unfortunately, do to the way the list is formatted, it doesn't show the FQDN, you have to review the entire list manually for that.

show dns-proxy fqdn all | match <IP address>

 

If you have a large number of address objects to be blocked, or FQDNs that resolve to a Cloudflare IP, consider if using a URL filter is a better option to prevent false positive blocking. 

L2 Linker

Hi @ADR,

I’m experiencing the same issue with the URL:

https://arabglobalscholars.org/

as mentioned by @Rahul.Balan above.

This issue is occurring across multiple customers.

The URL is being blocked by a deny policy applied to an address object group containing multiple blacklisted static IP addresses. However, upon reviewing the blacklist, we cannot find the website's IP address within this group.

If we remove the object group, the policy instead hits a specified rule.

Could you please assist in resolving this?

L6 Presenter

Does the address group contain just IP addresses? Or does it also contain FQDN address objects?

 

The arabglobalscholars.org FQDN resolves to 7 different Cloudflare IPs that are widely used for other FQDNs as well:

104.21.16.1

104.21.32.1

104.21.48.1

104.21.64.1
104.21.80.1

104.21.96.1

104.21.112.1

 

These IPs are widely used for other websites as well. I recently had a known malware FQDN switch from one IP to Cloudflare proxy on these IPs which caused a block of unrelated websites in our filtering rules.

L5 Sessionator

Hi @RoneyRajan123 

 

1. Make sure the right Security rule is above the security rule which is blocking the website.
2. Even after step-1 if still the right security rule is bypassed and wrong security rule is hit then take Debug logs to understand the root cause.

https://live.paloaltonetworks.com/t5/general-articles/tips-amp-tricks-flow-basic-debugging/ta-p/5459...

Mohammed Shamamulla
Technical Partner Manager | Palo Alto Networks
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

 

Hi @Adrian_Jensen 

 

Thank you so much for your support.
I got in the solution for my issue. Actually customer also using a malicious FQDN on their address object group which was also resolved to the same IP address.

  • 1 accepted solution
  • 313 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!