12-21-2024 11:55 PM - edited 12-22-2024 12:14 AM
Hi Team,
I’m experiencing an unusual issue with my Palo Alto firewall. This problem started about a week ago. Prior to that, the website in question was functioning properly and being handled by the appropriate security policy.
Currently, a public website is being blocked by a specific security policy in the firewall. Upon reviewing this policy, I couldn’t find the website’s address in any of the destination address groups.
Here are the details of the policy:
Website: https://********.org
The website's IPs do not appear to be part of the static address objects in the destination address lists.
Interestingly, if we remove the static address object from the policy, the website works fine and is processed by the appropriate security policy.
Please advise on how to resolve this issue.
@kiwi @ahameed @mshamamulla @paloalto
12-23-2024 09:41 AM
Does the address group contain just IP addresses? Or does it also contain FQDN address objects?
The arabglobalscholars.org FQDN resolves to 7 different Cloudflare IPs that are widely used for other FQDNs as well:
104.21.16.1
104.21.32.1
104.21.48.1
104.21.64.1
104.21.80.1
104.21.96.1
104.21.112.1
These IPs are widely used for other websites as well. I recently had a known malware FQDN switch from one IP to Cloudflare proxy on these IPs which caused a block of unrelated websites in our filtering rules.
12-22-2024 12:18 AM
We also tried to find those IPs in the CLI, however, we couldn't find them. Is it a bug?
12-22-2024 11:48 PM
I am also facing the same issue for the website https://arabglobalscholars.org/. It is getting blocked by the object group that does not contain the IP address of the website.
12-23-2024 08:13 AM
I don't know exactly what @RoneyRajan123's website is, but @Rahul.Balan's website resolves to a Cloudflare proxy frontend. The indicated Security Policy blocks solely based on the destination IP address matching one included in, or resolved from, the Address list (which may contain both IP addresses and FQDNs that are resolved to IPs). It does not match based on the FQDN name itself.
Cloudflare proxies act as the front end for many different FQDNs resolved to the same IP addresses. There may be a completely different FQDN address object that is resolving to the same IP as the site you are trying to access. Therefore, both destinations get blocked because both resolve to the same IP(s).
Unfortunately, if you have a large Address list using FQDNs, there is no good way to quickly filter to objects matching a certain IP address, but you can browse through them using the following command on the CLI:
show dns-proxy fqdn all
This will show all FQDN address objects currently monitored and their resolved IP address(es). You can also quickly search for a particular IP using a match filter, but unfortunately, due to the way the list is formatted, it doesn't show the FQDN; you have to review the entire list manually for that.
show dns-proxy fqdn all | match <IP address>
If you have a large number of address objects to be blocked, or FQDNs that resolve to a Cloudflare IP, consider if using a URL filter is a better option to prevent false positive blocking.
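Added worked example (not part of this thread, and not a PAN-OS tool): a small Python model of the match logic described above. It expands a block-list address group into the IPs its members cover, using a constructed stand-in for the firewall's FQDN resolution cache (the kind of data `show dns-proxy fqdn all` reports), and then answers the question the thread is really asking: for each IP a site resolves to, which group member is responsible for the match? The group members, the hypothetical FQDN names and the resolution results are all constructed for the example; only the seven arabglobalscholars.org IPs come from the thread.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for the firewall's FQDN resolution cache.
# "bad-actor.example" and "other-blocked.example" are hypothetical names,
# not indicators from the thread; their IPs are made up for the example.
RESOLVED_FQDNS: Dict[str, List[str]] = {
    "arabglobalscholars.org": [
        "104.21.16.1", "104.21.32.1", "104.21.48.1", "104.21.64.1",
        "104.21.80.1", "104.21.96.1", "104.21.112.1",
    ],
    # Hypothetical block-listed FQDN that has moved behind the same
    # Cloudflare proxy range as the legitimate site.
    "bad-actor.example": ["104.21.16.1", "104.21.48.1"],
    "other-blocked.example": ["198.51.100.20"],
}

# Constructed block-list address group: static IPs, a CIDR and FQDN objects.
# Each member is (object type, value), mirroring ip-netmask vs fqdn objects.
BLOCKLIST_GROUP: List[Tuple[str, str]] = [
    ("ip-netmask", "203.0.113.7"),
    ("ip-netmask", "192.0.2.0/24"),
    ("fqdn", "bad-actor.example"),
    ("fqdn", "other-blocked.example"),
]


def expand_member(kind: str, value: str,
                  cache: Dict[str, List[str]]) -> List[ipaddress.IPv4Network]:
    """Return the networks one address object covers.

    FQDN objects contribute every IP currently in the resolution cache;
    an unresolved FQDN contributes nothing, because the rule can only
    match on addresses, never on the name itself.
    """
    if kind == "fqdn":
        return [ipaddress.ip_network(ip) for ip in cache.get(value, [])]
    return [ipaddress.ip_network(value, strict=False)]


def matching_objects(dest_ip: str, group: List[Tuple[str, str]],
                     cache: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """List the group members whose addresses cover dest_ip.

    This mirrors how the security policy evaluates the destination:
    purely by IP, so any member resolving to a shared proxy IP matches.
    """
    addr = ipaddress.ip_address(dest_ip)
    hits = []
    for kind, value in group:
        if any(addr in net for net in expand_member(kind, value, cache)):
            hits.append((kind, value))
    return hits


def explain_block(site_fqdn: str, group: List[Tuple[str, str]],
                  cache: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """For each IP the site resolves to, report which members cover it.

    An empty list for an IP means a client that received that answer
    from DNS would not be caught by this group.
    """
    return {ip: matching_objects(ip, group, cache)
            for ip in cache.get(site_fqdn, [])}


if __name__ == "__main__":
    report = explain_block("arabglobalscholars.org", BLOCKLIST_GROUP, RESOLVED_FQDNS)
    for ip, hits in report.items():
        print(ip, "->", hits if hits else "no match")
```

Running the script shows that only two of the seven Cloudflare IPs are covered, and only by the hypothetical FQDN object, which is exactly the pattern reported at the end of this thread (a block-listed FQDN that quietly started resolving to a shared proxy IP). Because the site's DNS answers rotate through all seven addresses, a block caused this way can also look intermittent from the client side. With a real deployment you would replace the constructed cache with the firewall's actual FQDN resolution data and the group with its actual members; the matching logic stays the same.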
12-23-2024 09:07 AM
Hi @ADR,
I’m experiencing the same issue with the URL:
https://arabglobalscholars.org/
as mentioned by @Rahul.Balan above.
This issue is occurring across multiple customers.
The URL is being blocked by a deny policy applied to an address object group containing multiple blacklisted static IP addresses. However, upon reviewing the blacklist, we cannot find the website's IP address within this group.
If we remove the object group, the policy instead hits a specified rule.
Could you please assist in resolving this?
12-23-2024 11:03 PM
1. Make sure the right security rule is above the security rule which is blocking the website.
2. If, even after step 1, the right security rule is still bypassed and the wrong security rule is hit, then take debug logs to understand the root cause.
12-23-2024 11:08 PM
Thank you so much for your support.
I got the solution for my issue. Actually, the customer was also using a malicious FQDN in their address object group which also resolved to the same IP address.