03-31-2017 02:43 PM
One of my customers has asked if it is possible to block and/or alert upon HTTP or HTTPS connections that are made directly to an IP address instead of a DNS name. The specific IP addresses or DNS names are not defined; they would just like to alert upon this behavior any time it is seen, since some malware can be hard-coded with IP addresses and users can potentially use this to bypass URL filtering.
I opened a case with support and was told this is not supported but I wanted to double check, as I vaguely remember this being discussed in a previous training that I attended.
Assuming no encryption has been applied to simplify the use case, is there any way to block or alert upon such behavior? Can a Regex string be used to match the URI in an HTTP header or something of the sort? Or is this not possible with Palo Alto firewalls?
Thanks.