L6 Presenter

I don't know exactly what @RoneyRajan123's website is, but @Rahul.Balan's website resolves to a Cloudflare proxy frontend. The indicated Security Policies block solely based on the destination IP address matching one included or resolved in the Address list (which may contain both IP addresses and FQDNs, which are resolved to IPs). It does not match based on the FQDN name itself.

Cloudflare proxies act as the front end for many different FQDNs resolved to the same IP addresses. There may be a completely different FQDN address object that is resolving to the same IP as the site you are trying to access. Therefore, both destinations get blocked because both resolve to the same IP(s).


Unfortunately, if you have a large Address list using FQDNs, there is no good way to quickly filter to objects matching a certain IP address, but you can browse through them using the following command on the CLI:

show dns-proxy fqdn all


This will show all FQDN address objects currently monitored and their resolved IP address(es). You can also quickly search for a particular IP using a match filter, but unfortunately, due to the way the list is formatted, it doesn't show the FQDN; you have to review the entire list manually for that.

show dns-proxy fqdn all | match <IP address>


If you have a large number of address objects to be blocked, or FQDNs that resolve to a Cloudflare IP, consider whether using a URL filter is a better option to prevent false positive blocking.
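As an added example (not part of the post above and not a PAN-OS feature), a small Python helper that does the cross-check the post says the CLI cannot do quickly: it resolves each FQDN address object and reports which blocked objects share an IP with the site you are actually trying to reach. The object names, FQDNs and IPs below are constructed placeholders; the default resolver uses live DNS, and the offline stand-in is only there so the example runs anywhere.

```python
import socket
from collections import defaultdict


def resolve_all(fqdn):
    """Resolve an FQDN to the set of IPs it currently maps to, using live DNS."""
    try:
        infos = socket.getaddrinfo(fqdn, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def ip_collisions(address_objects, resolver=resolve_all):
    """Map each resolved IP to the FQDN address objects that resolve to it.

    address_objects: {object_name: fqdn}. Returns only IPs shared by two or
    more objects, i.e. the cases where an IP-based block catches several sites.
    """
    by_ip = defaultdict(set)
    for name, fqdn in address_objects.items():
        for ip in resolver(fqdn):
            by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def objects_blocking(target_fqdn, blocked_objects, resolver=resolve_all):
    """Return the blocked objects whose resolved IPs overlap with target_fqdn's.

    Any object listed here would cause a deny rule built on blocked_objects
    to also block traffic to target_fqdn (the shared-proxy-IP false positive).
    """
    target_ips = resolver(target_fqdn)
    hits = {}
    for name, fqdn in blocked_objects.items():
        shared = target_ips & resolver(fqdn)
        if shared:
            hits[name] = sorted(shared)
    return hits


# Constructed stand-in for DNS so the example runs offline; IPs are documentation ranges.
FAKE_DNS = {
    "blocked-site.example": {"203.0.113.10", "203.0.113.11"},
    "other-blocked.example": {"198.51.100.5"},
    "my-app.example": {"203.0.113.11"},  # shares a proxy IP with blocked-site.example
}


def fake_resolver(fqdn):
    return FAKE_DNS.get(fqdn, set())


# Constructed block list: address object name -> FQDN it contains.
BLOCK_LIST = {"obj-blocked-site": "blocked-site.example", "obj-other": "other-blocked.example"}

if __name__ == "__main__":
    print(objects_blocking("my-app.example", BLOCK_LIST, fake_resolver))
```

Pass `resolve_all` (the default) instead of `fake_resolver` to run it against real DNS from a host that sees the same resolver the firewall uses; resolution differences between the firewall's DNS proxy and your workstation can otherwise hide or invent overlaps.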
