I have the same issue. I tested @jlieberman's hypothesis about opening too much. A little wiresharking and I can confirm the FQDN below, search-api-disney.svcs.dssott.com, IS used for delivering the Disney+ service. The domain is owned by Disney as well.

After adding an exception using threat-id 109001001 to the Anti-Spyware -> DNS Signatures -> Exceptions, service to the site was restored, but I now bypass the DNS security completely, it seems. Note that the test that is supposed to be blocked is now open as well.

Resolves correctly and service is restored:

    fb@GREYSMB ~ % dig @184.108.40.206 search-api-disney.svcs.dssott.com +short
    search-api-disney.bamgrid.com.
    dgel2a5rs1evz.cloudfront.net.
    220.127.116.11
    18.104.22.168
    22.214.171.124
    126.96.36.199

Testing URL provided by Palo Alto - this should fail and point to sinkhole, but instead resolves:

    fb@GREYSMB ~ % dig @188.8.131.52 test-dnstun.testpanw.com +short
    184.108.40.206

Normally the test URL looks like this and gets "sinkholed":

    fb@GREYSMB ~ % dig @220.127.116.11 test-dnstun.testpanw.com +short
    sinkhole.paloaltonetworks.com.

Faulty rule catching the legitimate domain FQDN:

    fb@GREYSMB ~ % dig @18.104.22.168 search-api-disney.svcs.dssott.com +short
    sinkhole.paloaltonetworks.com.
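A repeatable form of the check in the post above, as an added example that is not part of the original post or of Palo Alto's tooling: it classifies dig +short output and fails when the test domain is no longer sinkholed after an exception is added. The function names, the RESOLVER variable and the 192.0.2.x sample answers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Sinkhole CNAME as it appears in the blocked answers quoted in the post.
SINKHOLE="sinkhole.paloaltonetworks.com."

# classify_answer: read `dig +short` output on stdin and print one verdict:
#   sinkholed  - any answer line is the sinkhole CNAME
#   resolved   - at least one answer, none of them the sinkhole
#   no-answer  - empty output (NXDOMAIN, timeout, dropped query)
classify_answer() {
    awk -v sink="$SINKHOLE" '
        { sub(/\r$/, "") }            # tolerate CRLF in captured output
        NF == 0 { next }              # skip blank lines
        tolower($1) == sink { hit = 1 }
        { n++ }
        END {
            if (hit)    print "sinkholed"
            else if (n) print "resolved"
            else        print "no-answer"
        }'
}

# check_exception CANARY_VERDICT ALLOWED_VERDICT
# Passes only when the test domain is still sinkholed AND the excepted
# domain resolves, i.e. the exception did not switch off enforcement.
check_exception() {
    canary=$1
    allowed=$2
    if [ "$canary" != "sinkholed" ]; then
        echo "FAIL: test domain is '$canary'; DNS signature enforcement looks bypassed"
        return 1
    fi
    if [ "$allowed" != "resolved" ]; then
        echo "FAIL: excepted domain is '$allowed'; exception not effective"
        return 2
    fi
    echo "OK: exception is scoped; test domain still sinkholed"
}

# Live usage (RESOLVER is a placeholder for the DNS server behind the firewall):
#   c=$(dig @"$RESOLVER" test-dnstun.testpanw.com +short | classify_answer)
#   a=$(dig @"$RESOLVER" search-api-disney.svcs.dssott.com +short | classify_answer)
#   check_exception "$c" "$a"

# Constructed sample mirroring the post-exception state described in the post.
canary=$(printf '192.0.2.1\n' | classify_answer)
allowed=$(printf 'search-api-disney.bamgrid.com.\n192.0.2.10\n' | classify_answer)
check_exception "$canary" "$allowed" || true
```

Run it after every change to the DNS Signatures exception list; a non-zero exit means the change altered more than the one domain it was meant to allow.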