Report Prisma Access Website Access Issues

Some websites, such as stubhub.com, ticketmaster.com, or dollartree.com, block traffic from the AWS cloud IP address range. When users who are secured by Prisma Access attempt to access these websites, they can be denied access, and the web browser displays the following message:
Access Denied.

You don't have permission to access "http://www.dollartree.com/" on this server. Reference #18.7f955b8.1509600370.44eb7c8
To report this problem, open https://reportasite.gpcloudservice.com/ in a web browser and provide the URL of the website that is inaccessible. After 24-48 hours, return to https://reportasite.gpcloudservice.com/ and enter the same URL to see its status.
Palo Alto Networks provides you with the IP address that is used by the URL; in some cases, you must add this IP address to your organization’s allow lists so that this traffic is not blackholed. If you have URLs that get redirected, add these IP addresses to your allow lists:
  • 65.154.226.160
  • 154.59.126.110
  • 66.232.36.110
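
The following check is an added example, not part of the original documentation or any Palo Alto Networks tooling: it verifies that an organization's allow list covers the three redirect IP addresses listed above. The allow-list format (one entry per line as a single IP, a CIDR block, or a `start-end` range, with `#` comments), the function names, and the sample list are assumptions constructed for illustration.

```python
import ipaddress

# Addresses this page says to add to allow lists for redirected URLs.
REDIRECT_IPS = ["65.154.226.160", "154.59.126.110", "66.232.36.110"]

# Constructed sample allow list (assumed format, not a vendor export).
SAMPLE_ALLOW_LIST = """\
# corporate egress allow list (constructed sample)
65.154.226.160/32
154.59.126.0/24               # CIDR block that contains 154.59.126.110
66.232.36.100-66.232.36.105   # range that stops short of .110
10.0.0.0/8
"""


def parse_allow_list(text):
    """Return the networks described by the allow list.

    Accepts single IPs, CIDR blocks and 'start-end' ranges; anything after
    '#' is a comment. Malformed entries raise ValueError so a typo is not
    silently treated as "not allowed".
    """
    networks = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip())
                          for p in entry.split("-", 1))
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def missing_redirect_ips(allow_list_text, required=REDIRECT_IPS):
    """Return the required addresses that no allow-list entry covers."""
    networks = parse_allow_list(allow_list_text)
    return [ip for ip in required
            if not any(ipaddress.ip_address(ip) in net for net in networks)]


if __name__ == "__main__":
    for ip in missing_redirect_ips(SAMPLE_ALLOW_LIST):
        print(f"not covered by allow list: {ip}")
```
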
Prisma Access URL Redirect Process
Some websites block traffic from a cloud IP address range. When users who are secured by Prisma Access attempt to access these websites, they can be denied access. In order to ensure that access to these websites is restored, Palo Alto Networks reviews all such reported sites and, if an access issue is found, categorizes the site and adds an egress policy that NATs the IP address to one that can be accessed. Palo Alto Networks thoroughly reviews the sites to determine their reputation and only websites with a pristine reputation are added to the egress rule, while the others are rejected, using this process:
  1. You notify us of the URL with access issues using https://reportasite.gpcloudservice.com/.
  2. Site Reliability Engineering (SRE) automation reviews the URL.
  3. If SRE determines the URL to be safe, a policy-based forwarding (PBF) rule is applied to the URL and its parent domain.
  4. The traffic is routed via Prisma Access from the GlobalProtect gateway or remote network to a URL processing hub, where the PBF rule is applied to the domain, and from the hub to a Palo Alto Networks data center.
  5. As traffic egresses from the data center, the traffic for the URL is source NATted to the IP address of the data center.
As a result of these actions, traffic to and from the SaaS applications is not dropped because the data center IP address has a clean reputation.