Report Mobile User Site Access Issues

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Activation & Onboarding
Administration
Version
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Integrations
Incidents & Alerts
Release Notes
Version
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred

View User to IP Address or User Groups Mappings

Enable Mobile Users to Authenticate to Prisma Access

Report Mobile User Site Access Issues

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama)	Prisma Access license

Some websites such as stubhub.com, ticketmaster.com, or dollartree.com, block traffic from the AWS cloud IP address range. When users who are secured by Prisma Access attempt to access these websites, they can be denied access with the following message on the web browser:

Access Denied.

You don't have permission to access "http://www.dollartree.com/" on this server. Reference #18.7f955b8.1509600370.44eb7c8

To report this problem, enter https://reportasite.gpcloudservice.com/ from a web browser and provide the URL of the website that is inaccessible. After 24-48 hours, return to https://reportasite.gpcloudservice.com/ and enter the same URL to see its status.

Palo Alto Networks provides you with the IP address that is used by the URL; in some cases, you must add this IP address to your organization’s allow lists so that this traffic is not blackholed. If you have URLs that get redirected, add these IP addresses to your allow lists:

65.154.226.160
154.59.126.110
66.232.36.110

Prisma Access URL Redirect Process

Some websites block traffic from a cloud IP address range. When users who are secured by Prisma Access attempt to access these websites, they can be denied access. In order to ensure that access to these websites is restored, Palo Alto Networks reviews all such reported sites and, if an access issue is found, categorizes the site and adds an egress policy that NATs the IP address to one that can be accessed. Palo Alto Networks thoroughly reviews the sites to determine their reputation and only websites with a pristine reputation are added to the egress rule, while the others are rejected, using this process:

You notify us of the URL with access issues using https://reportasite.gpcloudservice.com/.
Site Reliability Engineering (SRE) automation reviews the URL.
If SRE determines the URL to be safe, a policy-based forwarding (PBF) rule is applied to the URL and its parent domain.
The traffic is routed via Prisma Access from the GlobalProtect gateway or remote network to a URL processing hub, where the PBF rule is applied to the domain, and from the hub to a Palo Alto Networks data center.
As traffic egresses from the data center, the URL is source NATted to the IP address of the data center.

As a result of these actions, traffic to and from the SaaS applications is not dropped because the data center IP address has a clean reputation.

View User to IP Address or User Groups Mappings

Enable Mobile Users to Authenticate to Prisma Access

Prisma Access Docs

Report Mobile User Site Access Issues

Prisma Access Docs

Report Mobile User Site Access Issues

Activation & Onboarding

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner