Some websites such as stubhub.com, ticketmaster.com,
or dollartree.com, block traffic from the AWS cloud IP address range.
When users who are secured by Prisma Access attempt to access these
websites, they can be denied access with the following message on
the web browser:
You don't have permission to access "http://www.dollartree.com/" on this server. Reference #18.7f955b8.1509600370.44eb7c8
Palo Alto Networks provides you with the IP address that is used
by the URL; in some cases, you must add this IP address to your
organization’s allow lists so that this traffic is not blackholed.
If you have URLs that get redirected, add these IP addresses to
your allow lists:
Prisma Access URL Redirect Process
Some websites block traffic from a cloud IP address range. When
users who are secured by Prisma Access attempt to access these websites,
they can be denied access. In order to ensure that access to these
websites is restored, Palo Alto Networks reviews all such reported
sites and, if an access issue is found, categorizes the site and
adds an egress policy that NATs the IP address to one that can be
accessed. Palo Alto Networks thoroughly reviews the sites to determine
their reputation and only websites with a pristine reputation are
added to the egress rule, while the others are rejected, using this process:
Site Reliability Engineering (SRE) automation reviews the
If SRE determines the URL to be safe, a policy-based forwarding
(PBF) rule is applied to the URL and its parent domain.
The traffic is routed via Prisma Access from the GlobalProtect
gateway or remote network to a URL processing hub, where the PBF
rule is applied to the domain, and from the hub to a Palo Alto Networks
As traffic egresses from the data center, the URL is source
NATted to the IP address of the data center.
As a result of these actions, traffic to and from the SaaS applications
is not dropped because the data center IP address has a clean reputation.