What Will Cause a URL to be Categorized as 'private-ip-address'?
Symptom
Traffic is categorized as 'private-ip-address' by URL Filtering and is being blocked by the URL Filtering profile.
Environment
PAN-OS >= 6.0
Cause
The 'private-ip-address' category in the URL Filtering profile is set to block.
Resolution
Rather than blocking the private-ip-address category in the URL Filtering profile, enforce this control in the Security Policy. Define one Address Group containing the RFC 1918 subnets (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and a second containing the link-local subnet (169.254.0.0/16). Then add a rule at the top of the Security Policy that denies, and logs, any traffic from the internal zones to Untrust whose destination address is in either the RFC 1918 group or the Link-Local group (a destination can never match both, so the rule must match on either). A Security Policy rule also has the advantage of catching non-web traffic to these addresses (for example DNS, NetBIOS or SMB beacons), which a URL category applied to allowed web sessions would never see.
Note: The RFC 1918 and Link-Local groups are kept separate so that the RFC 1918 object can be reused for other purposes, such as rules that match internal-to-internal traffic.
Additional Information
The category 'private-ip-address' is used for the private address ranges defined in RFC 1918, plus the IPv4 link-local range (which is defined in RFC 3927, not RFC 1918):
- 10.0.0.0 - 10.255.255.255 (10/8 prefix)
- 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
- 169.254.0.0 - 169.254.255.255 (169.254/16 prefix, link-local)
The PAN-DB cloud first checks whether the host portion of the URL is an IP address; an address in one of the ranges above is returned as 'private-ip-address'. If the host is not an IP, the cloud checks whether the name carries a top-level domain (TLD). If there is no TLD, the cloud also returns 'private-ip-address'.
The private-ip-address category is also used for top-level domains that are not publicly registered, such as .local.
It likewise covers URLs that use short names (single-label hostnames such as an intranet server name) with no top-level domain at all. See the following for examples:
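The following is an added example, not PAN-DB's code or Palo Alto Networks' own tooling. It approximates the decision procedure described above (IP literal first, then a TLD check) against the four ranges the article lists, and it also emits the Security Policy configuration recommended in the Resolution as PAN-OS CLI `set` commands. The object, group, rule and zone names (`RFC1918-n`, `Link-Local-169`, `Block-Private-To-Untrust`, `Trust`, `Untrust`) and the set of non-registered TLDs are assumptions; the article names only `.local`, so extend `UNREGISTERED_TLDS` with whatever your environment uses. The sample URLs in the demo are constructed.

```python
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# The ranges the article lists. They are kept in two groups to mirror the
# two Address Groups the Resolution recommends (RFC 1918 vs. link-local).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = [ipaddress.ip_network("169.254.0.0/16")]

# Assumption: the article names only .local; add your own non-public suffixes here.
UNREGISTERED_TLDS = {"local"}


def hostname_of(url: str) -> str:
    """Extract the host part of a URL; accept a bare name such as 'intranet' too."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""   # strips port and IPv6 brackets
    return host.rstrip(".").lower()


def classify(url: str) -> Optional[str]:
    """Return 'private-ip-address' when the URL matches the article's description,
    otherwise None (meaning: some other category would apply).

    Decision order follows the text: IP literal first, then the TLD check.
    Only the IPv4 ranges from the article are checked."""
    host = hostname_of(url)
    if not host:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in net for net in RFC1918 + LINK_LOCAL):
            return "private-ip-address"
        return None                       # public IP literal
    if "." not in host:
        return "private-ip-address"       # short name, no TLD at all
    tld = host.rsplit(".", 1)[1]
    if tld in UNREGISTERED_TLDS:
        return "private-ip-address"       # e.g. fileserver.local
    return None


def build_policy_commands(rule: str = "Block-Private-To-Untrust",
                          from_zone: str = "Trust",
                          to_zone: str = "Untrust") -> List[str]:
    """PAN-OS configure-mode CLI for the Resolution: two address groups and a
    deny rule moved to the top of the rulebase. Names are assumptions.
    'deny' is used rather than 'drop' because it exists on every release the
    article covers."""
    cmds = []
    members = []
    for i, net in enumerate(RFC1918, 1):
        name = f"RFC1918-{i}"
        members.append(name)
        cmds.append(f"set address {name} ip-netmask {net}")
    cmds.append(f"set address-group RFC1918 static [ {' '.join(members)} ]")
    cmds.append(f"set address Link-Local-169 ip-netmask {LINK_LOCAL[0]}")
    cmds.append("set address-group Link-Local static [ Link-Local-169 ]")
    # Destination lists both groups: a packet matches if it is in EITHER group.
    cmds.append(
        f"set rulebase security rules {rule} from {from_zone} to {to_zone} "
        "source any destination [ RFC1918 Link-Local ] application any service any "
        "action deny log-end yes"
    )
    cmds.append(f"move rulebase security rules {rule} top")
    return cmds


if __name__ == "__main__":
    # Constructed sample URLs covering each branch of the decision.
    for u in ("http://10.1.2.3/", "http://169.254.10.10/", "http://8.8.8.8/",
              "http://fileserver.local/share", "http://intranet/", "https://www.example.com/"):
        print(f"{u:35s} -> {classify(u)}")
    print("\n".join(build_policy_commands()))
```

Paste the emitted commands into a configure-mode session and `commit`; the classifier is only a model of the documented behaviour, useful for predicting which of your internal URLs will land in this category before you decide whether to block it.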
From a routing standpoint, traffic to a private IP address for which there is no specific route on the LAN follows the default route, which in many cases leads to Untrust (the internet). This often happens with mobile devices that change networks: for example, a laptop that is put to sleep at home and woken at work may take a few moments to notice the network change and continue to beacon to the home network. It can also happen during VPN connection and disconnection transitions.
The upstream ISP router will usually discard such traffic, since private addresses are not routed on the internet, but it is understandable that you would not want internal traffic, which may contain identifiable information such as internal hostnames, to leak out to Untrust at all.