What Will Cause a URL to be Categorized as 'private-ip-address'?
Symptom
Traffic is determined to be in the 'private-ip-address' URL category and it is being blocked by URL Filtering.
Environment
PAN-OS >= 6.0
Cause
The URL Filtering Category 'private-ip-address' is set to block.
Resolution
Rather than blocking the private-ip-address category in URL Filtering, the recommendation is to move this control into the Security Policy. Define one IP Address Group with the RFC1918 subnets and another with the Link-Local subnets, then add a rule at the top of the Security Policy that discards any traffic to Untrust whose destination IP address is in either the RFC1918 IP Address Group or the Link-Local IP Address Group.
Note: The reason for creating separate RFC1918 and Link-Local IP Address Groups is that you may want to reuse the RFC1918 object for other purposes.
Additional Information
The category 'private-ip-address' is used for IP addresses in the RFC 1918 private ranges and in the link-local range:
- 10.0.0.0 - 10.255.255.255 (10/8 prefix)
- 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
- 169.254.0.0 - 169.254.255.255 (169.254/16 prefix)
The PAN-DB cloud first determines whether the URL is an IP address. If it is not an IP, it checks whether the host name has a TLD. If there is no TLD, the cloud returns "private-ip-address".
The private-ip-address category is also used for top-level domains that are not publicly registered, such as .local.
This also includes URLs that use short host names with no top-level domain. See the following for examples:
This often happens with mobile devices that change networks (for example, a laptop put into sleep mode at home and then woken at work may take a few moments to recognize the network change and continue to beacon out to the home network). It can also happen during connection and disconnection transitions to a VPN.
The upstream ISP router would likely discard the traffic, but it is understandable that you wouldn’t want internal traffic, which may contain identifiable information, to leak out to Untrust.
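The following Python is an added example, not PAN-DB or PAN-OS code: it mirrors the categorization order described above (IP literal first, then presence of a TLD, with .local as the one unregistered TLD the article names) and the Security Policy check from the Resolution (drop if the destination falls in the RFC1918 or Link-Local address group). The ranges and sample URLs are taken from or constructed around this article; IPv6 is not covered.

```python
import ipaddress
from urllib.parse import urlsplit

# Address groups as the Resolution describes them (ranges listed in the article).
RFC1918_GROUP = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL_GROUP = [ipaddress.ip_network("169.254.0.0/16")]

# TLDs that are never publicly registered; ".local" is the one the article names.
UNREGISTERED_TLDS = {"local"}


def in_group(addr, group):
    """True if the parsed address falls inside any subnet of the group."""
    return any(addr in net for net in group)


def categorize(url):
    """Return 'private-ip-address' or 'other' following the article's order:
    literal IP first, then whether the host name carries a TLD."""
    if "://" not in url:          # bare host names are common in proxy logs
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return "other"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        private = in_group(addr, RFC1918_GROUP) or in_group(addr, LINK_LOCAL_GROUP)
        return "private-ip-address" if private else "other"
    labels = host.split(".")
    if len(labels) == 1:                  # short name, no TLD at all
        return "private-ip-address"
    if labels[-1] in UNREGISTERED_TLDS:   # e.g. fileserver.local
        return "private-ip-address"
    return "other"


def rule_action(dst_ip):
    """Action of the recommended top-of-policy rule for traffic to Untrust:
    'drop' when the destination is in either address group, else 'allow'
    (meaning: fall through to the rest of the rulebase)."""
    addr = ipaddress.ip_address(dst_ip)
    if in_group(addr, RFC1918_GROUP) or in_group(addr, LINK_LOCAL_GROUP):
        return "drop"
    return "allow"


if __name__ == "__main__":
    for u in ("http://10.1.2.3/", "http://intranet/", "fileserver.local", "https://example.com/"):
        print(u, "->", categorize(u))
```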