PaloAlto firewalls initiate traffic to GoDaddy IP addresses

Created On 10/25/23 04:11 AM - Last Modified 09/30/24 20:54 PM


Symptom


  • The firewall interface sends HTTP traffic to the GoDaddy URLs below.
certificates[.]godaddy[.]com
ocsp[.]godaddy[.]com
  • The traffic uses port 80 and is visible in a packet capture for the IP addresses shown below.
192.124.249.31
192.124.249.36
192.124.249.24
192.124.249.41

 


Environment


  • Any Palo Alto devices
  • Supported PAN-OS


Cause


  • Certain Palo Alto services have their certificates issued by GoDaddy. Notable examples include:
wildfire[.]paloaltonetworks[.]com
updates[.]paloaltonetworks[.]com
ace[.]hawkeye[.]services-edge[.]paloaltonetworks[.]com
  • When the firewall communicates with these services, it initiates an SSL handshake. Most of these certificates support OCSP checks, which allow the certificates to be validated.
  • The screenshot below shows that the certificate for 'updates[.]paloaltonetworks[.]com' was issued by the GoDaddy CA. Additionally, the certificate's 'Authority Information Access' field contains the OCSP URL details.
  • Consequently, the traffic to the GoDaddy sites is part of this OCSP check.
     
[Screenshot: Certificate-update.paloaltonetworks.com.png]
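
To check from a workstation which endpoints a certificate's Authority Information Access field points a client at, the following added example (not part of the original article) reads the OCSP and CA Issuers URLs with the openssl CLI and prints the host and port for each. It runs on a constructed self-signed certificate with placeholder example.test URLs; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list the endpoints named in a certificate's
# Authority Information Access (AIA) extension.

# Build a constructed self-signed certificate whose AIA carries placeholder
# OCSP and CA Issuers URLs (the example.test names are not real endpoints).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -subj "/CN=updates.example.test" -days 1 -out "$1" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/,caIssuers;URI:http://certificates.example.test/repository/ca.crt" \
        2>/dev/null
}

# Print "<kind> <url>" for every OCSP and CA Issuers URI in the AIA extension.
aia_urls() {
    openssl x509 -in "$1" -noout -text | sed -n \
        -e 's/^ *OCSP - URI:/ocsp /p' \
        -e 's/^ *CA Issuers - URI:/ca_issuers /p'
}

# Print "<kind> <host> <port>": the destinations a client following the AIA
# would contact. The port defaults from the scheme when the URL names none.
aia_endpoints() {
    aia_urls "$1" | while read -r kind url; do
        scheme=${url%%://*}
        hostport=${url#*://}
        hostport=${hostport%%/*}
        host=${hostport%%:*}
        case $hostport in
            *:*) port=${hostport##*:} ;;
            *)   if [ "$scheme" = https ]; then port=443; else port=80; fi ;;
        esac
        printf '%s %s %s\n' "$kind" "$host" "$port"
    done
}

# Demo on the constructed certificate.
sample=$(mktemp)
make_sample_cert "$sample"
aia_endpoints "$sample"
rm -f "$sample"
```

Running `aia_endpoints` against a PEM copy of the update server's certificate lists the hosts and ports to expect in the packet capture.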


 


Resolution


  1. The observed traffic is expected and forms a crucial part of the OCSP check.
  2. If this traffic is a concern, customers can stop it by disabling the 'Verify update server identity' check in the Firewall/Panorama settings.
  3. In the GUI, go to Device/Panorama > Setup > Services > Global, uncheck 'Verify Update Server Identity', and then commit the changes.

