Route53 HealthChecks are dropped when Region Based Blocking feature is enabled with source-region US

Created On 12/29/22 07:14 AM - Last Modified 04/09/25 13:06 PM


Symptom


  • The Block Incoming Connections from Specific Countries feature is supported starting from Prisma Access 3.1.2.

"Block Incoming Connections from Specific Countries for GlobalProtect, Explicit Proxy, and Remote Network Deployments"

  • When this feature is enabled with source-region US, Route53 HealthCheck packets from AWS are also dropped by the security policy.


Environment


  • Prisma Access
  • Route53 HealthChecks


Cause


As per the current design, it is not possible to accept only HealthChecks while blocking all other access attempts from the US.



Resolution


This feature should be used only for blocking traffic from certain risky countries.



Additional Information


Block Incoming Connections from Specific Countries


