当启用基于区域的阻止功能且源区域为美国时,Route53 健康检查将被丢弃
2728
Created On 12/29/22 07:14 AM - Last Modified 04/09/25 13:06 PM
Symptom
- 从 Prisma Access 3.1.2 开始,已经支持阻止来自特定国家/地区的传入连接功能。
“阻止来自特定国家/地区的 GlobalProtect、显式代理和远程网络部署的传入连接”
- 当我们使用源区域美国启用此功能时,来自 AWS 的 Route53 HealthCheck 数据包也将被安全策略丢弃。
Environment
- Prisma 访问
- Route53 健康检查
Cause
When we configured a security policy for Region Based Blocking following the document, the rule will be inserted at the top of security policies in the cloud FWs.
> show running security-policy
"Mobile_User_EMBG_Source_Countries; index: 1" {
from untrust;
source 0.0.0.0;
source-region US;
to any;
destination any;
destination-region none;
user any;
source-device any;
destinataion-device any;
category any;
application/service 0:any/any/any/app-default;
action drop;
icmp-unreachable: no
terminal no;
If we configure it with source-region US, Route53 HealthCheck packets from AWS will be also dropped by this rule.
> show log traffic direction equal backward
Time App From Src Port Source
Rule Action To Dst Port Destination
Src User Dst User End Reason
Rule_UUid
====================================================================================================
2022/12/26 17:20:02 not-applicable untrust 51528 15.177.2.98
Mobile_User_EMBG_So drop untrust 443 208.127.163.207
policy-deny
f4ba1dd3-825f-4450-aca2-f51b2fadb103
2022/12/26 17:19:58 not-applicable untrust 27640 15.177.18.96
Mobile_User_EMBG_So drop untrust 443 208.127.163.207
policy-deny
f4ba1dd3-825f-4450-aca2-f51b2fadb103
2022/12/26 17:19:57 not-applicable untrust 51528 15.177.2.98
Mobile_User_EMBG_So drop untrust 443 208.127.163.207
policy-deny
IPGeoLocation shows that these addresses(15.177.x.x) belong to Amazon Technologies Inc. (ROUTE53_HEALTHCHECKS, Global)Resolution
根据目前的设计,我们不能只接受健康检查,而阻止来自美国的所有访问尝试。
此功能仅应用于阻止来自某些危险国家的流量。