Users unable to access certain websites hosted in Cloudflare when connected to Prisma Access Gateways in AWS using GlobalProtect

Created On 09/23/25 16:41 PM - Last Modified 10/29/25 22:08 PM


Symptom


  • Users cannot access websites hosted in Cloudflare.
  • Access was working previously; users are unable to reach the websites now.
  • The Cloudflare logs show that the traffic is sourced from a different IP address than expected.
  • The issue occurs only when the user connects to the Prisma Access Gateways in the AWS cloud.


Environment


  • GlobalProtect
  • Prisma Access (SASE)
  • Amazon Web Services (AWS)
  • Cloudflare


Cause


  • Traffic to these websites should be sent directly from the Prisma Access Gateways to the internet.
  • During the issue, the Prisma Access Gateways in AWS route the traffic to the Palo Alto Networks Hub location, and the packets are NATed to one of the Palo Alto Hub IP addresses before being sent out to the website hosted in Cloudflare.
  • Because access to these websites is restricted to the Prisma Access Gateway IP addresses, the traffic is dropped on the Cloudflare side.
  • When a website blocks certain IP addresses belonging to a cloud provider (AWS in this case), Palo Alto Networks moves that traffic through the Palo Alto Hub (clean IP) so that it is not blocked by the destination website.
  • In some cases, the website itself might not be blocking the IP addresses of the Prisma Access Gateways. Consider the following example:
    • The website example.com resolves to 1.1.1.1 in Cloudflare.
    • A different website, unknown.com (resolving to 2.2.2.2) and also hosted in Cloudflare, blocks traffic from the Prisma Access Gateway IP addresses in AWS.
    • As expected, traffic from Prisma Access to unknown.com (2.2.2.2) is routed to the PA Hub so that it is allowed.
    • Later, unknown.com starts resolving to the same IP address, 1.1.1.1, as example.com. This is expected, because Cloudflare uses the same IP address for multiple websites.
    • The IP address 1.1.1.1 is therefore added to the route in the Prisma Access Gateway that sends traffic to the PA Hub, and users lose access to example.com.
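The shared-IP collision described above can be checked for before a hub-steering route is added. The following is an added example, not part of the KB article or any Palo Alto Networks tool; the DNS snapshot is constructed, and the hub-steered and direct-egress site lists are assumptions standing in for whatever your environment tracks.

```python
"""Flag direct-egress sites whose Cloudflare IP is also used by a hub-steered site.

Added example, not part of the Palo Alto KB article. The resolver is a constructed
in-memory map standing in for DNS; substitute socket.getaddrinfo for live checks.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], Set[str]]

# Constructed DNS snapshot mirroring the article's scenario: unknown.com has
# moved onto the same Cloudflare front-end IP (1.1.1.1) as example.com.
DNS_SNAPSHOT: Dict[str, Set[str]] = {
    "example.com": {"1.1.1.1"},
    "unknown.com": {"1.1.1.1"},        # previously resolved to 2.2.2.2
    "other.example.net": {"3.3.3.3"},  # assumed unrelated site
}


def snapshot_resolver(name: str) -> Set[str]:
    """Resolve a hostname against the constructed snapshot (empty set if unknown)."""
    return set(DNS_SNAPSHOT.get(name, ()))


def hub_route_table(hub_sites: Iterable[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """Map each IP that would be steered to the PA Hub to the site(s) that caused it."""
    table: Dict[str, Set[str]] = defaultdict(set)
    for site in hub_sites:
        for ip in resolve(site):
            table[ip].add(site)
    return dict(table)


def find_collisions(hub_sites: Iterable[str], direct_sites: Iterable[str],
                    resolve: Resolver) -> List[dict]:
    """Return direct-egress sites whose current IPs appear in the hub route table."""
    table = hub_route_table(hub_sites, resolve)
    hits: List[dict] = []
    for site in direct_sites:
        for ip in sorted(resolve(site)):
            if ip in table:
                hits.append({"site": site, "ip": ip, "hub_sites": sorted(table[ip])})
    return hits


if __name__ == "__main__":
    for hit in find_collisions(["unknown.com"], ["example.com", "other.example.net"],
                               snapshot_resolver):
        print(f"{hit['site']} ({hit['ip']}) shares a hub-steered IP with {hit['hub_sites']}")
```

Any hit reported here is a site that would silently start egressing via the PA Hub, which is exactly the condition that produced the unexpected source IP in the Cloudflare logs.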


Resolution


  1. If the Cloudflare log shows that the traffic is sourced from a different IP address, open a TAC case so that the TAC engineer can analyze the Prisma Access Gateways and confirm that the traffic is indeed routed through the Palo Alto Hub.
  2. Once this is confirmed, the available solutions/workarounds are:
    • Add the PA Hub IP addresses to the allow list at the destination, or
    • Create a traffic steering rule to send the traffic to these websites directly to the internet from the Prisma Access Gateways.

