Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 28 subscribers
  • Views 1997 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cloudflare Incorrectly Blocked

actts
Hello everyone,

For the last few days, numerous XG firewalls at several of our clients have been experienced a strange issue when filtering sites hosted behind Cloudflare. I'm posting to see if anyone else has come across this issue and ask if anyone knows why it may be happening.

This issue seems to have started this past Sunday (8/29) as that is when users began noticing the issue. Basically, what has been happening is if a site is hosted behind Cloudflare, or utilizes Cloudflare services, the site(s) are blocked in the packet filter. We have Country Blocking configured but all of the affected sites were resolving as USA in the logs which is not part of our block.

The fix was to create a rule allowing all HTTP/HTTPS to any Cloudflare IP subnets (https://www.cloudflare.com/ips/) and leaving all other protections in place (Web proxy, App Control, IPS). After the fix, all of the affected sites were still stating USA as the destination country, but showing as the traffic was passing and connecting fine.

Everything was functioning normally prior to Sunday. That's the most puzzling part and why we're wondering if anyone else has experienced this issue.

Thank you.


This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    .

    DO you have your new rule above your country bock rule? Please advise the date of your GEOPIP database update. Mine show 30/8 ver 2.0.006

    Which IP range is failing, I will check on my system?

    Ian

  • 0 in reply to rfcat_vk

    Hi rfcat_vk

    Yes, the new rule is above the country block rule.  I checked two client firewalls today that experienced this issue last week and they are currently running version 2.0.006 of the Geoip database, last updated August 30th.    

    On the same two firewalls, I temporarily disabled the Cloudflare exception we created and tested several sites that were failing to load last week.  Of the ones I tried, two sites fail to load today.  

    The sites that are failing to load are canva.com and go-retire.com.  The sites are currently resolving to the following IPs:

    canva.com
    104.17.115.17

    go-retire.com
    104.18.13.63

    The two sites that are loading today (but not last week), punchbowl.com and redtailtechnology.com resolve to the following IPs:  

    punchbowl.com
    34.202.182.172

    redtailtechnology.com
    198.1.28.215

    I'll be curious to see if they load correctly on your end.

    Thanks!

  • 0 in reply to actts

    Hi acts,

    I am hitting the Australian servers with those FQDNs and IP addresses for both canva.com and go-retire.com.

    Whereas punchbowl.com  gets lost out of Australia. redtailtechnology.com goes all the way.

    Ian

Reply Children
No Data