As you may be aware, CUNY’s Internet Edge firewall blocks DNS and URL requests to sites that are deemed by Palo Alto to be “parked” (not in active use) or that use dynamic DNS registration providers. These are best practices from Palo Alto, and blocking these additional categories was among the changes put into place to tighten our overall posture. Palo Alto doesn’t always get it right, however, and some legitimate sites are mis-categorized and blocked inappropriately. We’ve also seen sites that don’t have a web presence and only use email be blocked as “parked.”

To help address this, I wanted to share that anyone can request that Palo Alto reconsider a mis-categorized site; no privileges are needed. Go to https://urlfiltering.paloaltonetworks.com/ and enter the URL of the site to test it. If it shows as parked, etc., click on the “Request Change” link (circled in red in the illustration below). A form asks for the corrected category (or categories) to which the site should be changed. (Of course, don’t select Dynamic DNS, Parked, Malware, Phishing, Ransomware, Hacking, or Command-and-control, because those are the blocked categories.)

Once the form is submitted you’ll get a confirmation email, and then a second email when Palo Alto makes a decision on re-categorization. Palo Alto says a decision is typically made within one business day, but I’ve seen it happen as quickly as within 5 minutes. After re-categorization the site may unblock almost immediately or it could take up to a day for the change to propagate.

Anyone can do this without CIS involvement. Of course, if recategorizing doesn’t work, if Palo Alto doesn’t accept the change request, or if a site needs to be unblocked urgently, please raise a ticket with CIS.