Additional Configuration - Palo Alto

Overview

Palo Alto Networks services often employ deep packet inspection and strict protocol blocking (such as the QUIC protocol) that can interfere with simulated phishing traffic. To ensure your programme runs smoothly, you must exempt Secure Schools' domains and IP addresses from these security filters.

Prerequisites

You will need the following information from the Secure Schools Domains and IP Addresses KB article:

• Sending IP Address: 185.250.239.80

• Infrastructure IP Address: 35.190.80.1 (commonly seen in firewall logs for simulation links)

• Primary Domains: secureschools.com, emaildistributionhub.co.uk, notificationdistributionhub.co.uk, emaildistributionhub.com, notificationdistributionhub.com, emaildispersalhub.co.uk, emaildispersalhub.com, maildispersalhub.com, notificationdispersalhub.co.uk, notificationdispersalhub.com

Step 1: Create a Custom URL Category

To allow access to simulation websites, you first need to define them within your Palo Alto objects.

1. Log in to your PAN-OS or Panorama console.

2. Navigate to Objects > Custom Objects > URL Category.

3. Click Add to create a new category (e.g., "Secure Schools Phishing Domains").

4. Add the domains listed in the prerequisites above, using wildcards where appropriate (e.g., *.notificationdistributionhub.co.uk).

5. Click OK.

Step 2: Configure the URL Filtering Profile

Next, ensure that your filtering profile does not block these URLs or treat them as malicious.

1. Navigate to Objects > Security Profiles > URL Filtering.

2. Select the profile used by your users.

3. Locate the custom category you created in Step 1.

4. Set the Site Access to allow.

5. Crucial: If your simulation includes a credential harvest, set User Credential Submission to allow. If this is set to block, the firewall will prevent users from entering information on the simulation page.

Step 3: Resolve the "Block-Quic-Port" Issue

Palo Alto firewalls frequently block the QUIC protocol (UDP port 443) to force browsers to fall back to standard TLS/HTTPS, which the firewall can decrypt and inspect. If this rule is active, users may see an ERR_CONNECTION_CLOSED error when clicking simulation links.

To resolve this without disabling your global QUIC block:

1. Navigate to Policies > Security.

2. Create a new security rule and place it above your existing "Block-Quic-Port" or "Deny-QUIC" rules.

3. Source: Your internal user zones.

4. Destination: Create a new Address Object for the Secure Schools IPs (185.250.239.80 and 35.190.80.1).

5. Service/Application: Set to any or specifically allow quic and ssl for these destinations.

6. Action: Set to allow.

7. Commit the changes.

FAQ & Troubleshooting

Why don’t links work after the simulation ends?

By design, simulation links are deactivated once a campaign has finished. This is a security feature to ensure that "live" phishing pages are not available indefinitely on your network. If a user clicks a link after the simulation window has closed, the page may fail to load or display a generic message.

Does Secure Schools need to make changes on its side?

No. Security blocks occurring at the firewall level are specific to your local network environment. Our technical team cannot modify your firewall rules or bypass internal network security from our side. Your local network or IT security team must implement these changes.

The link works on a mobile hotspot, but not the school network?

This confirms that the issue is not with the link itself or Microsoft 365, but rather a local network restriction (such as a Palo Alto security policy) blocking the traffic. Following the safelisting steps above will resolve this.