Overview
Many CDN providers—such as Cloudflare, Akamai, and AWS—use Anycast IP addresses, where multiple domains are served from the same IP address. In such scenarios, it is possible that one domain hosted on the shared IP is malicious, while the other domains hosted on the same IP remain legitimate.
Traditional IP Filtering evaluates only the IP reputation. Therefore, if the shared IP is classified as malicious due to one domain, all traffic to that IP may be blocked—even when the accessed domain is safe.
This article explains how Versa enables you to prioritize URL reputation over IP reputation to avoid such unintended blocks.
Root Cause
IP Filtering is not URL-aware and evaluates only the reputation of the destination IP.
When multiple UTM modules (IP Filtering, URL Filtering, IDS/IPS, AV, DNS Filtering, CASB, DLP, RBI, ATP) are attached to a policy, each module independently evaluates traffic.
If any module returns a reject/block verdict, the entire session is blocked.
This can result in false positives when multiple domains share a single IP address.
Solution: Prioritize URL Reputation in IP Filtering
Versa provides an option to prioritize URL reputation when both URL Filtering and IP Filtering are applied in a policy.
How it Works
When the “Prioritize URL Reputation” option is enabled in an IP Filtering profile:
The URL Filtering verdict overrides the IP Filtering verdict.
Legitimate domains hosted on a shared/Anycast IP are permitted, even if the IP reputation is poor.
Where to Enable
Concerto:
Enable checkbox “Prioritize URL Reputation” in the IP Filtering profile configuration.
Director
The same option is available in the IP Filtering profile settings in Director:
Important Consideration: DNS Filtering Behavior
Enabling Prioritize URL Reputation does not resolve filtering conflicts during DNS resolution.
If IP filtering verdict is block, DNS queries gets blocked.
Fix for DNS Filtering Conflicts
To ensure proper behavior, configure User-Defined DNS Filtering that relies on URL categories.
Step 1 — Identify Required Categories
Review the categories marked as Reject or Alert in your IP Filtering profile.
In Concerto, these can be found under:
Internet or Private Protection Policies → Security Enforcement → Security Profiles → IP Filtering Profile
Step 2 — Create a User-Defined URL Filtering Profile
Create a custom URL Filtering profile that defines appropriate actions for the categories you want DNS Filtering to reference.
Director
Concerto
Step 3 — Attach the URL-Based Profile to DNS Filtering
Director
Attach the custom URL category profile under the DNS Filtering settings.
Concerto
Similarly, attach the user-defined URL category profile under DNS Filtering.
Step 4 — Apply DNS Filtering to Policies
Finally, attach the updated DNS Filtering profile to the relevant security policies.
Director:
Concerto:
Conclusion
By enabling Prioritize URL Reputation in IP Filtering and correctly configuring URL-based DNS Filtering, Versa ensures accurate filtering for services using Anycast or shared IP addresses. This approach helps avoid unnecessary session blocks while maintaining a strong and consistent security posture.