Why is this happening? Do you have Super Bot Fight Mode configured?
Can you check the Security Events and find any entries with User Agent Contains “PayPal” and see why it is being blocked?
If it’s being blocked by a WAF rule, PayPal is a Known Bot. You can create a rule allowing Known Bots, or if you want you can create a Bypass rule for Known Bots with UA containing PayPal to be more specific.
Another option I used before PayPal was accepted into Known Bots was to create an IP list and use that in a WAF rule:
The duplicates do, however, seem very consistent with the ones posted in e.g.:
That being said, -
In addition (or as an alternative) to that, you can also use PayPal’s AS numbers to attempt to approve their access:
Until now, I don’t believe I have seen PayPal’s IPN requests originating from AS numbers other than AS 17012.
PayPal currently has the following AS numbers that are visible in the global routing table:
PayPal also has the following AS numbers, but these are not currently visible in the global routing table:
With AS 1449 being given the name "PAYPAL-CORP", it sounds like that one may be useless, and only for their corporate offices.
AS 59065 seems to be from their operations in China and Singapore, and several of the others are held by them, as a result of their acquisition of Braintree.
If you decide to go more “lenient” on the security protocol, based on AS numbers (perhaps for less (recurring) maintenance), I would personally be tempted to start by allowing AS 17012 alone, and see how that goes.
Based on the above Custom Rule, you could also mix the Known Bots and AS numbers validation, … like this:
Personally, I would likely also add even further Hostname, or URI related fields to verify that PayPal is only extraordinarily allowed on e.g. https://paypal-ipn.example.com, or within addresses starting with https://example.com/paypal-payments/, or something similar, depending on the place where you have the IPN scripts.
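
As an added example (not part of the original posts), one way to write a Custom Rule expression that combines the checks discussed in this thread: Known Bots, AS 17012, a User Agent containing "PayPal", and a restriction to the IPN endpoint. The hostnames and path are the placeholder values from the post above; pairing the expression with a Skip action is an assumption, and older dashboards expose the AS number field as `ip.geoip.asnum` rather than `ip.src.asnum`.

```text
(cf.client.bot
 and ip.src.asnum eq 17012
 and http.user_agent contains "PayPal"
 and (http.host eq "paypal-ipn.example.com"
      or (http.host eq "example.com"
          and starts_with(http.request.uri.path, "/paypal-payments/"))))
```

Because every condition is joined with `and`, a request that only presents a PayPal-looking User Agent, or that comes from AS 17012 but targets a different path, still goes through the normal WAF rules.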