https://community.checkpoint.com/t5/General-Topics/Traffic-to-domain-excepted-is-still-blocked/m-p/163888#M27382 <P>Hello friends,</P><P>Nice to greet you all.</P><P>I need your help. I have the following problem. I need to access the website "usage.projectcalico.org" I have enabled it by regex and by fqdn, and the log also shows the domain *r.cloudfront.net, which I have also enabled by wildcard regex "*r.cloudfront .net" .... but the lock remains. It can be seen in the "SNI" column that contains the domain that I want to enable. Also, I have enabled a bypass rule in SSL inspection, but the blocking persists. Has anyone else had this problem and know how to fix it? I attach the evidence image.</P> Thu, 01 Dec 2022 15:24:08 GMT Pvalderrama 2022-12-01T15:24:08Z https://community.checkpoint.com/t5/General-Topics/Traffic-to-domain-excepted-is-still-blocked/m-p/163888#M27382 <P>Hello friends,</P><P>Nice to greet you all.</P><P>I need your help. I have the following problem. I need to access the website "usage.projectcalico.org" I have enabled it by regex and by fqdn, and the log also shows the domain *r.cloudfront.net, which I have also enabled by wildcard regex "*r.cloudfront .net" .... but the lock remains. It can be seen in the "SNI" column that contains the domain that I want to enable. Also, I have enabled a bypass rule in SSL inspection, but the blocking persists. Has anyone else had this problem and know how to fix it? I attach the evidence image.</P> Thu, 01 Dec 2022 15:24:08 GMT https://community.checkpoint.com/t5/General-Topics/Traffic-to-domain-excepted-is-still-blocked/m-p/163888#M27382 Pvalderrama 2022-12-01T15:24:08Z https://community.checkpoint.com/t5/General-Topics/Traffic-to-domain-excepted-is-still-blocked/m-p/163919#M27387 <P>Can you try by allowing custom app site and try *projectcalico* and also bypass that in https inspection policy.</P> Fri, 02 Dec 2022 01:29:40 GMT https://community.checkpoint.com/t5/General-Topics/Traffic-to-domain-excepted-is-still-blocked/m-p/163919#M27387 the_rock 2022-12-02T01:29:40Z https://community.checkpoint.com/t5/General-Topics/Traffic-to-domain-excepted-is-still-blocked/m-p/164037#M27392 <P>What version/JHF level are you running?<BR />We only use Verified SNI if you’re on R80.40 or above.<BR />In R80.30 or R80.20, you need to be on a specific JHF level AND have HTTPS Inspection enabled.&nbsp;</P> Fri, 02 Dec 2022 23:40:11 GMT https://community.checkpoint.com/t5/General-Topics/Traffic-to-domain-excepted-is-still-blocked/m-p/164037#M27392 PhoneBoy 2022-12-02T23:40:11Z https://community.checkpoint.com/t5/General-Topics/Traffic-to-domain-excepted-is-still-blocked/m-p/164045#M27396 <P>Did you try creating a domain object/FQDN Object? and keeping same dns on firewall which is kept at user level?</P> Sat, 03 Dec 2022 05:41:54 GMT https://community.checkpoint.com/t5/General-Topics/Traffic-to-domain-excepted-is-still-blocked/m-p/164045#M27396 Blason_R 2022-12-03T05:41:54Z https://community.checkpoint.com/t5/General-Topics/Traffic-to-domain-excepted-is-still-blocked/m-p/164177#M27405 <P>Hi, friend. Thank you very much for the reply. I have version r81.10</P> Mon, 05 Dec 2022 14:33:16 GMT https://community.checkpoint.com/t5/General-Topics/Traffic-to-domain-excepted-is-still-blocked/m-p/164177#M27405 Pvalderrama 2022-12-05T14:33:16Z https://community.checkpoint.com/t5/General-Topics/Traffic-to-domain-excepted-is-still-blocked/m-p/164183#M27406 <P>&nbsp;</P> <P><SPAN>usage.projectcalico.org is not available in firefox also without CP GW:</SPAN></P> <P>&nbsp;</P> <DIV class="tab-panel headers"> <DIV class="headersPanelBox tab-panel-inner"> <DIV class="toolbar">Headers:</DIV> </DIV> </DIV> <DIV class="netInfoHeadersTable"> <DIV class="netHeadersGroup">&nbsp;</DIV> </DIV> <DIV class="netHeadersGroup"> <TABLE cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD class="netInfoParamName"><SPAN title="Connection">Connection</SPAN></TD> <TD class="netInfoParamValue">keep-alive</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="Content-Length">Content-Length</SPAN></TD> <TD class="netInfoParamValue">23</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="Content-Type">Content-Type</SPAN></TD> <TD class="netInfoParamValue">application/json</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="Date">Date</SPAN></TD> <TD class="netInfoParamValue">Mon, 05 Dec 2022 14:41:39 GMT</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="Via">Via</SPAN></TD> <TD class="netInfoParamValue">1.1 42c9dddb4e518a9ed3248bf50565b120.cloudfront.net (CloudFront)</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="X-Amz-Cf-Id">X-Amz-Cf-Id</SPAN></TD> <TD class="netInfoParamValue">zk4XqztmW584JeeKX51WBO5Umsg8Jmn1oJT4RPQUFHKWu8oY8CiG3w==</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="X-Amz-Cf-Pop">X-Amz-Cf-Pop</SPAN></TD> <TD class="netInfoParamValue">VIE50-C2</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="X-Cache">X-Cache</SPAN></TD> <TD class="netInfoParamValue">Error from cloudfront</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="x-amz-apigw-id">x-amz-apigw-id</SPAN></TD> <TD class="netInfoParamValue">crVtpFdMNjMFoYg=</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="x-amzn-ErrorType">x-amzn-ErrorType</SPAN></TD> <TD class="netInfoParamValue">ForbiddenException</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="x-amzn-RequestId">x-amzn-RequestId</SPAN></TD> <TD class="netInfoParamValue">7af7c8f5-4dde-40bd-b8e4-ad09ae2f7c11</TD> </TR> </TBODY> </TABLE> </DIV> <DIV class="netHeadersGroup">&nbsp;</DIV> <TABLE cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD class="netInfoParamName"><SPAN title="Accept">Accept</SPAN></TD> <TD class="netInfoParamValue">text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="Accept-Encoding">Accept-Encoding</SPAN></TD> <TD class="netInfoParamValue">gzip, deflate, br</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="Accept-Language">Accept-Language</SPAN></TD> <TD class="netInfoParamValue">de,en-US;q=0.7,en;q=0.3</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="Connection">Connection</SPAN></TD> <TD class="netInfoParamValue">keep-alive</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="DNT">DNT</SPAN></TD> <TD class="netInfoParamValue">1</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="Host">Host</SPAN></TD> <TD class="netInfoParamValue">usage.projectcalico.org</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="Sec-Fetch-Dest">Sec-Fetch-Dest</SPAN></TD> <TD class="netInfoParamValue">document</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="Sec-Fetch-Mode">Sec-Fetch-Mode</SPAN></TD> <TD class="netInfoParamValue">navigate</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="Sec-Fetch-Site">Sec-Fetch-Site</SPAN></TD> <TD class="netInfoParamValue">none</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="Sec-Fetch-User">Sec-Fetch-User</SPAN></TD> <TD class="netInfoParamValue">?1</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="Upgrade-Insecure-Requests">Upgrade-Insecure-Requests</SPAN></TD> <TD class="netInfoParamValue">1</TD> </TR> <TR> <TD class="netInfoParamName"><SPAN title="User-Agent">User-Agent</SPAN></TD> <TD class="netInfoParamValue">Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:107.0) Gecko/20100101 Firefox/107.0</TD> </TR> </TBODY> </TABLE> Mon, 05 Dec 2022 14:43:44 GMT https://community.checkpoint.com/t5/General-Topics/Traffic-to-domain-excepted-is-still-blocked/m-p/164183#M27406 G_W_Albrecht 2022-12-05T14:43:44Z