This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Highlighted
Jonathan_Sander
Iron
‎2018-09-26 05:08 AM

Base a bypass rule on the request address not the response address?

This is a continuation of the issues described in whitelist AWS S3 buckets using complex URI / URL patterns? With help from Dameon Welch Abernathy‌ and Brian Butts‌, what we have determined is that the issue was never that the firewall was having trouble with the complex URLs for the S3 buckets. Instead, the issue appears to be one with how AWS deals with S3 requests. If you were to make a request to 'bucketname.s3.us-east-1.amazonaws.com', what you would get in response is a reply from 's3.us-east-1.amazonaws.com' (and the certificate will say it's for *.s3-us-west-2.amazonaws.com). This can be seen in an nslookup:

$ nslookup mybucket.s3.us-west-2.amazonaws.com
Server:     192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
mybucket.s3.us-west-2.amazonaws.com    canonical name = s3.us-west-2.amazonaws.com.
Name:    s3.us-west-2.amazonaws.com
Address: 52.218.248.56

So the question now becomes: is it possible to create a policy one could use for bypass (specifically bypassing HTTPS Inspection) that is based on the request and not the response? I want to tell Check Point that any time a response is the result of a request to a given URL, that response should get a bypass.

The customer is on R77.30, with plans to upgrade to R80.10 in Q1 2019.

Thanks for any help.

0 Kudos
1 Reply
Highlighted
PhoneBoy
Admin
Admin
‎2018-09-26 07:35 AM

The only way we could do that, maybe, is in an explicit proxy scenario (where the gateway is an explicit proxy for the request). 

Otherwise, I'm not sure how you could even determine what the original request was to.