Kirubakaran-V
Explorer

CheckPoint Firewall blocks Aruba Instanton access points connectivity to Aruba cloud

Hi All, 

I'm new to Check Point Firewall. We already had an Aruba network switch (locally managed) and 2 Aruba Instant On (AP22) access points (cloud managed) set up in our office. We recently purchased a Check Point 1550 appliance and set it up in front of the network switch and access points.

Our network setup: ISP > Firewall > Switch > Access Points 

After we connected the firewall, our access points went offline (they continue to broadcast the SSID and clients are able to connect), but they are not connecting to the Aruba cloud, so any config changes made in portal.arubainstanton.com are not synced and applied to the access points. Support asked me to whitelist the following URLs in the firewall portal, which I tried, but it's still not working. Expecting community help in this regard,

The following cloud URLs are officially used by Aruba Instant On and should be added to the allowed domains list:
Official Cloud URLs for Instant On:
 
Onboarding URL used by non-configured Instant On device to reach the cloud:
 
Cloud Connect URL used by configured Instant On devices to send data to the cloud:
 
Software Upgrade URL is used by Instant On devices to get their firmware:
 
DNS: 53 (UDP)
HTTP:  80 (TCP)
HTTPS: 443 (TCP)
NTP: 123 (UDP)

4 Replies
the_rock
Legend

Question... do you actually see any logs on the CP firewall indicating it's blocking the traffic to those destinations?

Andy

the_rock
Legend

Just came to my mind... can you try adding a custom category, say *arubainstanton*, and see if that works?

Andy

Lesley
Leader

I assume it is local management.

Then check if you have this feature enabled:

https://sc1.checkpoint.com/documents/SMB_R80.20/AdminGuides/Locally_Managed/EN/Content/Topics/SSL-In...

HTTPS Categorization

This will make sure the firewall checks the certificate of the requested URL, so a better rulebase match is then possible.

Of course the best is to run full HTTPS inspection, but that could be a bit difficult to start with. So start with "Light SSL/HTTPS inspection".

Also make sure the FW is able to resolve the URLs. Test via SSH: nslookup onboarding.portal.arubainstanton.com/

-------
If you like this post please give a thumbs up (kudo)! 🙂
oa_munich
Contributor

I believe Aruba Instant On APs also try to ping the above URIs and use Google DNS (8.8.8.8 and 8.8.4.4), regardless of what you propagate via DHCP. Check for dropped packets originating from the AP IPs.

And if you are using HTTPS inspection, create a bypass rule for *.arubainstanton.com, as they won't trust your CA certificate.

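As an added example (not from the thread or from Check Point), a small Python script that applies the "check for dropped packets originating from the AP IPs" advice to a constructed set of drop-log lines: it keeps only drops whose source is an AP address, counts them per protocol/port against the four ports listed in the question (DNS 53/UDP, HTTP 80/TCP, HTTPS 443/TCP, NTP 123/UDP), and flags APs that are sending DNS straight to 8.8.8.8 or 8.8.4.4. The log line format, the AP addresses and the destination addresses are assumptions for the sample.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (NOT real Check Point log output). Assumed format:
#   <time> action=<drop|accept> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>
SAMPLE_LOGS = """\
10:01:02 action=drop src=192.168.10.21 dst=8.8.8.8 proto=udp dport=53
10:01:03 action=drop src=192.168.10.21 dst=8.8.4.4 proto=udp dport=53
10:01:05 action=accept src=192.168.10.21 dst=192.168.10.1 proto=udp dport=53
10:01:07 action=drop src=192.168.10.22 dst=203.0.113.50 proto=tcp dport=443
10:01:09 action=drop src=192.168.10.22 dst=203.0.113.51 proto=udp dport=123
10:01:10 action=accept src=192.168.10.5 dst=198.51.100.9 proto=tcp dport=443
10:01:12 action=drop src=192.168.10.21 dst=203.0.113.50 proto=tcp dport=443
"""

AP_IPS = {"192.168.10.21", "192.168.10.22"}  # assumed Instant On AP addresses
# Ports the question lists as required for Instant On cloud connectivity
REQUIRED = {("udp", 53), ("tcp", 80), ("tcp", 443), ("udp", 123)}
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}  # hard-coded resolvers mentioned in the thread

LINE_RE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def parse(log_text):
    """Yield (action, src, dst, proto, dport) for each parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            action, src, dst, proto, dport = m.groups()
            yield action, src, dst, proto.lower(), int(dport)


def summarize_ap_drops(log_text, ap_ips=AP_IPS):
    """Count drops sourced from AP addresses per (proto, port) and flag problems."""
    drops = Counter()
    dsts = defaultdict(set)
    for action, src, dst, proto, dport in parse(log_text):
        if action != "drop" or src not in ap_ips:
            continue  # ignore accepts and traffic from non-AP hosts
        drops[(proto, dport)] += 1
        dsts[(proto, dport)].add(dst)
    blocked_required = sorted(k for k in drops if k in REQUIRED)
    hardcoded_dns = sorted(d for d in dsts.get(("udp", 53), set()) if d in GOOGLE_DNS)
    return {"drops": dict(drops), "blocked_required": blocked_required,
            "hardcoded_dns": hardcoded_dns}


if __name__ == "__main__":
    result = summarize_ap_drops(SAMPLE_LOGS)
    for (proto, port), n in sorted(result["drops"].items()):
        print(f"{proto}/{port}: {n} drop(s) from AP addresses")
    if result["hardcoded_dns"]:
        print("APs querying Google DNS directly:", ", ".join(result["hardcoded_dns"]))
```

On a real gateway the input would come from the exported drop logs rather than the embedded sample; each flagged (proto, port) pair points at a rule that needs the AP addresses or the Instant On domains allowed.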