This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kirubakaran-V
Participant
‎2024-11-20 05:45 AM
Jump to solution

CheckPoint Firewall blocks Aruba Instanton access points connectivity to Aruba cloud

Hi All, 

I'm new to Checkpoint Firewall, we already had Aruba network switch (locally Managed) & 2 - Aruba Instanton (AP22) Access Points (Cloud managed) setup in our office. We recently purchased Checkpoint 1550 Appliance and made a setup on top of Network switch and Access points.

Our network setup: ISP > Firewall > Switch > Access Points 

After we connected the firewall - our access points went offline (continue to broadcast SSID and able to connect) and it's not connecting to Aruba cloud, so any config changes made in portal.arubainstanton.com are not sync and apply to the access points. Support have asked to whitelist the following urls in the firewall portal which I tried that but it's still not working. Expecting community help in this regard, 

The following cloud URLs are officially used in Aruba Instant On to add in the allowed domains list:
Official Cloud URLs for Instant On:
 
Onboarding URL used by non-configured Instant On device to reach the cloud:
 
Cloud Connect URL used by configured Instant On devices to send data to the cloud:
 
Software Upgrade URL is used by Instant On devices to get their firmware:
 
DNS: 53 (UDP)
HTTP:  80 (TCP)
HTTPS: 443 (TCP)
NTP: 123 (UDP)

 

0 Kudos
1 Solution

Accepted Solutions
Kirubakaran-V
Participant
3 weeks ago
Jump to solution

Hi @All,

Update:

I've successfully connected our Aruba InstantOn AP22 access points to the Aruba Cloud. The access points were identified as IoT devices in the Quantum Spark 1550 appliance console and had outgoing access restricted to the "IoT_Accepted_Domains" network group.

To resolve this, I added the necessary URLs to the IoT_Accepted_Domains group and reset the access points, which allowed them to connect to the Aruba Cloud successfully.

Thanks, everyone, for your help! 😊

Best,

Kirubakaran V

View solution in original post

11 Replies
the_rock
Legend
Legend
‎2024-11-20 06:52 AM
Jump to solution

Question...do you actually see any logs on CP firewall indicating its blocking the traffic to those destinations?

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-11-20 06:57 AM
In response to the_rock
Jump to solution

Just came to my mind...can you try add custom category, say *arubainstanton* and see if that works?

Andy

0 Kudos
Kirubakaran-V
Participant
‎2024-12-06 06:20 AM
In response to the_rock
Jump to solution

Hi @the_rock 
Under Access Policy - I cannot choose URL in destination, only domain, network object, network object group supported. Additionally domain - doesn't allow me to add like *arubainstanton*
Instead I tried add the required Url's but still no luck

From the firewall all I can see under security logs is: Accept to UDP/3490 (service) but I don't see any packets drop there 

0 Kudos
the_rock
Legend
Legend
‎2024-12-06 06:22 AM
In response to Kirubakaran-V
Jump to solution

Sorry, I dont have locally managed smb to test, so cant say for sure, but thats what I always do in smart console for regular Gaia, as long as urlf blade is enabled inside the layer editor.

I would double check with TAC.

Andy

0 Kudos
Lesley
Mentor Mentor
Mentor
‎2024-11-20 09:07 AM
Jump to solution

I assume it it local management.

Then check if you have this feature enabled:

https://sc1.checkpoint.com/documents/SMB_R80.20/AdminGuides/Locally_Managed/EN/Content/Topics/SSL-In...

HTTPS Categorization

This will make sure firewall will check certificate of the requested URL, so better rulebase match is then possible.

Of course best is to run full https inspection but that could be a bit difficult to start with. So start with ''Light SSL/HTTPS inspection''.

Also make sure FW is able to resolve the URL's. Test via SSH nslookup onboarding.portal.arubainstanton.com/

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Kirubakaran-V
Participant
‎2024-12-06 06:32 AM
In response to Lesley
Jump to solution

Hey @Lesley 
Thanks for your comments, 
Yes, we have https categorisation enabled. I tried ssh into the fw and nslookup required three URL's and able to resolve it. Also. the Access Points are added to a network group and I allowed them to connect to the arubainstanton.com domain in Access Policy still same issue.  

0 Kudos
Alex-
Leader Leader
Leader
‎2024-12-07 02:31 PM
In response to Kirubakaran-V
Jump to solution

You can go in Expert mode and use the domains_tool utility to check if your domain is resolved, the tool is present in Spark.

 

 

 

domains_tool -d onboarding.portal.arubainstanton.com

 

 

 

 

Your AP and firewall should use the same DNS for consistency. You might also need to add the full domains, do not assume the domain object will match all subdomains like in a regex URL object.

Check also that you have Hide NAT on, which I assume you have if Internet access works.

Is your policy in Strict Mode?

You might create an additional rule with Internet access from your AP for analysis and see what goes in there to fine-tune your firewall policy, unless it's against your security policies.

Also, fw ctl zdebug drop in Expert mode will show you what is dropped where if you don't see them in the logs.

HTTPS Categorisation will work with the Application/URL Filtering Blade activated, Domain objects are linked to the Firewall blade.

We don't use Domain objects in locally managed Spark so it's ideas.

the_rock
Legend
Legend
‎2024-12-08 05:53 AM
In response to Alex-
Jump to solution

Great tip! I always keep forgetting about domains_tool.

Andy

0 Kudos
oa_munich
Contributor
‎2024-11-20 09:13 AM
Jump to solution

I believe Aruba instant on APs also try to ping the above URIs and use google dns (8.8.8.8 and 8.8.4.4), regardless of what you propagate via dhcp. Check for dropped packets originating from the AP IPs.

And if you are using HTTPS inspection, create a bypass rule for *.arubainstanton.com, as they won't trust your CA certificate.

0 Kudos
Kirubakaran-V
Participant
3 weeks ago
Jump to solution

Hi @All,

Update:

I've successfully connected our Aruba InstantOn AP22 access points to the Aruba Cloud. The access points were identified as IoT devices in the Quantum Spark 1550 appliance console and had outgoing access restricted to the "IoT_Accepted_Domains" network group.

To resolve this, I added the necessary URLs to the IoT_Accepted_Domains group and reset the access points, which allowed them to connect to the Aruba Cloud successfully.

Thanks, everyone, for your help! 😊

Best,

Kirubakaran V

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top