Kirubakaran-V
Explorer

Check Point firewall blocks Aruba Instant On access points' connectivity to the Aruba cloud

Hi All, 

I'm new to Check Point firewalls. We already had an Aruba network switch (locally managed) and two Aruba Instant On (AP22) access points (cloud managed) set up in our office. We recently purchased a Check Point 1550 appliance and set it up in front of the network switch and access points.

Our network setup: ISP > Firewall > Switch > Access Points 

After we connected the firewall, our access points went offline (they continue to broadcast the SSID and clients are able to connect), and they are not connecting to the Aruba cloud, so any config changes made in portal.arubainstanton.com are not synced and applied to the access points. Support asked me to whitelist the following URLs in the firewall portal, which I tried, but it's still not working. Expecting the community's help in this regard.

The following cloud URLs are officially used by Aruba Instant On and should be added to the allowed domains list:
Official cloud URLs for Instant On:
 
Onboarding URL used by a non-configured Instant On device to reach the cloud:
 
Cloud Connect URL used by configured Instant On devices to send data to the cloud:
 
Software Upgrade URL used by Instant On devices to get their firmware:
 
DNS: 53 (UDP)
HTTP:  80 (TCP)
HTTPS: 443 (TCP)
NTP: 123 (UDP)

 

0 Kudos
9 Replies
the_rock
Legend

Question... do you actually see any logs on the CP firewall indicating it's blocking the traffic to those destinations?

Andy

0 Kudos
the_rock
Legend

Just came to my mind... can you try adding a custom category, say *arubainstanton*, and see if that works?

Andy

0 Kudos
Kirubakaran-V
Explorer

Hi @the_rock,
Under Access Policy I cannot choose URL in destination; only domain, network object, and network object group are supported. Additionally, domain doesn't allow me to add something like *arubainstanton*.
Instead I tried adding the required URLs, but still no luck.

From the firewall, all I can see under security logs is: Accept to UDP/3490 (service), but I don't see any packet drops there.

0 Kudos
the_rock
Legend

Sorry, I don't have a locally managed SMB to test, so I can't say for sure, but that's what I always do in SmartConsole for regular Gaia, as long as the URLF blade is enabled inside the layer editor.

I would double check with TAC.

Andy

0 Kudos
Lesley
Leader

I assume it is local management.

Then check if you have this feature enabled:

https://sc1.checkpoint.com/documents/SMB_R80.20/AdminGuides/Locally_Managed/EN/Content/Topics/SSL-In...

HTTPS Categorization

This will make sure the firewall checks the certificate of the requested URL, so a better rulebase match is then possible.

Of course the best is to run full HTTPS inspection, but that could be a bit difficult to start with. So start with "Light SSL/HTTPS inspection".

Also make sure the FW is able to resolve the URLs. Test via SSH: nslookup onboarding.portal.arubainstanton.com

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Kirubakaran-V
Explorer

Hey @Lesley,
Thanks for your comments.
Yes, we have HTTPS categorisation enabled. I tried SSHing into the FW and running nslookup on the three required URLs, and I am able to resolve them. Also, the access points are added to a network group and I allowed them to connect to the arubainstanton.com domain in the Access Policy; still the same issue.

0 Kudos
Alex-
Leader

You can go into Expert mode and use the domains_tool utility to check if your domain is resolved; the tool is present in Spark.

    domains_tool -d onboarding.portal.arubainstanton.com

Your AP and firewall should use the same DNS for consistency. You might also need to add the full domains; do not assume the domain object will match all subdomains like a regex URL object would.

Check also that you have Hide NAT on, which I assume you have if Internet access works.

Is your policy in Strict Mode?

You might create an additional rule with Internet access from your AP for analysis and see what goes through it to fine-tune your firewall policy, unless it's against your security policies.

Also, fw ctl zdebug drop in Expert mode will show you what is dropped where, if you don't see the drops in the logs.

HTTPS Categorisation works with the Application/URL Filtering blade activated; Domain objects are linked to the Firewall blade.

We don't use Domain objects in locally managed Spark, so these are just ideas.

1 Kudo
the_rock
Legend

Great tip! I always keep forgetting about domains_tool.

Andy

0 Kudos
oa_munich
Contributor

I believe Aruba Instant On APs also try to ping the above URIs and use Google DNS (8.8.8.8 and 8.8.4.4), regardless of what you propagate via DHCP. Check for dropped packets originating from the AP IPs.

And if you are using HTTPS inspection, create a bypass rule for *.arubainstanton.com, as the APs won't trust your CA certificate.

0 Kudos
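As an added worked example (not code from this thread, from Check Point, or from Aruba), the script below does what Alex- and oa_munich suggest: it triages firewall log lines for drops sourced from the access points, counts the dropped flows, checks which of the four services the original post lists (DNS 53/udp, HTTP 80/tcp, HTTPS 443/tcp, NTP 123/udp) are being dropped, and flags dropped DNS queries to the hardcoded Google resolvers. The AP addresses (192.168.10.21 and .22), the destination addresses, and the key=value log layout are all assumptions; the sample lines are constructed for this example and are not Check Point's real log format, so adapt parse_line to the export you actually have.

```python
"""Triage constructed firewall log lines for drops coming from the access points."""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Outbound services the Instant On support list in the original post requires.
REQUIRED_SERVICES: Set[Tuple[str, int]] = {("udp", 53), ("tcp", 80), ("tcp", 443), ("udp", 123)}

# Public resolvers the APs are said to use regardless of the DHCP-advertised DNS.
PUBLIC_DNS = {"8.8.8.8", "8.8.4.4"}

# Hypothetical addresses of the two AP22s (assumption, not taken from the thread).
AP_HOSTS = {"192.168.10.21", "192.168.10.22"}

# Constructed sample lines in a generic key=value layout. This is NOT Check Point's
# actual log format; it only stands in for an exported log so the triage can run offline.
SAMPLE_LOGS = """\
time=10:00:01 action=Accept src=192.168.10.21 dst=192.168.10.1 proto=udp dport=53
time=10:00:02 action=Drop src=192.168.10.21 dst=8.8.8.8 proto=udp dport=53 rule=Cleanup
time=10:00:02 action=Drop src=192.168.10.22 dst=8.8.4.4 proto=udp dport=53 rule=Cleanup
time=10:00:03 action=Accept src=192.168.10.21 dst=203.0.113.40 proto=udp dport=3490
time=10:00:04 action=Drop src=192.168.10.21 dst=203.0.113.41 proto=tcp dport=443 rule=Cleanup
time=10:00:05 action=Drop src=192.168.10.22 dst=203.0.113.41 proto=tcp dport=443 rule=Cleanup
time=10:00:06 action=Accept src=192.168.10.50 dst=198.51.100.7 proto=tcp dport=443
time=10:00:07 action=Drop src=192.168.10.21 dst=203.0.113.42 proto=udp dport=123 rule=Cleanup
time=10:00:08 action=Drop src=192.168.10.50 dst=198.51.100.9 proto=tcp dport=22 rule=Cleanup
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def ap_drops(logs: str, ap_hosts: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed records that are drops whose source is an access point."""
    hosts = set(ap_hosts)
    return [
        rec
        for rec in (parse_line(line) for line in logs.splitlines())
        if rec.get("action") == "Drop" and rec.get("src") in hosts
    ]


def summarize(drops: List[Dict[str, str]]) -> Counter:
    """Count dropped flows by (dst, proto, dport) so repeated retries stand out."""
    return Counter((r["dst"], r["proto"], int(r["dport"])) for r in drops)


def dropped_required_services(drops: List[Dict[str, str]]) -> Set[Tuple[str, int]]:
    """Which of the services Aruba requires are actually being dropped for the APs."""
    seen = {(r["proto"], int(r["dport"])) for r in drops}
    return seen & REQUIRED_SERVICES


def public_dns_drops(drops: List[Dict[str, str]]) -> Set[str]:
    """Dropped DNS queries to hardcoded public resolvers; these bypass the DHCP DNS entirely."""
    return {
        r["dst"]
        for r in drops
        if r["proto"] == "udp" and int(r["dport"]) == 53 and r["dst"] in PUBLIC_DNS
    }


if __name__ == "__main__":
    drops = ap_drops(SAMPLE_LOGS, AP_HOSTS)
    for (dst, proto, dport), n in summarize(drops).most_common():
        print(f"{n:3d}x drop -> {dst} {proto}/{dport}")
    print("required services dropped:", sorted(dropped_required_services(drops)))
    print("public DNS queries dropped:", sorted(public_dns_drops(drops)))
```

On the constructed sample this reports the two HTTPS drops to the same destination, one NTP drop, and both Google resolvers blocked for DNS, which is the pattern to look for: the APs may appear to resolve names fine from the firewall's own shell (as Lesley's nslookup check shows) while their own queries to 8.8.8.8/8.8.4.4 are being dropped by the cleanup rule.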
