fphillips
Participant

Whitelisted AWS domains still blocked

Just curious if anyone has any suggestions before I engage support. 

 

The basics are, we have whitelisted a domain to allow clients using particular software to access images that are hosted on the aws cdn.  Let's say it's abc123.us-east-1.amazonaws.com.

When clients go to access this content, the access is blocked by our fw (R81.20). The destination is shown as .s3.amazonaws.com within the log details pane, and the site is classified as File Sharing.

Currently the only solution to get these clients to access the content required is whitelist s3.amazonaws.com, which I'm not too excited about.

We currently have HTTPS inspection enabled, set to complete BYPASS due to some issues which we will be revisiting with R82 shortly.

Some reading online suggested the fw is classifying this access as s3.amazonaws.com if the CN of the certificate is set to s3.amazonaws.com.  I tested allowing my client full access to s3.amazonaws.com, accessed the resource of interest, and inspected the certificate and it shows:

Common Name (CN)
*.s3.amazonaws.com
 
I found a few other services we access that appear to host content on aws. One is Checkpoint Harmony which seems to use GoDaddy for CN, and hootsuite, which uses Let's Encrypt for CN.
 
Am I barking up the right tree here?  Is the certificate causing the fw to ignore the whitelisting of abc123.us-east-1.amazonaws.com?
 
I apologize for the convoluted question, if needed we will engage support.

 

0 Kudos
10 Replies
the_rock
MVP Diamond

I would make sure urlf/appc is enabled in policy layer and then create custom app group with *amazonaws*, allow that, install policy, done.

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
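To make the matching problem from the original question concrete, here is an added Python model (not Check Point code, and not how the gateway's matching engine actually works internally): it assumes that with HTTPS inspection in bypass mode the gateway keys its decision on a string derived from the certificate CN rather than the real bucket hostname, that a plain domain entry matches the host or any subdomain of it, and that `*` in a custom-application pattern matches any run of characters.

```python
import re

# Constructed sample values taken from the thread: the hostname that was
# whitelisted, the destination the log pane showed, and the certificate CN
# observed on the bucket.
WHITELISTED_HOST = "abc123.us-east-1.amazonaws.com"
LOGGED_DESTINATION = ".s3.amazonaws.com"
CERT_CN = "*.s3.amazonaws.com"


def cn_to_log_key(cn: str) -> str:
    """Reduce a wildcard CN such as '*.s3.amazonaws.com' to the '.s3.amazonaws.com'
    form seen in the log. Assumption about how the log renders it."""
    return cn[1:] if cn.startswith("*") else cn


def rule_matches(rule_entry: str, candidate: str) -> bool:
    """Assumed semantics: an entry containing '*' is a wildcard pattern
    (custom application style); a plain entry matches the domain itself
    or any subdomain of it."""
    if "*" in rule_entry:
        parts = [re.escape(p) for p in rule_entry.split("*")]
        return re.match("^" + ".*".join(parts) + "$", candidate, re.I) is not None
    candidate, rule_entry = candidate.lower(), rule_entry.lower()
    return candidate == rule_entry or candidate.endswith("." + rule_entry)


def evaluate(rule_entry: str) -> dict:
    """Test one rule entry against both strings the gateway might key on:
    the real hostname, and the CN-derived key the log actually showed."""
    return {
        "real_hostname": rule_matches(rule_entry, WHITELISTED_HOST),
        "cn_derived_key": rule_matches(rule_entry, cn_to_log_key(CERT_CN)),
    }


if __name__ == "__main__":
    # The original whitelist entry only matches the real hostname, so the
    # CN-keyed classification still lands on File Sharing and gets dropped.
    for entry in (WHITELISTED_HOST, "s3.amazonaws.com", "*amazonaws*"):
        print(f"{entry:35} -> {evaluate(entry)}")
```

Note that `*amazonaws*` also matches every other AWS-hosted destination, so a narrower pattern that still covers the CN-derived key is preferable where the policy allows it.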
the_rock
MVP Diamond

@fphillips 

This is what I meant.

 


Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
fphillips
Participant

Thanks so much for the quick response @the_rock

 

Will start looking into this and report back.  Thanks!

0 Kudos
the_rock
MVP Diamond

Give me few mins, will take a video of how I set this up in my lab and send it over.

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
the_rock
MVP Diamond

Here is the video. I would say, mind you, some people would disagree, but I always found having any any inspect at the bottom of the inspection policy works better than any any bypass. Also, with ordered layers, it is important to know that traffic has to be accepted on EVERY ordered layer, hence why I have any any allow at the bottom, except on the network layer.


 

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
fphillips
Participant

Wow, thanks @the_rock 

Very informative. Thanks for spending so much time to help troubleshoot this!  Hopefully we can see a success to resolving this soon! 

0 Kudos
the_rock
MVP Diamond

It's nothing really, that's what we are here for, to help others. I'm in EST, message me any time, I can do remote either after or before regular hours or during my break.

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
the_rock
MVP Diamond

Just curious, how many layers do you have in your policy? Just the network one or more? I find having multiple ordered layers like I did in my lab works the best. Obviously, no need for a 3rd layer, I just did that as a test.

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
fphillips
Participant

@the_rock We have two policies, which we handle for ports, and applications.  I followed your suggestion creating a custom app, defining the domains of interest.  This seems to have solved the issue with certain traffic now getting misclassified and dropped.  Appreciate your time again!  Hopefully this issue is fully resolved now!

 

 

the_rock
MVP Diamond

So partially solved? 🙂

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos