Hello,
We are using one educational site which is hosted in "xxxxx-rearch-xxxx.x.assets.s3.amazonaws.com" (scripts and images) and "xxxxxxxxx.cloudfront.net" (most of the images).
For that we have allowed that site's domain name along with both of these domains (xxxxx-rearch-xxxx.x.assets.s3.amazonaws.com, xxxxxxxxx.cloudfront.net) in an FQDN host, and also in Web --> Exceptions URL list with "Skip the selected checks or actions": HTTPS decryption, Malware and content scanning, Sandstorm, Policy checks.
Created a firewall rule that allows this FQDN host group without authentication, with Web policy "None" or "Allow all" and Application Control "None" or "Allow all", both ways.
AWS bucket IP addresses change very frequently, as they do this for security and for load balancing of traffic.
The problem I am facing is that when an IP address is not updated in the FQDN host list, the traffic is denied, so out of every 30 users, 8 users' requests get denied.
Discussed with the Sophos team and checked everything related to DNS also. Changed lots of DNS servers (127.0.0.1, 8.8.8.8, 8.8.4.4 and 1.1.1.1) for the FQDN host update list.
There are 24 or more IP address ranges for AWS S3 buckets and Cloudfront.net; if we allow all ranges, lots of other sites will be accessible without authentication, which is a great pain in an educational environment.
S3 Bucket and Cloudfront.net
https://ip-ranges.amazonaws.com/ip-ranges.json
Any solution for this?
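As an added example (not from the original post or from Sophos), the following script reads the ip-ranges.json document linked above and extracts only the S3 prefixes for one region plus the CloudFront prefixes, collapsing adjacent blocks so the resulting list is as small as possible; the bucket's region ("ap-south-1") and the embedded sample document are assumptions, the real file is far larger and its prefixes differ.

```python
import ipaddress
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the same shape as the real ip-ranges.json.
# The prefixes are documentation ranges, not real AWS addresses.
SAMPLE_DOC = json.loads("""
{
  "syncToken": "0000000000",
  "createDate": "2000-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/25",    "region": "ap-south-1", "service": "S3",         "network_border_group": "ap-south-1"},
    {"ip_prefix": "192.0.2.128/25",  "region": "ap-south-1", "service": "S3",         "network_border_group": "ap-south-1"},
    {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL",     "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1",  "service": "EC2",        "network_border_group": "us-east-1"},
    {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1",  "service": "AMAZON",     "network_border_group": "us-east-1"}
  ],
  "ipv6_prefixes": []
}
""")


def select_prefixes(doc, services, regions=None):
    """Return the IPv4 prefixes for the given services (and optionally only
    the given regions), collapsed so adjacent or duplicate blocks merge."""
    wanted = set(services)
    nets = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in doc["prefixes"]
        if p["service"] in wanted and (regions is None or p["region"] in regions)
    ]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def fetch_ranges(url=IP_RANGES_URL):
    """Download the live document. Rebuild the firewall list whenever the
    syncToken value changes, since AWS publishes new prefixes frequently."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Bucket region is an assumption; CloudFront prefixes are listed as GLOBAL.
    print("S3 prefixes:", select_prefixes(SAMPLE_DOC, {"S3"}, {"ap-south-1"}))
    print("CloudFront prefixes:", select_prefixes(SAMPLE_DOC, {"CLOUDFRONT"}))
```

Replace SAMPLE_DOC with fetch_ranges() to run against the live file; the region filter is what keeps the allow list from covering every S3 range worldwide.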