Amazon publishes a dynamically updated list of the IP address ranges used by AWS services.
Until R80.20, customers who wished to restrict access to AWS services based on IP addresses had to maintain a Network Group object containing the relevant Network objects built from the ranges Amazon provides. Customers had to update this object manually every time Amazon changed the list, and had to install policy after every change.
Check Point Solution for R80.20
- For each published AWS service, Check Point provides a Network Object that can be imported to SmartConsole as an Updatable Object.
- Each AWS Updatable Object matches a list of IP addresses according to the feed published by Amazon.
- On every update to the Amazon feed, these objects are updated automatically on the gateway (no policy installation is needed).
- When the source or destination IP address matches an object, the action is selected according to the policy.
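As an added illustration (not part of this sk article and not Check Point's implementation), the following Python script shows the matching that an AWS Updatable Object performs: it parses a feed in the shape of Amazon's published ip-ranges.json, groups prefixes by service, evaluates a small rulebase against source and destination IPs, and diffs two feed versions to show how a feed update changes the match result without any rulebase change. The feed contents, the rulebase and the function names are constructed for this example; the prefixes are documentation ranges, not real AWS ranges.

```python
import ipaddress
import json

# Constructed sample feeds in the shape of Amazon's published ip-ranges.json
# (syncToken, createDate, prefixes[], ipv6_prefixes[]). The address ranges are
# documentation/test ranges chosen for this example, not real AWS ranges.
FEED_V1 = json.dumps({
    "syncToken": "1000000001",
    "createDate": "2018-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1",
         "service": "EC2", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1",
         "service": "S3", "network_border_group": "us-east-1"},
    ],
})

# A later feed version: EC2 gains one prefix, S3 loses its IPv6 prefix.
FEED_V2 = json.dumps({
    "syncToken": "1000000002",
    "createDate": "2018-02-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1",
         "service": "EC2", "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.128/25", "region": "eu-west-1",
         "service": "EC2", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [],
})


def load_prefixes(feed_json):
    """Group IPv4 and IPv6 prefixes by service: {service: {ip_network, ...}}."""
    data = json.loads(feed_json)
    by_service = {}
    for entry in data.get("prefixes", []):
        by_service.setdefault(entry["service"], set()).add(
            ipaddress.ip_network(entry["ip_prefix"]))
    for entry in data.get("ipv6_prefixes", []):
        by_service.setdefault(entry["service"], set()).add(
            ipaddress.ip_network(entry["ipv6_prefix"]))
    return by_service


def matches_service(ip, service, by_service):
    """True if ip falls inside any prefix published for the given service."""
    addr = ipaddress.ip_address(ip)
    # ip_network containment checks only succeed for the same IP version,
    # so an IPv4 address never matches an IPv6 prefix and vice versa.
    return any(addr.version == net.version and addr in net
               for net in by_service.get(service, ()))


# Constructed rulebase: first match wins, implicit cleanup rule drops.
RULEBASE = [
    {"name": "allow-to-s3", "src": "Any", "dst": "S3", "action": "Accept"},
    {"name": "allow-from-ec2", "src": "EC2", "dst": "Any", "action": "Accept"},
]


def evaluate(src_ip, dst_ip, by_service, rulebase=RULEBASE, default="Drop"):
    """Select the action for a connection by matching Source/Destination
    columns that reference service objects against the loaded feed."""
    for rule in rulebase:
        src_ok = rule["src"] == "Any" or matches_service(src_ip, rule["src"], by_service)
        dst_ok = rule["dst"] == "Any" or matches_service(dst_ip, rule["dst"], by_service)
        if src_ok and dst_ok:
            return rule["action"]
    return default


def diff_feeds(old_json, new_json, service):
    """Return (added, removed) prefix strings for a service between two feeds."""
    old = load_prefixes(old_json).get(service, set())
    new = load_prefixes(new_json).get(service, set())
    return sorted(str(n) for n in new - old), sorted(str(n) for n in old - new)


if __name__ == "__main__":
    for version, feed in (("v1", FEED_V1), ("v2", FEED_V2)):
        by_service = load_prefixes(feed)
        print(version, "203.0.113.200 -> 10.0.0.5:",
              evaluate("203.0.113.200", "10.0.0.5", by_service))
    print("EC2 changes:", diff_feeds(FEED_V1, FEED_V2, "EC2"))
    print("S3 changes:", diff_feeds(FEED_V1, FEED_V2, "S3"))
```

The point of the two feed versions is the one the list above makes: the connection from 203.0.113.200 is dropped under the first feed and accepted under the second, while the rulebase itself never changes. That is exactly the maintenance burden the Updatable Object removes, and it is also why a change report like `diff_feeds` is worth logging on every feed refresh, so that an unexpected widening of a service's ranges is visible to the administrator.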
In the rule's Source or Destination column, click the '+' button, choose 'Import' > 'Updatable Objects', and then select the relevant AWS service from the AWS Services section.
Below is an example of AWS Updatable Objects added to the Source and Destination columns of an Access Control rule:
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.