Policy including A record to multiple IPs


We'd like to block a server from getting to anywhere but a handful of IPs and s3.amazonaws.com. I set up an Alias, etc., but this didn't work, as it didn't seem to check for all of the IPs this uses. I've checked the DNS on the WatchGuard, and I've seen other threads in a similar vein, but couldn't make it work. Any advice?

FireboxV running 12.5.3, so yes, I understand it needs to be updated, but I hoped to fix this before the scheduled downtime.

    It seems that the DNS lookup result for s3.amazonaws.com changes every few seconds.
    It is not clear how many unique IP addrs are used for s3.amazonaws.com. Perhaps it is more than 255... and some accesses are using ones that are no longer in the firewall IP addr cache.

    From the docs:
    Each domain can map up to 255 IP addresses. Older IP addresses are dropped when the maximum is reached.

    Consider opening a support incident on this to get help from a WG rep.

    james.carson, Moderator, WatchGuard Representative

    s3.amazonaws.com is going to be a huge list of IPs that the firewall is going to truncate. This may potentially work with a more specific domain.

    -James Carson
    WatchGuard Customer Support
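As an added worked example (not part of this thread and not WatchGuard code), the following Python models the behaviour the two replies above describe: a per-domain cache that keeps at most 255 observed IPs and drops the oldest, fed by a resolver whose answers rotate through a larger pool. A host that resolved the name once and keeps using that address is allowed for a while, then denied once the firewall has observed 255 other addresses, then allowed again when the rotation comes back round; the same host behind a name with fewer than 255 addresses is never denied. Assumptions not taken from the page: the cache refreshes an IP it sees again rather than ageing it, each answer carries 8 addresses, the toy resolver rotates the pool in fixed chunks, and the pool is built from RFC 5737 documentation addresses rather than real S3 ones.

```python
import ipaddress
from collections import OrderedDict

MAX_IPS_PER_DOMAIN = 255   # per-domain limit quoted from the WatchGuard docs above


class FqdnAliasCache:
    """Model of one FQDN entry in a firewall alias: the distinct IPs seen in
    DNS answers, at most `cap` of them, with the oldest dropped first.
    This is an assumed reading of the documented behaviour, not WatchGuard
    code; it also assumes a re-observed IP is refreshed rather than aged."""

    def __init__(self, cap=MAX_IPS_PER_DOMAIN):
        self.cap = cap
        self.ips = OrderedDict()          # ip -> None; insertion order == age

    def observe(self, answer):
        for ip in answer:
            if ip in self.ips:
                self.ips.move_to_end(ip)  # refreshed (assumption)
            else:
                self.ips[ip] = None
            while len(self.ips) > self.cap:
                self.ips.popitem(last=False)  # drop the oldest entry

    def allows(self, ip):
        return ip in self.ips


def make_pool(size):
    """Constructed address pool standing in for a service's DNS footprint.
    Drawn from the RFC 5737 documentation ranges: these are not S3 addresses."""
    nets = ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")
    hosts = [str(h) for n in nets for h in ipaddress.ip_network(n).hosts()]
    if size > len(hosts):
        raise ValueError("pool larger than the documentation ranges allow")
    return hosts[:size]


class RotatingDns:
    """Toy resolver: each query returns the next `answer_size` pool entries,
    wrapping around, so successive answers differ (a stand-in for the
    'result changes every few seconds' observation, not AWS's real rotation)."""

    def __init__(self, pool, answer_size=8):
        self.pool, self.n, self.cursor = pool, answer_size, 0

    def resolve(self):
        size = len(self.pool)
        answer = [self.pool[(self.cursor + i) % size] for i in range(self.n)]
        self.cursor = (self.cursor + self.n) % size
        return answer


def simulate(pool_size, polls=150, cap=MAX_IPS_PER_DOMAIN, answer_size=8):
    """The host resolves the name once and keeps using that IP (resolver
    cache / connection pool); the firewall re-resolves every tick with its
    own resolver.  Returns one verdict per tick: would a new connection
    from the host to its IP match the alias right after that tick's lookup?"""
    pool = make_pool(pool_size)
    host_ip = RotatingDns(pool, answer_size).resolve()[0]
    firewall_dns = RotatingDns(pool, answer_size)   # separate resolver state
    cache = FqdnAliasCache(cap)
    verdicts = []
    for _ in range(polls):
        cache.observe(firewall_dns.resolve())
        verdicts.append(cache.allows(host_ip))
    return verdicts


def denied_ticks(verdicts):
    """Tick indices at which the host's connection would be blocked."""
    return [t for t, ok in enumerate(verdicts) if not ok]


if __name__ == "__main__":
    # Hypothetical names: one backed by 600 addresses, one by 64.
    for name, size in (("big-service.example", 600), ("small-service.example", 64)):
        blocked = denied_ticks(simulate(size))
        print(f"{name}: {size} IPs behind the name, "
              f"blocked on {len(blocked)} of 150 ticks "
              f"(first block at tick {blocked[0] if blocked else 'never'})")
```

Running it prints, for each name, how many of 150 firewall lookups leave the host's address outside the alias. For the 600-address name the host is allowed for the first 31 lookups, blocked for the next 44 once 255 newer addresses have pushed its entry out, allowed again when the rotation returns to it, and so on; that on-and-off pattern is the symptom in the original post. For the 64-address name nothing is ever dropped, which is the case the moderator's "more specific domain" suggestion relies on.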
