Allow external access to AWS services

We have an in-house developed app that communicates with an AWS hosted third party service. That external service is hosted on the US-EAST-1 region of AWS. What is the best way to allow outbound access from an internal device to those external services? I do not really want to add ALL of the US-EAST-1 networks into an allow rule. Or do I?

It would be ideal if I could set up a rule that is process name based.

I have an XTM525.

What is the best way to proceed here?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @JoshuaThompson

    Depending on the Fireware version you're running, you can set up FQDN rules to allow access by FQDN.

    (About Policies by Domain Name (FQDN))
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/fqdn_about_c.html

    Policies by FQDN work best if the firewall is able to see the DNS requests from the client traverse the firewall so it can snoop the replies it gets (as the firewall asking itself may return a different answer).

    If you're running an older version that doesn't support FQDN, you'll need to allow via IP address.

    -James Carson
    WatchGuard Customer Support
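The DNS-snooping behaviour described above, as an added toy model that is not WatchGuard code and does not reproduce Fireware's actual implementation: the policy is keyed by FQDN, the firewall parses DNS replies that cross it (including a CNAME chain to a load balancer, which is typical for AWS-hosted services) and learns which destination IPs the FQDN rule currently covers. A connection to an address the firewall never saw in a reply is denied, which is exactly what happens when clients resolve names through an internal DNS server whose replies do not traverse the firewall. The names under `example.test` and the 192.0.2.x addresses are constructed for the example.

```python
import struct

# Added example: a minimal model of an FQDN-based allow rule whose address set
# is learned only from DNS replies the firewall actually sees.


def encode_name(name: str) -> bytes:
    """Wire-format a DNS name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_reply(txid: int, qname: str, answers) -> bytes:
    """Constructed DNS reply for testing. answers = [(owner, "A"|"CNAME", rdata)].
    Owners equal to the question name use a compression pointer, as real resolvers do."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    body = b""
    for owner, rtype, rdata in answers:
        owner_bytes = b"\xc0\x0c" if owner == qname else encode_name(owner)
        if rtype == "A":
            code, rd = 1, bytes(int(o) for o in rdata.split("."))
        else:
            code, rd = 5, encode_name(rdata)
        body += owner_bytes + struct.pack(">HHIH", code, 1, 60, len(rd)) + rd
    return header + question + body


def parse_name(data: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, end, jumps = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_dns_reply(data: bytes):
    """Return [(owner, "A"|"CNAME", rdata, ttl)] from the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = parse_name(data, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = parse_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata_off, off = off, off + 10 - 10 + rdlen
        if rtype == 1 and rdlen == 4:
            records.append((owner, "A", ".".join(str(b) for b in data[rdata_off:off]), ttl))
        elif rtype == 5:
            target, _ = parse_name(data, rdata_off)
            records.append((owner, "CNAME", target, ttl))
    return records


class FqdnPolicy:
    """Allow rule keyed by FQDN; the IP set exists only after replies are snooped."""

    def __init__(self, fqdns):
        self.fqdns = {f.lower().rstrip(".") for f in fqdns}
        self.learned = {}  # destination IP -> policy FQDN that justified it

    @staticmethod
    def _canonical(name, aliases):
        for _ in range(8):  # follow a bounded CNAME chain
            if name not in aliases:
                break
            name = aliases[name]
        return name

    def observe_reply(self, packet: bytes) -> None:
        records = parse_dns_reply(packet)
        aliases = {o: t for o, kind, t, _ in records if kind == "CNAME"}
        targets = {self._canonical(f, aliases): f for f in self.fqdns}
        for owner, kind, rdata, _ttl in records:
            if kind == "A" and owner in targets:
                self.learned[rdata] = targets[owner]

    def decide(self, dst_ip: str) -> str:
        return "allow" if dst_ip in self.learned else "deny"


def demo():
    """Returns decisions before and after the firewall sees the client's DNS reply."""
    reply = build_dns_reply(0x1234, "api.example.test", [
        ("api.example.test", "CNAME", "lb.example.test"),
        ("lb.example.test", "A", "192.0.2.10"),
        ("lb.example.test", "A", "192.0.2.11"),
    ])
    policy = FqdnPolicy(["api.example.test"])
    before = policy.decide("192.0.2.10")  # reply never crossed the firewall: deny
    policy.observe_reply(reply)
    after = policy.decide("192.0.2.10")   # learned from the snooped reply: allow
    return before, after


if __name__ == "__main__":
    print(demo())
```

The `before` decision is the symptom to check for when an FQDN rule "blocks IPs anyway": confirm with a packet capture on the client-facing interface that the DNS query and its reply actually pass through the firewall, rather than being answered by an internal resolver on the same segment.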

  • Thank you James. We are using FQDN in the rule but the IP addresses are still being blocked. Our DNS on the firewall points to our internal DNS servers.

  • james.carson Moderator, WatchGuard Representative

    Hi @JoshuaThompson

    I'd suggest opening a case with support -- they'll be able to take a look at your logs and look into this further with you.

    -James Carson
    WatchGuard Customer Support
