Cyberoam stops access to AWS cloudfront hosted sites

Some clients using Cyberoam firewalls have reported being unable to access particular secure websites hosted on Amazon Web Services CloudFront. One example is https://app.safetyculture.io

This is because the AWS servers have started including a new cipher which is currently not supported by the Cyberoam Web Proxy.
Checking the cipher suite for the website shows that it is using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f).
The website does not work because the Cyberoam proxy does not currently support cipher suite 0xc02f, which is why the server closes the connection with an Alert (Level: Warning, Description: Close Notify).
The CROS proxy doesn't support cipher suite 0xc02f, and adding it is considered a feature request. According to the Product Team, there are currently no plans to include this feature request in the Cyberoam firewall with CR-OS.
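The diagnosis above rests on the cipher suite fields of the TLS hello messages. The following is an added example, not code from the original post or from Cyberoam: it reads those fields from a raw hello record exported from a packet capture and reports whether 0xc02f appears. All function names are hypothetical and the sample records are constructed.

```python
import struct

PAGE_SUITE = 0xC02F  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, the suite named above

def hello_cipher_suites(record: bytes):
    """Return (handshake_type, [suite ids]) from one raw TLS hello record.

    handshake_type 1 = ClientHello (suites offered), 2 = ServerHello (suite chosen).
    Hellos fragmented across several records are rejected, not reassembled.
    """
    if len(record) < 9:
        raise ValueError("too short for a TLS handshake record")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if len(msg) != hs_len or hs_len < 35:
        raise ValueError("truncated or fragmented hello")
    pos = 2 + 32                  # skip legacy_version and random
    pos += 1 + msg[pos]           # skip session_id (1-byte length prefix)
    if hs_type == 1:              # ClientHello: 2-byte length, then the list
        n = int.from_bytes(msg[pos:pos + 2], "big")
        raw = msg[pos + 2:pos + 2 + n]
    elif hs_type == 2:            # ServerHello: exactly one chosen suite
        n, raw = 2, msg[pos:pos + 2]
    else:
        raise ValueError("not a ClientHello or ServerHello")
    if not n or n % 2 or len(raw) != n:
        raise ValueError("malformed cipher suite field")
    return hs_type, [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]

def suite_in_hello(record: bytes, suite: int = PAGE_SUITE) -> bool:
    """True if the hello offers (client) or selects (server) the given suite."""
    return suite in hello_cipher_suites(record)[1]

def _record(hs_type: int, payload: bytes) -> bytes:
    hs = bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs

_PREFIX = b"\x03\x03" + bytes(32) + b"\x00"   # version, zero random, empty session_id
# Constructed samples: a client offering only 0x002f and 0x0035 (an assumed list,
# not Cyberoam's real one) and a server selecting 0xc02f.
CLIENT_HELLO = _record(1, _PREFIX + b"\x00\x04\x00\x2f\x00\x35" + b"\x01\x00")
SERVER_HELLO = _record(2, _PREFIX + b"\xc0\x2f" + b"\x00")
```

Running `suite_in_hello` on the ClientHello the proxy sends upstream shows whether 0xc02f is offered at all; running it on the ServerHello a direct client receives shows whether the site selects it.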

To work around this issue, create a new FQDN host for each site that has the issue. Add them to an FQDN group, which I have called AWS Cloudfront sites. Create a new LAN to WAN firewall rule with that FQDN group as the destination, as shown below:
