When Aruba Central initiates webhook connection it is using IP address which is just some AWS IP address. Instead of some general AWS IP we should know that is the FQDN we should whitelist in the firewall in order to allow webhook traffic from Aruba Central to reach splunk server sitting behind firewall.
We had a TAC call on Tuesday and now some engineering people were attending the call, so hopefully we get this fixed soon.
gone fishing.
Original Message:
Sent: Apr 23, 2023 10:32 PM
From: ariyap
Subject: Aruba Central and SPLUNK - what to whitelist?
please share a link to Aruba Central documentation that is using an non-documented AWS IP address.
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Apr 17, 2023 10:29 AM
From: vmjunkkari
Subject: Aruba Central and SPLUNK - what to whitelist?
I'll take this back. Nor is documentation updated and webhook message initiated from Aruba Central is still using non-documented AWS IP address.
Isn't there really anyone using Aruba Central webhooks to send notifications to company SPLUNK server sitting behing firewall?
------------------------------
gone fishing.
Original Message:
Sent: Mar 27, 2023 03:25 AM
From: vmjunkkari
Subject: Aruba Central and SPLUNK - what to whitelist?
All right. Now TAC admitted there's an error in the Central docs. Online documentation has been updated with correct URL.
------------------------------
gone fishing.
Original Message:
Sent: Mar 23, 2023 02:19 PM
From: vmjunkkari
Subject: Aruba Central and SPLUNK - what to whitelist?
I suppose not that many have implemented SPLUNK integration in EU Central region?
My concern is related to SPLUNK security since I haven't been able to find out definite Aruba documentation related to URL whitelisting. EU Central region has been documented to use an URL which is not resolvable in DNS. I tend to think this is incorrect information in the documentation but TAC is not providing any insight here.
------------------------------
gone fishing.
Original Message:
Sent: Mar 21, 2023 06:37 AM
From: vmjunkkari
Subject: Aruba Central and SPLUNK - what to whitelist?
Hello!
We have a setup where Aruba Central is using EU Central region. We are to integrate customer's SPLUNK via the use of webhooks. Customer's SPLUNK sits behind a firewall. We have been configuring the firewall whitelisting based on Aruba Central documentation (Opening Firewall Ports for Device Communication). We configured SPLUNK URL settings to Aruba Central and then initiated a test query, but it seems the source IP the firewall sees is none of the available IPs you see once you have resolved the URLs defined in the documentation. In our case the following: eucentral3.central.arubanetworks.com and device-eucentral3.central.arubanetworks.com. We are seeing traffic towards SPLUNK server (and port!) initiated from general public AWS IP and of course we cannot just open up the firewall for random public AWS IP. We will be using URLs in our firewall policy in the production: reference to one IP only is here just for understanging the issue.
Can anyone confirm if the URLs listed in the documentation are up to date? It kind of buggers me to see that eucentral3.central.arubanetworks.com is not a DNS resolvable URL.
------------------------------
gone fishing.
------------------------------