Skip to main content
x_member
x_member
New Member
July 19, 2017
Solved

SSL Inspection blocks Windows Update despite exemptions (Windows 10),

  • July 19, 2017
  • 2 replies
  • 25928 views

FortiOS 5.2.11 on FGT 60D

 

I'm attempting to re-introduce deep inspection of outbound traffic from laptops used on our network following a long standing ssl inspection issue being patched.

The ssl inspection configuration and exemptions we had in place prior to the bug allowed laptops to run Windows Update without issue.

Currently on my laptop (Windows 10 Pro) Windows Update fails with error 0x80240437 when run from behind the Fortigate; if I run from within our guest network (which is not behind a Fortigate / SSL inspection) it completes successfully.

 

I can see in the WindowsUpdate.log that this is (probably) down to a certificate check failure:

2017/07/19 10:36:59.4330139 16176 14616 IdleTimer [0]3F30.3918::07/19/2017-10:36:59.433 [agent]WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 10; does<NULL> use network; is<NULL> at background priority<NULL>
2017/07/19 10:36:59.4330826 16176 14616 WebServices [0]3F30.3918::07/19/2017-10:36:59.433 [webserviceinfra]Auto proxy settings for this web service call.
2017/07/19 10:37:00.4889480 16176 14616 WebServices [0]3F30.3918::07/19/2017-10:37:00.488 [client]Certificate failed SSL intermediate CA check.
2017/07/19 10:37:00.4890632 16176 14616 WebServices [0]3F30.3918::07/19/2017-10:37:00.489 [webserviceinfra]WS error: There was an error communicating with the endpoint at 'https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx'.
2017/07/19 10:37:00.4890703 16176 14616 WebServices [0]3F30.3918::07/19/2017-10:37:00.489 [webserviceinfra]Web service call failed with hr = 80240437.

 

I've spent numerous hours trying to resolve this, however I cannot see what I am missing despite an ever expanding list of exemptions under my "WindowsUpdate" address group:

 

config firewall ssl-ssh-profile
    edit "deep-inspection"
        set comment "Deep inspection."
            config https
                set ports 443
            end
            config ftps
                set ports 990
            end
            config imaps
                set ports 993
            end
            config pop3s
                set ports 995
                set status disable
            end
            config smtps
                set ports 465
            end
            config ssl-exempt
                <snipped for brevity>
                edit 27
                    set type address
                    set address "WindowsUpdate"
            end
        set caname "DPI"
        set ssl-invalid-server-cert-log enable
    end 
 
config firewall addrgrp
    edit "WindowsUpdate"
        set uuid 38db89c2-e371-51e4-1f5b-c23edb9bdf46
        set member "*.download.windowsupdate.com" "*.update.microsoft.com" "*.windowsupdate.com" "*.windowsupdate.microsoft.com" "download.microsoft.com" "download.windowsupdate.com" "ds.download.windowsupdate.com" "msftncsi.com" "ntservicepack.microsoft.com" "stats.update.microsoft.com" "test.stats.update.microsoft.com" "update.microsoft.com" "windowsupdate.microsoft.com" "wustat.windows.com" "crl.microsoft.com" "ctldl.windowsupdate.com" "au.download.windowsupdate.com" "fe2.update.microsoft.com" "AkamaiContentDelivery" "delivery_mp_microsoft_com" "ws_microsoft_com" "fe3_update_microsoft_com" "sls_microsoft_com"
    end

 

For servers we use a separate application control policy to allow updates that is only enabled during maintenance windows; laptop web traffic is not restricted, we simply wish to scan HTTPS for IPS /  AV purposes.

 

My guess is that some additional mechanisms have been introduced by Microsoft since we last had this policy enabled for laptops - I'd appreciate any pointers from the community at this stage.

    Best answer by hmtay_FTNT

    Hello CodeMonkey,

     

    Can you do a packet capture with the settings you have right now? I can identify which session was blocked by the IPS Engine for you. We just have to look for sessions where the Fortigate replaces the SSL Certificate. You can send it to me at my email at hmtay@fortinet.com

     

    Homing

    2 replies

    x_member
    x_memberAuthor
    New Member
    July 19, 2017

    For completeness, the address group members:


    config firewall address
     edit "*.download.windowsupdate.com"
            set uuid d38ab5ee-e2b6-51e4-6811-7ee23f1e5878
            set type fqdn
            set fqdn "*.download.windowsupdate.com"
        next
        edit "*.update.microsoft.com"
            set uuid 7ed92d50-e2b6-51e4-0a3d-207abf35eb4d
            set type fqdn
            set fqdn "*.update.microsoft.com"
        next
     edit "*.windowsupdate.com"
            set uuid 8f997938-e2b6-51e4-ebad-5f46365f3ab4
            set type fqdn
            set fqdn "*.windowsupdate.com"
        next
     edit "*.windowsupdate.microsoft.com"
            set uuid 66ebdab2-e2b6-51e4-0205-d64a7fc3836a
            set type fqdn
            set fqdn "*.windowsupdate.microsoft.com"
            set uuid bda89f7a-e2b6-51e4-ac56-3a6fe6fa1547
        next
     edit "download.microsoft.com"
            set type fqdn
            set fqdn "download.microsoft.com"
        next
     edit "download.windowsupdate.com"
            set uuid a04589b6-e2b6-51e4-8380-45c0c9fb0079
            set type fqdn
            set fqdn "download.windowsupdate.com"
        next
        edit "ds.download.windowsupdate.com"
            set uuid 3eb02cd2-e361-51e4-9f9d-f30206ea75e1
            set type fqdn
            set fqdn "ds.download.windowsupdate.com"
        next
        edit "msftncsi.com"
            set uuid 1e7ec04a-e2b7-51e4-fab0-ee96a6805e60
            set type fqdn
            set fqdn "msftncsi.com"
        next
        edit "ntservicepack.microsoft.com"
            set uuid 0b511536-e2b7-51e4-c03e-fe226297dac7
            set type fqdn
            set fqdn "ntservicepack.microsoft.com"
        next
        edit "stats.update.microsoft.com"
            set uuid f4afa0d6-e2b6-51e4-2c03-d7c1c23a31a0
            set type fqdn
            set fqdn "stats.update.microsoft.com"
        next
        edit "test.stats.update.microsoft.com"
            set uuid 14ac0860-e358-51e4-fee2-a9d3c2029924
            set type fqdn
            set fqdn "test.stats.update.microsoft.com"
        next
        edit "update.microsoft.com"
            set uuid b1948a3a-9ffb-51e4-f60b-81a1028a1e41
            set type fqdn
            set fqdn "update.microsoft.com"
        next
        edit "windowsupdate.microsoft.com"
            set uuid 53e9615a-e2b6-51e4-0a82-3dff7b063060
            set type fqdn
            set fqdn "windowsupdate.microsoft.com"
        next
        edit "wustat.windows.com"
            set uuid 3118405a-e2b7-51e4-2db2-7282d055c0b5
            set type fqdn
            set fqdn "wustat.windows.com"
        next
        edit "crl.microsoft.com"
            set uuid 3fffce5e-e379-51e4-1a51-784f8b01b019
            set type fqdn
            set fqdn "crl.microsoft.com"
        next
        edit "ctldl.windowsupdate.com"
            set uuid 4ff14cde-e379-51e4-d24e-a52781fd37b5
            set type fqdn
            set fqdn "ctldl.windowsupdate.com"
        next
        edit "au.download.windowsupdate.com"
            set uuid 2dd995fc-e379-51e4-59dd-5842c00704a4
            set type fqdn
            set fqdn "au.download.windowsupdate.com"
        next
        edit "fe2.update.microsoft.com"
            set uuid 0037da80-fc8a-51e4-e1b9-eaef59739967
            set type fqdn
            set fqdn "fe2.update.microsoft.com"
        next
        edit "AkamaiContentDelivery"
            set uuid 220095f8-2c5a-51e5-797a-63c7cee9ab2e
            set member "AkamaiContent1" "AkamaiContent2"
            set comment "Akamai content delivery network"
        next
        edit "AkamaiContent1"
            set uuid ebe86900-2c59-51e5-b90f-0a21d8b4f988
            set type fqdn
            set comment "Akamai content delivery network"
            set associated-interface "wan1"
            set fqdn "*.deploy.akamaitechnologies.com"
        next
        edit "AkamaiContent2"
            set uuid 03d551f4-2c5a-51e5-f53e-866580e98268
            set type fqdn
            set comment "Akamai content delivery network"
            set associated-interface "wan1"
            set fqdn "*.deploy.static.akamaitechnologies.com"
        next
        edit "delivery_mp_microsoft_com"
            set uuid ac65c496-6b9d-51e7-cd20-8932289339c0
            set type fqdn
            set fqdn "*.delivery.mp.microsoft.com"
        next
        edit "ws_microsoft_com"
            set uuid ea0fef4c-6bcf-51e7-35de-8f16af209be7
            set type fqdn
            set fqdn "*.ws.microsoft.com"
        next
        edit "fe3_update_microsoft_com"
            set uuid 9d42cebe-6c56-51e7-dadf-f7be7034f1a7
            set type fqdn
            set fqdn "fe3.update.microsoft.com"
        next
        edit "sls_microsoft_com"
            set uuid 83a23cce-6c65-51e7-e0cd-88664b237127
            set type fqdn
            set fqdn "*.sls.microsoft.com"
        end

     

    hmtay_FTNT
    Staff
    hmtay_FTNTAnswer
    Staff
    July 21, 2017

    Hello CodeMonkey,

     

    Can you do a packet capture with the settings you have right now? I can identify which session was blocked by the IPS Engine for you. We just have to look for sessions where the Fortigate replaces the SSL Certificate. You can send it to me at my email at hmtay@fortinet.com

     

    Homing

    x_member
    x_memberAuthor
    New Member
    July 21, 2017

    hmtay wrote:

    Hello CodeMonkey,

     

    Can you do a packet capture with the settings you have right now? I can identify which session was blocked by the IPS Engine for you. We just have to look for sessions where the Fortigate replaces the SSL Certificate. You can send it to me at my email at hmtay@fortinet.com

     

    Homing

    Hi Homing, 

     

    Thanks for the offer, but I now have a ticket open with support to help me resolve this. 

    I think it's probably better I proceed with debugging via the ticket.

     

    I'll update this thread with the solution once resolved.

    ergotherego
    ergotherego
    New Member
    August 18, 2017

    Hi CodeMonkey,

     

    Is this working for you? I am trying to do something similar. I want to enable outbound HTTP/HTTPS traffic to Windows Update, but block other traffic.

     

    I tried using FQDN records but due to CDN the firewall and servers end up getting different IP addresses sometimes - even when using the same DNS resolver.

     

    I do see you have a few names in your list that I don't have in mine, so was curious if it's been stable for you using that addrgrp you have. Also, how did you come to know those Akamai records? I haven't seen those in postings about Windows Update domain names.

     

    Thanks,

    x_member
    x_memberAuthor
    New Member
    August 18, 2017

    Hi ergotherego,

     

    Yes, I have Windows Update working successfully in the scenario covered in this thread. 

    Regarding the additional names I have - they may not all be relevant at this time but they seemed to be when I first looked to install our Fortigates a couple of years ago. Things have obviously moved on since then hence my need to post on this subject.

     

    Regarding your situation I'm not really sure what to suggest, as we allow all web traffic for the laptops (excluding known bad actors using web filters etc.). Perhaps a separate policy using application control might be more appropriate for your needs? We use this approach for windows updates on servers, with specific policies permitting Windows Updates traffic enabled during maintenance windows only.

    Terms & ConditionsAccessibility statement