BBoozer
New Member
September 10, 2013
Question

Whitelist Updates via FortiManager

  • September 10, 2013
  • 2 replies
  • 5183 views
I am attempting to update our whitelist w/o success. I have added a single address to the Whitelist that is attached to our current profile. Our Global FortiGuard Services policy shows it is set to automatic. I am thinking there must be a script required to run to push the whitelist to all our FortiGates & FortiWiFis in the field. However, I cannot locate anything in the documentation and it is crunch time. Any ideas? FortiManager 3000c on 4.0 MR3 Patch Release 11.


    FortiRack_Eric
    New Member
    September 10, 2013
    Use FortiManager 5.0.3 (latest) to manage FortiGates. Way, way better than the FMG 4.3.x, even with 4.3.x FortiGates. Make an ADOM in 4.3 mode and you're good to go.
    BBoozer (Author)
    New Member
    September 10, 2013
    Simply not an option. We have over 1200 FortiGates/WiFis in the field, and a change control of that magnitude would require weeks of testing before approval. This needs to push immediately.
    Dave_Hall
    New Member
    September 10, 2013
    Create a CLI script (under Root ADOM -> Device Manager -> Tools -> Script -> CLI Script) that does something similar to the following:

        config webfilter urlfilter
            edit 1
                config entries
                    edit " .*update\\.microsoft\\.com.*"
                        set action monitor
                        set type regex
                    next
                    edit " .*download\\.windowsupdate\\.com.*"
                        set action monitor
                        set type regex
                    next
                    edit " .*\\.microsoft\\.com.*"
                        set action monitor
                        set type regex
                    next
                end
                set name " defined-urlfilter"
            next
        end

    Next, set up the FGT device group/schedule for running the script:

    1. Under Device Manager (Root), right-click on the FortiGate group, choose Script -> Scheduled Scripts -> Create New -> Select Script -> {name of script from above}.
    2. Uncheck "Run on DB (Only CLI Scripts)" (if you want the script run directly on the FGT devices).
    3. Under "Select Execute Type" choose the schedule type.
    4. Check "Exclude Certain Devices from the Group" if you want to exclude some devices from the script run.

    Note the above is untested and I am not sure if you need to run the script against the DB or not (i.e. the FGT device may go out of sync with the FMG). Also, I suggest running the script on a stand-alone FGT to confirm it is running properly (you may need to remove the padded spaces). Again, the above is untested -- use this info at your own risk.

    Edit: I am assuming the whitelist is a URL filter list (but any script code should do).
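As an added example that is not part of the thread: a small Python generator that builds a script of the same shape as the snippet above from a plain list of host names (so every dot is escaped and every backslash doubled the same way), plus a check for whitespace padded inside the quotes, which the reply warns about. The entry layout copies the snippet; whether it is valid on the target FortiOS release is an assumption to verify against that release's CLI reference.

```python
import re

# A literal dot must be written as \\. inside a double-quoted CLI string:
# the CLI unescapes \\ to \, and the regex engine then sees \. (one dot).
FORTIOS_ESCAPED_DOT = "\\\\."

def domain_to_fortios_regex(domain):
    """Wrap a host name in the .*...* form used by the thread's entries.
    A leading dot (".microsoft.com") keeps the third entry's meaning: a dot
    must precede "microsoft.com", so "notmicrosoft.com" does not match."""
    host = domain.strip().lower()
    if not re.fullmatch(r"[a-z0-9.-]+", host):
        raise ValueError(f"unexpected characters in host name: {domain!r}")
    return ".*" + host.replace(".", FORTIOS_ESCAPED_DOT) + ".*"

def build_urlfilter_script(domains, filter_id=1, name="defined-urlfilter",
                           action="monitor"):
    """Emit the script. Assumption: entries keyed by the regex string, as
    in the thread's snippet, are valid on the target FortiOS release."""
    lines = ["config webfilter urlfilter", f"    edit {filter_id}",
             "        config entries"]
    for domain in domains:
        lines += [f'            edit "{domain_to_fortios_regex(domain)}"',
                  f"                set action {action}",
                  "                set type regex",
                  "            next"]
    lines += ["        end", f'        set name "{name}"', "    next", "end"]
    return "\n".join(lines) + "\n"

# A quoted string that starts with a space or tab on the same line.
PADDED_QUOTE = re.compile(r'"([ \t][^"\n]*)"')

def find_padded_strings(script):
    """Return quoted values with leading whitespace. In a regex entry the
    space becomes a required literal, so the entry never matches a URL; in
    'set name' it becomes part of the filter name."""
    return PADDED_QUOTE.findall(script)

# Constructed input: the three hosts from the thread.
HOSTS = ["update.microsoft.com", "download.windowsupdate.com", ".microsoft.com"]

# Constructed copy of two lines as the forum rendered them (padded quotes).
PADDED_SAMPLE = ('edit " .*update\\\\.microsoft\\\\.com.*"\n'
                 'set name " defined-urlfilter"\n')

if __name__ == "__main__":
    print(build_urlfilter_script(HOSTS))
    print("padded values:", find_padded_strings(PADDED_SAMPLE))
```

Running the generated output through find_padded_strings before scheduling it on FortiManager catches the copy-and-paste artifact the reply mentions without touching a device.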