Contributor
July 21, 2006
Question

Windows Updates

  • July 21, 2006
  • 4 replies
  • 7148 views
Hello, can anyone help me with whitelisting the Windows Update sites? I have added microsoft.com and windowsupdate.microsoft.com to the URL exempt list but not all of the updates work. I have 4 Fortigate F60s and one F100A with Ver 3.0 OS. I have ocget.dll being blocked due to the antivirus file block list and also some .exe files which I am blocking as well. The way I understood it was that if you put a URL on the exempt list it will bypass the antivirus rules. Am I wrong? Please help.


    Contributor
    July 21, 2006
    I would suggest looking at the log files to see what is being blocked. Many of the Windows Update servers are hosted by Akamai Technologies. Therefore, many updates will attach to other servers. I think it's done by either a redirect or DNS round robin. So, if you check the log and add those IPs or URLs, it may work.
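
The log check suggested in the reply above, as an added example that is not part of the original thread: a Python script that groups blocked downloads by host and separates hosts already covered by the exempt entries from those that are not. The log lines are constructed and their field names (`status`, `hostname`, `file`) are assumptions; adjust them to the actual log export.

```python
import shlex
from collections import defaultdict

# Exempt entries named in the thread.
EXEMPT = ("microsoft.com", "windowsupdate.microsoft.com")

# Constructed sample lines in a key=value style; the field names are
# assumptions for illustration, not a documented log format.
SAMPLE_LOG = """\
date=2006-07-21 time=10:02:11 status=blocked service=http hostname="download.windowsupdate.com" file="ocget.dll" msg="File is blocked."
date=2006-07-21 time=10:02:15 status=blocked service=http hostname="a248.e.akamai.example" file="update-kb000000.exe" msg="File is blocked."
date=2006-07-21 time=10:03:40 status=blocked service=http hostname="www.microsoft.com" file="setup.exe" msg="File is blocked."
date=2006-07-21 time=10:04:02 status=passed service=http hostname="intranet.example" file="report.doc" msg="ok"
date=2006-07-21 time=10:05:19 status=blocked service=http hostname="notmicrosoft.com" file="tool.exe" msg="File is blocked."
"""

def parse_line(line):
    """Split one key=value log line into a dict; quoted values may hold spaces."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def is_exempt(host, exempt=EXEMPT):
    """True if host equals an exempt domain or is a subdomain of one (label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in exempt)

def blocked_by_host(log_text, exempt=EXEMPT):
    """Group blocked file names by host: (covered by exempt list, not covered)."""
    covered, uncovered = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("status") != "blocked":
            continue
        host = rec.get("hostname", "?")
        bucket = covered if is_exempt(host, exempt) else uncovered
        bucket[host].add(rec.get("file", "?"))
    return dict(covered), dict(uncovered)

if __name__ == "__main__":
    covered, uncovered = blocked_by_host(SAMPLE_LOG)
    print("Blocked although the host matches an exempt entry:")
    for host, files in sorted(covered.items()):
        print(f"  {host}: {', '.join(sorted(files))}")
    print("Blocked on hosts outside the exempt list (review before adding):")
    for host, files in sorted(uncovered.items()):
        print(f"  {host}: {', '.join(sorted(files))}")
```

A block on a host that already matches an exempt entry suggests the block comes from a different filter than the URL list, which is the AV-versus-web-filter question raised later in the thread. The suffix match on label boundaries is this script's choice, so `notmicrosoft.com` is not treated as covered by `microsoft.com`.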
    Contributor
    July 21, 2006
    Thanks for the post. Just as you said, the blocked files were coming from Akamai Technologies. I added it to the URL list. I'll find out if it works or not in a day or two. Thanks,
    abelio
    SuperUser
    July 21, 2006
    Hi,
    can anyone help me with whitelisting the Windows Update sites? I have added microsoft.com and windowsupdate.microsoft.com to the URL exempt list but not all of the updates work. I have 4 Fortigate F60s and one F100A with Ver 3.0 OS.
    Try to re-check whether the filtering is triggered by the AV or the WF service.
    I have ocget.dll being blocked due to the antivirus file block list and also some .exe files which I am blocking as well.
    If your profile includes AV/FilePattern blocking you'll need to exempt the dlls/exes you know well, or try to whitelist *.dll and *.exe for each protocol you need. You'll need CLI commands for this; for example, to whitelist ocget.dll for HTTP:
       config antivirus filepattern
           edit "ocget.dll"
               set action allow
               set active http
           next
       end
    Same thing for "*.exe": you could AV-block them only for ftp, im, smtp but not for http by putting "set active ftp im smtp" only; you can't see any of this under the 3.0 webGUI.
    The way I understood it was that if you put a URL on the exempt list it will bypass the antivirus rules. Am I wrong?
    That's true under 2.80; under 3.0 there are several changes to FortiGuard services and filter order; I'm not sure under 3.0; we're in the "learning stage" at this moment about this. Hope it helps,
    Contributor
    July 21, 2006
    Hi Abelio, the example you gave is great but I don't want to allow .exe to be downloaded at all except the ones on the whitelist. Thanks,
    Contributor
    July 24, 2006
    Hello! I have a similar problem with Windows Update. I had the microsoft.com and windowsupdate.com URLs added in Web Filter > URL Exempt before (v2.80 MR11), and Windows updates were working fine. Now I have upgraded the firmware of my FortiGate 500 box to v3.00 MR2, and we don't have the URL Exempt menu in Web Filter anymore. I added microsoft.com and so on to the Web Filter > Content Block > Web Content Exempt list, but WU doesn't work. OK, I can create a rule for ocget.dll, but I can't create a rule for windowsxp-kbXXXXXXXX, for example. There are too many of them and they are all different. How can I allow Windows Update?
    Contributor
    August 17, 2006
    Have a very simple profile in which we do AV, block some file patterns and some other stuff. New computers will hang on windowsupdate forever... no error, no log entry in the fortigate, nothing... Disable the firewall policy, connect to windowsupdate for the first time (when it downloads bits, the new MSI installer n such and the genuine advantage). Reboot, re-enable the profile and all is fine?! What o what is being blocked? Using 2.80... Not using the script filter stuff, so it can't be ActiveX or JavaScript being blocked. FilePattern block _should_ generate a log entry on the fortigate but I don't get anything. File patterns we block are: bat, com, hta, scr, vb?, pif and cpl. Of course AV, all spyware categories, some web category blocks (porn and such, also here no log entries) and spamfilter (all options but the HELO check, as too many SMTP servers don't send the right stuff). Oversize file/email is passed on http & ftp (not on mail protocols). Exempt list is enabled. IPS is active (default config).