Author: mpankovski_FTNT (Staff)
Created on 10-12-2015 03:07 AM
Edited on 07-29-2024 01:51 PM by Jean-Philippe_P
Article Id 198659
Description
This article explains how to configure the exemption of Windows updates from SSL inspection.
Refer to the related article for earlier FortiOS versions.
Scope
FortiOS v7.0+.
Solution
This can be configured through the FortiGate GUI.
- Go to Policy & Objects -> Objects -> Addresses and create an address object of type FQDN for each Windows Update domain.
- Verify that each FQDN address object has resolved to at least one IP address by running the following CLI command (an FQDN object that FortiGate has not yet resolved has no IPs and cannot match any traffic, so the exemption would not apply):
diagnose firewall fqdn list-ip
Example :
diagnose firewall fqdn list-ip | grep windows
fqdn_u 0x546ff743 windowsupdate.microsoft.com: type:(1) ID(99) count(1) generation(1) data_len:13 flag: 1
ip list: (1 ip in total)
ip: 20.72.235.82
Total ip fqdn range blocks: 1.
Total ip fqdn addresses: 1.
- Go to Policy & Objects -> Policy -> SSL/SSH Inspection, select the Full SSL Inspection profile (the built-in deep-inspection profile is read-only, so clone it first if a custom profile is needed) and, under 'Exempt from SSL Inspection', add the address objects created in step 1.
- The list of domains used for Microsoft Updates can be found on the Microsoft website at: https://technet.microsoft.com/en-us/library/cc708605%28v=ws.10%29.aspx
- The default deep-inspection profiles already exempt the Windows Update servers, since FortiGate considers these sites trusted. The steps above are needed when a deep-inspection profile is used that does not carry those exemptions.
- If a deep-inspection profile is used and the Windows Update servers are not exempted from it, the updates fail: Microsoft uses certificate pinning (so that devices only connect to a legitimate Microsoft server, preventing man-in-the-middle attacks), and FortiGate re-signs the server certificate with its own CA, which the Windows Update client therefore rejects. See 'Securing metadata connections': https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-security#securing-metadat....
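The procedure above is a GUI walk-through. The following script, added as an example here and not part of the original article or of Fortinet's own tooling, generates the equivalent FortiOS CLI (FQDN address objects, wildcard-FQDN objects for '*.' entries, and the matching ssl-exempt entries in a cloned profile) for a list of Windows Update domains, and parses `diagnose firewall fqdn list-ip` output to report FQDN objects that have not resolved to any IP and therefore would not exempt anything. The domain list, the profile name 'custom-deep-inspection' and the starting ssl-exempt ID of 100 are assumptions chosen for illustration; the CLI paths follow FortiOS 7.x and should be checked against the running build.

```python
"""Generate FortiOS CLI for Windows Update SSL-inspection exemptions and
check FQDN resolution from `diagnose firewall fqdn list-ip` output.

Added example; not Fortinet code. Host list, profile name and IDs are
assumptions for illustration."""
import re

# Constructed sample list. The authoritative list is Microsoft's
# (see the TechNet link in the article); '*.' entries are wildcards.
UPDATE_HOSTS = [
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "*.windowsupdate.com",
]

# Assumed clone of the read-only built-in 'deep-inspection' profile.
PROFILE = "custom-deep-inspection"


def build_config(hosts, profile=PROFILE, first_id=100):
    """Return FortiOS CLI text creating the address objects and the
    ssl-exempt entries. first_id must be above the IDs already present
    in the cloned profile's ssl-exempt table (assumed: 100 is free)."""
    addr, wild, exempt = [], [], []
    eid = first_id
    for h in hosts:
        if h.startswith("*."):
            # Wildcard FQDNs live in a separate object table and use
            # ssl-exempt type 'wildcard-fqdn'.
            wild += [f'    edit "{h}"',
                     f'        set wildcard-fqdn "{h}"',
                     "    next"]
            exempt += [f"        edit {eid}",
                       "            set type wildcard-fqdn",
                       f'            set wildcard-fqdn "{h}"',
                       "        next"]
        else:
            addr += [f'    edit "{h}"',
                     "        set type fqdn",
                     f'        set fqdn "{h}"',
                     "    next"]
            exempt += [f"        edit {eid}",
                       "            set type address",
                       f'            set address "{h}"',
                       "        next"]
        eid += 1
    out = []
    if addr:
        out += ["config firewall address", *addr, "end"]
    if wild:
        out += ["config firewall wildcard-fqdn custom", *wild, "end"]
    out += ["config firewall ssl-ssh-profile",
            f'    edit "{profile}"',
            "        config ssl-exempt", *exempt, "        end",
            "    next",
            "end"]
    return "\n".join(out) + "\n"


# Line shapes taken from the diagnose output shown in the article.
FQDN_RE = re.compile(r"^fqdn_u\s+0x[0-9a-fA-F]+\s+(\S+?):\s")
IP_RE = re.compile(r"^ip:\s*(\S+)")


def parse_fqdn_list(text):
    """Map each FQDN object name to the list of IPs FortiGate has cached."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = FQDN_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = IP_RE.match(line)
        if m and current is not None:
            result[current].append(m.group(1))
    return result


def unresolved(hosts, text):
    """Plain FQDN hosts with no cached IP (missing object or empty list);
    their exemption would not match. Wildcards are skipped, as they are
    not tracked by this command in the same way."""
    seen = parse_fqdn_list(text)
    return [h for h in hosts if not h.startswith("*.") and not seen.get(h)]


# Constructed sample: the article's entry plus an object with no IPs yet.
SAMPLE_DIAG = """\
fqdn_u 0x546ff743 windowsupdate.microsoft.com: type:(1) ID(99) count(1) generation(1) data_len:13 flag: 1
ip list: (1 ip in total)
ip: 20.72.235.82
fqdn_u 0x546ff744 update.microsoft.com: type:(1) ID(100) count(0) generation(1) data_len:13 flag: 1
ip list: (0 ip in total)
Total ip fqdn range blocks: 1.
Total ip fqdn addresses: 1.
"""

if __name__ == "__main__":
    print(build_config(UPDATE_HOSTS))
    print("unresolved:", unresolved(UPDATE_HOSTS, SAMPLE_DIAG))
```

Paste the generated CLI into the FortiGate after cloning the profile; then run `diagnose firewall fqdn list-ip`, feed the output to `unresolved()`, and fix DNS on the FortiGate for any host it reports before relying on the exemption.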
Related Article:
Technical Note : FortiOS How to use SSL exemption for Microsoft Windows Updates