Description | This article describes how to allow routing using ISDB and FQDN objects for Microsoft update purposes. |
Scope | FortiOS. |
Solution |
FortiGate routing can be restricted to a specific destination, such as the Microsoft update services. ISDB can be used for this rather than defining every IP address individually.
However, be aware that not every IP address can be listed in the FortiGuard ISDB (Internet Service Database).
Reason: the Microsoft Update service is hosted on a CDN, which includes dynamically assigned IP addresses. These IP addresses change constantly and are not published. ISDB, meanwhile, is a static IP-based database service, which cannot handle dynamic IP addresses or FQDNs directly.
It is suggested to use an FQDN address as a complementary method to retrieve the latest IP addresses resolved from specific domains in the local environment.
Look at this update regularly in order to maintain your connection to Microsoft:
How to add a complementary configuration for this case:
1) Create an FQDN object and enable 'static route configuration' on it.
2) Create an address group if there is more than one FQDN object (optional):
3) Add this FQDN object or this address group to a static route - 3.a) or 3.b).
3.a) This works only when there is only an FQDN object.
3.b) This works only when there is an address group.
Note: proper firewall policy will be required to handle the traffic correctly (not covered in this KB).
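The three steps above as a FortiOS CLI sketch. This is an added example, not configuration taken from the original article: the object names, the two FQDNs, the route sequence number, the gateway 192.0.2.1 and the interface "wan1" are assumed placeholder values to replace with those of the local environment.

```fortios
# Step 1: FQDN objects with 'static route configuration' enabled
# (allow-routing). Object names and FQDNs are assumed sample values.
config firewall address
    edit "MS-Update-FQDN-1"
        set type fqdn
        set fqdn "windowsupdate.microsoft.com"
        set allow-routing enable
    next
    edit "MS-Update-FQDN-2"
        set type fqdn
        set fqdn "update.microsoft.com"
        set allow-routing enable
    next
end

# Step 2 (optional): address group for more than one FQDN object.
# The group needs allow-routing enabled as well as its members.
config firewall addrgrp
    edit "MS-Update-Group"
        set member "MS-Update-FQDN-1" "MS-Update-FQDN-2"
        set allow-routing enable
    next
end

# Step 3.b: static route whose destination is the address group.
# For step 3.a, set dstaddr to the single FQDN object instead.
# Sequence number, gateway and device are assumed placeholders.
config router static
    edit 10
        set dstaddr "MS-Update-Group"
        set gateway 192.0.2.1
        set device "wan1"
    next
end
```

After applying, `diagnose firewall fqdn list` shows the addresses currently resolved for each FQDN object, and `get router info routing-table all` shows whether routes for those addresses were installed.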
Related Article: Technical Tip: Custom Internet Service Database (I... - Fortinet Community |