Jonathan_Body_FTNT
Article Id 192825

Description

 

This article explains how to use SSL exemption for Microsoft Windows Update sites.


Scope

 

FortiOS (supported versions).


Solution

 

By default, Windows Update servers (identified by their certificate) are exempt from deep SSL inspection. FortiGate treats these destinations as trusted, so no further UTM checks are performed on these connections. As a result, Windows updates succeed in the default configuration without certificate warnings or UTM actions, even when the Windows client does not trust the FortiGate's deep inspection Certificate Authority.

 

Some Windows installations also require an additional SSL exemption for 'go.microsoft.com' in order for updates to succeed, as shown below.

 

config firewall address
    edit "go.microsoft.com"
        set type fqdn
        set fqdn "go.microsoft.com"
    next
end
 
config firewall ssl-ssh-profile
    edit <deep inspection profile>
        config ssl-exempt
            edit 0
                set type address
                set address "go.microsoft.com"
            next
        end
    next
end

 

SSL exemptions are configured as described in the article Technical Tip: Exempting applications/domains/websites from Deep SSL Inspection.

 

To block or inspect Windows updates, the matching SSL exemptions must be removed. Once they are removed, the action configured in the Application Control profile (Block, Reset, etc.) is applied. If the SSL exemptions remain in place, Application Control will still correctly detect the application type but will not take any action on it.

 

A commonly reported problem is that Application Control with a Block action correctly detects the application ('app="MS.Windows.Update"'), yet the logs show 'action="pass"'.
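The symptom above (application detected, action logged as pass) can be found in the logs rather than waited for. The following script is an added example and is not part of this Fortinet article or of FortiOS. It parses FortiGate app-ctrl log lines in their key="value" form, flags hits for applications the policy intends to block that were nevertheless logged with action="pass", and matches the logged hostname against a list of SSL-exempt entries so the operator can see which exemption explains the bypass. The log lines, the exempt list entries other than 'go.microsoft.com', and the function names are constructed for the example; the wildcard matching is a simplified stand-in for FortiOS address matching.

```python
"""Flag Application Control 'block' hits that were logged as action=pass.

Added example (not from the Fortinet KB article). Sample log lines and the
SSL-exempt list below are constructed; 'go.microsoft.com' is the entry the
article adds, the wildcard entries are assumptions for illustration only.
"""
import fnmatch
import re
from typing import Dict, Iterable, List, Optional, Tuple

# FortiGate syslog fields are key="quoted value" or key=bare_value pairs.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed app-ctrl log lines, modelled on the FortiGate UTM log layout.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'srcip=10.0.0.5 dstip=203.0.113.10 hostname="download.windowsupdate.com" '
    'app="MS.Windows.Update" action="pass" policyid=1',
    'date=2024-01-01 time=10:00:02 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'srcip=10.0.0.5 dstip=203.0.113.11 hostname="go.microsoft.com" '
    'app="MS.Windows.Update" action="pass" policyid=1',
    'date=2024-01-01 time=10:00:03 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'srcip=10.0.0.6 dstip=198.51.100.7 hostname="update-cdn.example.net" '
    'app="MS.Windows.Update" action="block" policyid=1',
    'date=2024-01-01 time=10:00:04 type="utm" subtype="webfilter" eventtype="ftgd_allow" '
    'srcip=10.0.0.7 hostname="go.microsoft.com" action="passthrough" policyid=1',
]

# Constructed SSL-exempt list: the article's address plus two assumed wildcards.
EXEMPT = ["*.windowsupdate.com", "*.update.microsoft.com", "go.microsoft.com"]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Turn one FortiGate key=value log line into a dict, unquoting values."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def matching_exemption(hostname: str, exempt: Iterable[str]) -> Optional[str]:
    """Return the exempt FQDN / wildcard FQDN covering hostname, or None.

    Simplified matcher: shell-style wildcards, case-insensitive, trailing dot
    ignored. Real FortiOS address matching is richer than this.
    """
    host = hostname.lower().rstrip(".")
    for pattern in exempt:
        if fnmatch.fnmatchcase(host, pattern.lower()):
            return pattern
    return None


def find_exempt_bypasses(
    lines: Iterable[str], blocked_apps: Iterable[str], exempt: Iterable[str]
) -> List[Tuple[Dict[str, str], Optional[str]]]:
    """Collect app-ctrl logs for apps meant to be blocked that show action=pass.

    Each finding is (parsed_fields, exemption_that_matched_or_None); a None
    exemption means the pass needs another explanation than SSL exemption.
    """
    blocked = set(blocked_apps)
    findings = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("subtype") != "app-ctrl":
            continue  # only Application Control events matter here
        if f.get("app") in blocked and f.get("action") == "pass":
            findings.append((f, matching_exemption(f.get("hostname", ""), exempt)))
    return findings


if __name__ == "__main__":
    for fields, exemption in find_exempt_bypasses(SAMPLE_LOGS, {"MS.Windows.Update"}, EXEMPT):
        why = f"covered by SSL exemption '{exemption}'" if exemption else "no exemption matched"
        print(f"{fields['srcip']} -> {fields['hostname']}: {fields['app']} passed; {why}")
```

Run against a syslog export of app-ctrl events with the application names your profile blocks; every line printed with a matching exemption is a case where removing that SSL exemption (or, in proxy mode, relying on post-exemption UTM inspection) is what will make the Block action take effect.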

 

Notes:

  • This applies to all applications that are intended to be blocked through Application Control. Sites and domains that are exempt from SSL inspection (considered trusted) will bypass an Application Control profile configured with the actions 'block' or 'reset'.

  • In flow-based inspection mode, destinations that are 'Exempt from SSL Inspection' within the SSL Inspection profile are also exempt from subsequent UTM inspection (described in this KB article).

  • In proxy-based inspection mode, destinations that are 'Exempt from SSL Inspection' within the SSL Inspection profile are exempt from SSL deep inspection, but subsequent UTM inspection applies.