Created on 04-12-2011 07:09 AM Edited on 11-16-2023 10:52 PM By Anthony_E
Description
This article explains how to use SSL exemption for Microsoft Windows Update sites.
Scope
FortiOS (supported versions).
Solution
If there is a requirement to block Windows updates, the SSL exemptions need to be removed. Once they are removed, the actions set in the Application Control profile will be applied (Block, Reset, etc.). If the SSL exemptions are not removed, Application Control will not take any action, although it will still correctly detect the type of application.
The commonly reported problem is that Application Control with the Block action correctly detects the application (app="MS.Windows.Update"), yet the logs show action="pass".
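The symptom above can be checked for in exported logs. The following is an added example, not part of the original article: it scans key=value log lines for applications that are meant to be blocked but were logged with action="pass", grouped by destination so the matching exemption can be located. The sample lines are constructed, and every field other than app and action (hostname, policyid, and so on) is an assumption about the log format.

```python
import re
from collections import Counter

# Matches key=value and key="quoted value" pairs in a log line.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def passed_despite_block(lines, blocked_apps):
    """Count entries where an app that should be blocked was detected but passed.

    blocked_apps: application names the operator set to Block/Reset in the
    Application Control profile (supplied by the caller, not read from the device).
    Returns a Counter keyed by (app, hostname).
    """
    hits = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields.get("app") in blocked_apps and fields.get("action") == "pass":
            # hostname is an assumed field; "?" marks entries without it.
            hits[(fields["app"], fields.get("hostname", "?"))] += 1
    return hits


# Constructed sample log lines (not taken from a real device).
SAMPLE_LOG = [
    'date=2023-11-16 time=10:00:01 subtype="app-ctrl" policyid=1 '
    'app="MS.Windows.Update" hostname="wu.example.test" action="pass"',
    'date=2023-11-16 time=10:00:07 subtype="app-ctrl" policyid=1 '
    'app="MS.Windows.Update" hostname="wu.example.test" action="pass"',
    'date=2023-11-16 time=10:01:12 subtype="app-ctrl" policyid=2 '
    'app="MS.Windows.Update" hostname="dl.example.test" action="block"',
    'date=2023-11-16 time=10:02:30 subtype="app-ctrl" policyid=1 '
    'app="HTTPS.BROWSER" hostname="www.example.test" action="pass"',
]

if __name__ == "__main__":
    for (app, host), count in passed_despite_block(
        SAMPLE_LOG, {"MS.Windows.Update"}
    ).items():
        print(f"{app} passed {count}x to {host}: check the SSL exemption list")
```

Each destination reported is a candidate entry to look for in the 'Exempt from SSL Inspection' list of the SSL Inspection profile applied to that policy.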
Note:
This applies to all applications that are intended to be blocked through Application Control. A site/domain that is exempt from SSL inspection (considered to be trusted) will bypass an Application Control profile configured with the actions 'block' or 'reset'.
Note 2:
In flow-based inspection mode, destinations that are 'Exempt from SSL Inspection' within the SSL Inspection profile are also exempt from subsequent UTM inspection (described in this KB article).
In proxy-based inspection mode, destinations that are 'Exempt from SSL Inspection' within the SSL Inspection profile are exempt from SSL deep inspection, but subsequent UTM inspection applies.