Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- SSL Inspection blocks Windows Update despite exemp...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL Inspection blocks Windows Update despite exemptions (Windows 10),
FortiOS 5.2.11 on FGT 60D
I'm attempting to re-introduce deep inspection of outbound traffic from laptops used on our network following a long standing ssl inspection issue being patched.
The ssl inspection configuration and exemptions we had in place prior to the bug allowed laptops to run Windows Update without issue.
Currently on my laptop (Windows 10 Pro) Windows Update fails with error 0x80240437 when run from behind the Fortigate; if I run from within our guest network (which is not behind a Fortigate / SSL inspection) it completes successfully.
I can see in the WindowsUpdate.log that this is (probably) down to a certificate check failure:
2017/07/19 10:36:59.4330139 16176 14616 IdleTimer [0]3F30.3918::07/19/2017-10:36:59.433 [agent]WU operation (CAgentProtocolTalker::SyncUpdates_WithRecover) started; operation # 10; does<NULL> use network; is<NULL> at background priority<NULL>
2017/07/19 10:36:59.4330826 16176 14616 WebServices [0]3F30.3918::07/19/2017-10:36:59.433 [webserviceinfra]Auto proxy settings for this web service call.
2017/07/19 10:37:00.4889480 16176 14616 WebServices [0]3F30.3918::07/19/2017-10:37:00.488 [client]Certificate failed SSL intermediate CA check.
2017/07/19 10:37:00.4890632 16176 14616 WebServices [0]3F30.3918::07/19/2017-10:37:00.489 [webserviceinfra]WS error: There was an error communicating with the endpoint at 'https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx'.
2017/07/19 10:37:00.4890703 16176 14616 WebServices [0]3F30.3918::07/19/2017-10:37:00.489 [webserviceinfra]Web service call failed with hr = 80240437.
I've spent numerous hours trying to resolve this, however I cannot see what I am missing despite an ever expanding list of exemptions under my "WindowsUpdate" address group:
config firewall ssl-ssh-profile
edit "deep-inspection"
set comment "Deep inspection."
config https
set ports 443
end
config ftps
set ports 990
end
config imaps
set ports 993
end
config pop3s
set ports 995
set status disable
end
config smtps
set ports 465
end
config ssl-exempt
<snipped for brevity>
edit 27
set type address
set address "WindowsUpdate"
end
set caname "DPI"
set ssl-invalid-server-cert-log enable
end
config firewall addrgrp
edit "WindowsUpdate"
set uuid 38db89c2-e371-51e4-1f5b-c23edb9bdf46
set member "*.download.windowsupdate.com" "*.update.microsoft.com" "*.windowsupdate.com" "*.windowsupdate.microsoft.com" "download.microsoft.com" "download.windowsupdate.com" "ds.download.windowsupdate.com" "msftncsi.com" "ntservicepack.microsoft.com" "stats.update.microsoft.com" "test.stats.update.microsoft.com" "update.microsoft.com" "windowsupdate.microsoft.com" "wustat.windows.com" "crl.microsoft.com" "ctldl.windowsupdate.com" "au.download.windowsupdate.com" "fe2.update.microsoft.com" "AkamaiContentDelivery" "delivery_mp_microsoft_com" "ws_microsoft_com" "fe3_update_microsoft_com" "sls_microsoft_com"
end
For servers we use a separate application control policy to allow updates that is only enabled during maintenance windows; laptop web traffic is not restricted, we simply wish to scan HTTPS for IPS / AV purposes.
My guess is that some additional mechanisms have been introduced by Microsoft since we last had this policy enabled for laptops - I'd appreciate any pointers from the community at this stage.
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello CodeMonkey,
Can you do a packet capture with the settings you have right now? I can identify which session was blocked by the IPS Engine for you. We just have to look for sessions where the Fortigate replaces the SSL Certificate. You can send it to me at my email at hmtay@fortinet.com
Homing
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For completeness, the address group members:
config firewall address
edit "*.download.windowsupdate.com"
set uuid d38ab5ee-e2b6-51e4-6811-7ee23f1e5878
set type fqdn
set fqdn "*.download.windowsupdate.com"
next
edit "*.update.microsoft.com"
set uuid 7ed92d50-e2b6-51e4-0a3d-207abf35eb4d
set type fqdn
set fqdn "*.update.microsoft.com"
next
edit "*.windowsupdate.com"
set uuid 8f997938-e2b6-51e4-ebad-5f46365f3ab4
set type fqdn
set fqdn "*.windowsupdate.com"
next
edit "*.windowsupdate.microsoft.com"
set uuid 66ebdab2-e2b6-51e4-0205-d64a7fc3836a
set type fqdn
set fqdn "*.windowsupdate.microsoft.com"
set uuid bda89f7a-e2b6-51e4-ac56-3a6fe6fa1547
next
edit "download.microsoft.com"
set type fqdn
set fqdn "download.microsoft.com"
next
edit "download.windowsupdate.com"
set uuid a04589b6-e2b6-51e4-8380-45c0c9fb0079
set type fqdn
set fqdn "download.windowsupdate.com"
next
edit "ds.download.windowsupdate.com"
set uuid 3eb02cd2-e361-51e4-9f9d-f30206ea75e1
set type fqdn
set fqdn "ds.download.windowsupdate.com"
next
edit "msftncsi.com"
set uuid 1e7ec04a-e2b7-51e4-fab0-ee96a6805e60
set type fqdn
set fqdn "msftncsi.com"
next
edit "ntservicepack.microsoft.com"
set uuid 0b511536-e2b7-51e4-c03e-fe226297dac7
set type fqdn
set fqdn "ntservicepack.microsoft.com"
next
edit "stats.update.microsoft.com"
set uuid f4afa0d6-e2b6-51e4-2c03-d7c1c23a31a0
set type fqdn
set fqdn "stats.update.microsoft.com"
next
edit "test.stats.update.microsoft.com"
set uuid 14ac0860-e358-51e4-fee2-a9d3c2029924
set type fqdn
set fqdn "test.stats.update.microsoft.com"
next
edit "update.microsoft.com"
set uuid b1948a3a-9ffb-51e4-f60b-81a1028a1e41
set type fqdn
set fqdn "update.microsoft.com"
next
edit "windowsupdate.microsoft.com"
set uuid 53e9615a-e2b6-51e4-0a82-3dff7b063060
set type fqdn
set fqdn "windowsupdate.microsoft.com"
next
edit "wustat.windows.com"
set uuid 3118405a-e2b7-51e4-2db2-7282d055c0b5
set type fqdn
set fqdn "wustat.windows.com"
next
edit "crl.microsoft.com"
set uuid 3fffce5e-e379-51e4-1a51-784f8b01b019
set type fqdn
set fqdn "crl.microsoft.com"
next
edit "ctldl.windowsupdate.com"
set uuid 4ff14cde-e379-51e4-d24e-a52781fd37b5
set type fqdn
set fqdn "ctldl.windowsupdate.com"
next
edit "au.download.windowsupdate.com"
set uuid 2dd995fc-e379-51e4-59dd-5842c00704a4
set type fqdn
set fqdn "au.download.windowsupdate.com"
next
edit "fe2.update.microsoft.com"
set uuid 0037da80-fc8a-51e4-e1b9-eaef59739967
set type fqdn
set fqdn "fe2.update.microsoft.com"
next
edit "AkamaiContentDelivery"
set uuid 220095f8-2c5a-51e5-797a-63c7cee9ab2e
set member "AkamaiContent1" "AkamaiContent2"
set comment "Akamai content delivery network"
next
edit "AkamaiContent1"
set uuid ebe86900-2c59-51e5-b90f-0a21d8b4f988
set type fqdn
set comment "Akamai content delivery network"
set associated-interface "wan1"
set fqdn "*.deploy.akamaitechnologies.com"
next
edit "AkamaiContent2"
set uuid 03d551f4-2c5a-51e5-f53e-866580e98268
set type fqdn
set comment "Akamai content delivery network"
set associated-interface "wan1"
set fqdn "*.deploy.static.akamaitechnologies.com"
next
edit "delivery_mp_microsoft_com"
set uuid ac65c496-6b9d-51e7-cd20-8932289339c0
set type fqdn
set fqdn "*.delivery.mp.microsoft.com"
next
edit "ws_microsoft_com"
set uuid ea0fef4c-6bcf-51e7-35de-8f16af209be7
set type fqdn
set fqdn "*.ws.microsoft.com"
next
edit "fe3_update_microsoft_com"
set uuid 9d42cebe-6c56-51e7-dadf-f7be7034f1a7
set type fqdn
set fqdn "fe3.update.microsoft.com"
next
edit "sls_microsoft_com"
set uuid 83a23cce-6c65-51e7-e0cd-88664b237127
set type fqdn
set fqdn "*.sls.microsoft.com"
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello CodeMonkey,
Can you do a packet capture with the settings you have right now? I can identify which session was blocked by the IPS Engine for you. We just have to look for sessions where the Fortigate replaces the SSL Certificate. You can send it to me at my email at hmtay@fortinet.com
Homing
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hmtay wrote:Hello CodeMonkey,
Can you do a packet capture with the settings you have right now? I can identify which session was blocked by the IPS Engine for you. We just have to look for sessions where the Fortigate replaces the SSL Certificate. You can send it to me at my email at hmtay@fortinet.com
Homing
Hi Homing,
Thanks for the offer, but I now have a ticket open with support to help me resolve this.
I think it's probably better I proceed with debugging via the ticket.
I'll update this thread with the solution once resolved.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the end it appears that there was a simple solution to this - one that I'm told now ships as part of the default configuration.
I had to add a wildcard FQDN object for *.microsoft.com and include it in the exemptions.
This in turn enabled me to get rid of some redundant FQDNs from exemptions:
fe2.update.microsoft.com
*.deploy.akamaitechnologies.com *.deploy.static.akamaitechnologies.com *.delivery.mp.microsoft.com
*.ws.microsoft.com fe3.update.microsoft.com *.sls.microsoft.com
All seems well with the revised configuration having tested against Windows Update on multiple laptops (Windows 10, Windows 8 Pro).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi CodeMonkey,
Is this working for you? I am trying to do something similar. I want to enable outbound HTTP/HTTPS traffic to Windows Update, but block other traffic.
I tried using FQDN records but due to CDN the firewall and servers end up getting different IP addresses sometimes - even when using the same DNS resolver.
I do see you have a few names in your list that I don't have in mine, so was curious if it's been stable for you using that addrgrp you have. Also, how did you come to know those Akamai records? I haven't seen those in postings about Windows Update domain names.
Thanks,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ergotherego,
Yes, I have Windows Update working successfully in the scenario covered in this thread.
Regarding the additional names I have - they may not all be relevant at this time but they seemed to be when I first looked to install our Fortigates a couple of years ago. Things have obviously moved on since then hence my need to post on this subject.
Regarding your situation I'm not really sure what to suggest, as we allow all web traffic for the laptops (excluding known bad actors using web filters etc.). Perhaps a separate policy using application control might be more appropriate for your needs? We use this approach for windows updates on servers, with specific policies permitting Windows Updates traffic enabled during maintenance windows only.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,688 -
FortiClient
1,760 -
5.2
801 -
FortiManager
728 -
5.4
639 -
FortiAnalyzer
557 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
431 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
244 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1712 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.