Chura
New Contributor

Windows Update only

Hi, I'm using a 1500D and trying to allow only one of the servers to use Windows Update. I tried making an HTTP+S service with only Windows Update allowed, but it didn't work :( Any suggestions? BTW, I don't have an IPS license. Is it required for using Application Control?

//Chura CCIE, NSE7, CCSE+
pcraponi
Contributor II

Yes... IPS and App. Control are the "same feature". You need to be licensed to update signatures. You could try creating some FQDN addresses such as "windowsupdate.com", "update.microsoft.com", etc., and use them in a firewall rule instead of App. Control.

Regards, Paulo Raponi
Dave_Hall
Honored Contributor

If I recall correctly, you can still use Application Control sensors, but the signatures themselves will not be updated. If you choose this approach, you will need to allow updates through (when you create the app sensor). As for the old-fashioned approach (as indicated by Paulo), you can create FQDN entries and group them together, then create a firewall policy and move it up the firewall chain; from a config-file perspective, it looks something like this...
 config firewall address
     edit "update.microsoft.com"
         set associated-interface "WAN"
         set type fqdn
         set fqdn "update.microsoft.com"
     next
     edit "download.windowsupdate.com"
         set associated-interface "WAN"
         set type fqdn
         set fqdn "download.windowsupdate.com"
     next
     edit "windowsupdate.microsoft.com"
         set associated-interface "WAN"
         set type fqdn
         set fqdn "windowsupdate.microsoft.com"
     next
     edit "msftncsi"
         set type fqdn
         set fqdn "www.msftncsi.com"
     next
     edit "download.microsoft.com"
         set type fqdn
         set fqdn "download.microsoft.com"
     next
     edit "wustat.windows.com"
         set type fqdn
         set fqdn "wustat.windows.com"
     next
     edit "ntservicepack.microsoft.com"
         set type fqdn
         set fqdn "ntservicepack.microsoft.com"
     next
 end
 config firewall addrgrp
     edit "Windows Updates"
         set member "download.windowsupdate.com" "update.microsoft.com" "windowsupdate.microsoft.com" "download.microsoft.com" "ntservicepack.microsoft.com" "wustat.windows.com" "msftncsi"
     next
 end
 config firewall policy
     edit 1
         set srcintf "internal_net"
         set dstintf "WAN"
         set srcaddr "all"
         set dstaddr "Windows Updates"
         set action accept
         set schedule "always"
         set service "ANY"
         set nat enable
     next
 end
However, Microsoft have moved most of their services to other content providers, so the above may not work (as well as it once did). The Application Control sensor seems to work better (IMHO).

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
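The snippet above is a set of cross-referencing objects (addresses, a group that names them, a policy that names the group), and a typo in any name breaks the chain silently when a config file is edited by hand. The following is an added example (not Fortinet code, and not from the post above): a small parser for this `config / edit / set / next / end` layout plus a check that every address-group member and policy address resolves to a defined object. The sample input is a shortened copy of the snippet from the post (three of the seven FQDN objects); the "broken" variant with a misspelled member is constructed here to show what the check reports.

```python
"""Parse a FortiOS address/addrgrp/policy snippet and verify its references.

Added example for this thread; it is not Fortinet code and only understands
the flat `config ... edit ... set ... next ... end` layout used in the post
(nested `config` blocks inside an `edit` are not handled).
"""
import shlex
from typing import Dict, List

# {table name: {entry name: {setting: [values]}}}
ConfigTree = Dict[str, Dict[str, Dict[str, List[str]]]]

# Shortened copy of the snippet from the post above, used as sample input.
SAMPLE_CONFIG = """
config firewall address
    edit "update.microsoft.com"
        set associated-interface "WAN"
        set type fqdn
        set fqdn "update.microsoft.com"
    next
    edit "download.windowsupdate.com"
        set type fqdn
        set fqdn "download.windowsupdate.com"
    next
    edit "msftncsi"
        set type fqdn
        set fqdn "www.msftncsi.com"
    next
end
config firewall addrgrp
    edit "Windows Updates"
        set member "download.windowsupdate.com" "update.microsoft.com" "msftncsi"
    next
end
config firewall policy
    edit 1
        set srcintf "internal_net"
        set dstintf "WAN"
        set srcaddr "all"
        set dstaddr "Windows Updates"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
"""

# Constructed broken variant: the group refers to an object that was never
# defined (one letter dropped from "windowsupdate").
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    'set member "download.windowsupdate.com"',
    'set member "download.windowupdate.com"',
)


def parse_fortios(text: str) -> ConfigTree:
    """Build a ConfigTree from CLI text; shlex handles the quoted names."""
    tables: ConfigTree = {}
    table = entry = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            table = " ".join(args)
            tables.setdefault(table, {})
        elif keyword == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif keyword == "set":
            # settings outside an "edit" (global tables) land under the "" entry
            tables[table].setdefault(entry or "", {})[args[0]] = args[1:]
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            table = None
    return tables


def resolve_members(cfg: ConfigTree, name: str) -> List[str]:
    """Expand an address or group name into the FQDNs it stands for."""
    addresses = cfg.get("firewall address", {})
    groups = cfg.get("firewall addrgrp", {})
    if name in addresses:
        return addresses[name].get("fqdn", [name])  # non-FQDN objects keep their name
    if name in groups:
        fqdns: List[str] = []
        for member in groups[name].get("member", []):
            fqdns.extend(resolve_members(cfg, member))  # groups may nest groups
        return fqdns
    raise KeyError(f"unknown address object: {name}")


def check_references(cfg: ConfigTree) -> List[str]:
    """Return dangling references; an empty list means the snippet is consistent."""
    addresses = cfg.get("firewall address", {})
    groups = cfg.get("firewall addrgrp", {})
    known = set(addresses) | set(groups) | {"all"}  # "all" is a built-in object
    problems: List[str] = []
    for gname, group in groups.items():
        for member in group.get("member", []):
            if member not in known:
                problems.append(f'addrgrp "{gname}": unknown member "{member}"')
    for pid, policy in cfg.get("firewall policy", {}).items():
        for key in ("srcaddr", "dstaddr"):
            for obj in policy.get(key, []):
                if obj not in known:
                    problems.append(f'policy {pid}: unknown {key} "{obj}"')
    return problems


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("destinations:", resolve_members(cfg, "Windows Updates"))
    print("problems:", check_references(cfg) or "none")
    print("broken:", check_references(parse_fortios(BROKEN_CONFIG)))
```

Two practical notes on the approach itself: the policy in the post uses `service "ANY"`, so the group limits where the server may go but not which ports it may use; Windows Update only needs HTTP and HTTPS, so a tighter service is a cheap improvement. And FQDN objects are resolved by the FortiGate's own DNS lookups, so if the server resolves a CDN hostname to a different address than the firewall does, the policy will miss, which is one reason the thread reports the FQDN approach degrading over time.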
Chura
New Contributor

Hi, thanks for the prompt replies. I have updated the signatures manually :) The FQDN approach doesn't work because M$ is using CDNs and many sub-sub-domains, and I can't track them all. I've tried using App Control on ports HTTP+HTTPS and marked all Windows Update signatures there, but it didn't work :(

//Chura CCIE, NSE7, CCSE+
NKL
New Contributor III

I'm using a URL filter (or "Web Site Filter", as it is called nowadays), where I have defined all URLs mentioned at http://technet.microsoft.com/en-us/library/dd939870%28WS.10%29.aspx . Just use types "Simple" and/or "Wildcard", and make sure that the last entry in the list is "URL: .* ; Type: Regex; Action: Block". When using deep inspection, I found out it is important to set the action for the MS URLs to "Exempt" instead of "Allow".
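The post above depends on two things that are easy to get wrong: the list is evaluated top-down with the first match winning, so the catch-all `.*` block must be last, and the Microsoft entries need "Exempt" rather than "Allow" under deep inspection. The following is an added example (not FortiGate code and not from the post) that models a URL-filter list with Simple, Wildcard and Regex entries, evaluates URLs against it, and flags a catch-all that is not in last position. The matching rules are an approximation of the FortiGate behaviour (a Simple hostname entry covers every page under that host; Wildcard uses `*`; Regex is an unanchored search), and the hostnames are the ones already named in this thread, with the wildcard entries constructed here.

```python
"""Model of an ordered URL-filter list: first matching entry decides.

Added example for this thread; it is not FortiGate code. Matching semantics
are an approximation of the real product, stated in the comments.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class UrlFilterEntry:
    pattern: str
    kind: str    # "simple" | "wildcard" | "regex"
    action: str  # "allow" | "exempt" | "block" | "monitor"


# Hostnames named in this thread; the wildcard entries are constructed here to
# cover the CDN sub-sub-domains the original poster could not track by hand.
WINDOWS_UPDATE_HOSTS = [
    "windowsupdate.microsoft.com", "download.windowsupdate.com",
    "update.microsoft.com", "download.microsoft.com",
    "wustat.windows.com", "ntservicepack.microsoft.com", "www.msftncsi.com",
]
WINDOWS_UPDATE_WILDCARDS = ["*.windowsupdate.com", "*.update.microsoft.com"]


def _split(url: str) -> Tuple[str, str]:
    """Return (host, host+path) in lower case; scheme is optional in the input."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    return host, host + parts.path.lower()


def matches(entry: UrlFilterEntry, url: str) -> bool:
    host, target = _split(url)
    if entry.kind == "simple":
        # A hostname (or host/path prefix) entry covers that page and everything under it.
        pat = entry.pattern.lower().rstrip("/")
        return target == pat or target.startswith(pat + "/")
    if entry.kind == "wildcard":
        pat = entry.pattern.lower()
        return fnmatchcase(host, pat) or fnmatchcase(target, pat)
    if entry.kind == "regex":
        return re.search(entry.pattern, target) is not None
    raise ValueError(f"unknown entry type: {entry.kind}")


def evaluate(entries: List[UrlFilterEntry], url: str) -> Tuple[Optional[str], Optional[UrlFilterEntry]]:
    """Top-down, first match wins. (None, None) means no entry matched and the
    request would continue to the rest of the web-filter profile."""
    for entry in entries:
        if matches(entry, url):
            return entry.action, entry
    return None, None


def build_filter(ms_action: str = "exempt") -> List[UrlFilterEntry]:
    """The list the post describes: Microsoft entries first, catch-all block last.
    "exempt" is used because, with deep inspection on, "allow" would still send
    the session through the remaining inspection, which the post reports breaking updates."""
    entries = [UrlFilterEntry(h, "simple", ms_action) for h in WINDOWS_UPDATE_HOSTS]
    entries += [UrlFilterEntry(w, "wildcard", ms_action) for w in WINDOWS_UPDATE_WILDCARDS]
    entries.append(UrlFilterEntry(".*", "regex", "block"))  # must stay last
    return entries


def lint_order(entries: List[UrlFilterEntry]) -> List[str]:
    """Flag a catch-all regex that is not the final entry: everything after it is dead."""
    problems = []
    last = len(entries) - 1
    for i, entry in enumerate(entries):
        if entry.kind == "regex" and entry.pattern == ".*" and i != last:
            problems.append(f"entry {i}: catch-all '.*' shadows {last - i} later entries")
    return problems


if __name__ == "__main__":
    good = build_filter()
    for url in ("https://au.download.windowsupdate.com/x.cab", "http://www.example.com/"):
        print(url, "->", evaluate(good, url)[0])
    # Same entries with the catch-all moved to the top: everything is blocked.
    bad = [good[-1]] + good[:-1]
    print(lint_order(bad), evaluate(bad, "https://update.microsoft.com/")[0])
```

The `lint_order` check is the piece worth keeping around: a catch-all that drifts upwards when entries are re-ordered in the GUI produces exactly the "updates suddenly stopped" symptom, and a block-everything-else list is otherwise hard to tell apart from a correct one by reading it.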
Dave_Hall
Honored Contributor

I've tried using App Control on Port HTTP+HTTPS and marked all windows update there, but it didn't work :(
Been using all&all updates via App control with no problems (so far). (see attached pic). Fixed NKL's link: http://technet.microsoft.com/en-us/library/dd939870%28WS.10%29.aspx

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Chura
New Contributor

Hi, the current way I'm using is web filtering, but my company auditor doesn't like this approach. I'll check the app control again.

//Chura CCIE, NSE7, CCSE+
MikePruett
Valued Contributor

Create an application control sensor that blocks all applications. Under the override section put the windows update signature and list it as allow.

Apply this to a policy that allows your servers to go out to the internet for windows update.

Note that this is only useful in this type of deployment if Windows Update is the ONLY application they need access to.

Mike Pruett Fortinet GURU | Fortinet Training Videos
NeilG

I used to have

This used to work for me, but as of June 30th there are now a number of IP addresses that are classified as Collaboration or Microsoft.Portal rather than Windows.Update and are thus being blocked.

FTG-60D 5.2.5 (and have since upgraded to 5.2.7 with the same results)

Mind you, my rules for only allowing windows updates had been working for months, and my first reports of it not working began July 1st.

Not sure if that is helpful.
