
Windows Updates

I am setting up some new WIN2000 boxes from scratch behind a Fortigate 200. Once I have the operating system up and running, I run the Windows Update. All but the last two updates work fine, but the systems fail to install the latest two WIN2K updates. When I disable A/V and Firewall (see attached image), the updates install without a problem. How do I program the Fortigate to allow Windows Update to work properly (without disabling A/V)?
21 REPLIES

No, the update site is quite fast from another location without a FortiGate. It's in this case not a Microsoft problem ;-) /Detlef

Lucky you are! :) Here it is a pain in the...

Note for any of you looking for a better way to administer those computers: unless you need harsh policies, I set AV to scan mode, not block mode; this way it simply checks. Now, if you're still having problems with those Windows updates, Microsoft recommends that you run SUS. I don't remember what that stands for, but it's your own corporate Windows Update. You have one server that gets all the updates and serves them out to your clients. You simply need to install the update on your clients that will make them connect to the SUS server. Then simply check daily and approve the updates that you want automatically deployed. Much easier. Saves on network traffic and FW CPU time as well.

FReEx is talking about Software Update Services. It's something that every company that is serious about security should look into ...seriously. Anyway, you can find information about it here: http://www.microsoft.com/windowsserversystem/sus/

It may be a bit off-topic here, but I have to say this: some years ago we were glad about running machines without updates every week. "Never touch a running system" is a true word. I lost one server ("only" a connector server for mail) during a security update. EVERY update is a risk for your machines. And every server reboot because of an update makes me a bit nervous. You see the boot screen, you see the Windows screen and .... bang? No, it's running, thank you, god of bits and bytes. As mentioned: a bit off-topic. /Detlef

I see your point, but there are two sides to the coin. Q) Why are there Windows updates? A) To fix problems and/or security exploits which could compromise your system with malicious code. Q) Would you rather have supported Microsoft code - the patch/update you are installing - break your server, OR malicious code which exploits a vulnerability that relates to the Microsoft patch that you decided not to install because it may break your server? A) In my opinion, I would rather have an MS patch - "the devil I know" - break my system and call Microsoft Product Support Services for free when it's a patch issue, than have to completely rebuild the server from scratch when my server becomes infected with malicious code that took over my system because I did not patch it. Just my thoughts on the issue.

SUS is of limited use at the minute for a lot of people. It is an "opt-in" technology, so you have to believe your machines are correctly downloading the required patches from your SUS server. It also doesn't presently patch Office, though I believe the future version, WUS, will. Standard practice is to scan with Microsoft Baseline Security Analyser (MBSA) before and after to see where you are. A better product for patching is HFNetchk Pro. This technology is used in the MBSA from M$ and is highly regarded as an agentless patching system. It will have an agent soon, in 4.5, as far as I'm aware. The nice thing about it is that it's free for 10 machines or less, so for your remote sites with 50s and 60s it could work well. We use it with great success.

The solution to this is to create a firewall rule before the scan rule for exceptions. To do an exception for a site, do the following: run nslookup at the command prompt, type q=all, then type the name of the host of interest (v4.windowsupdate.com ?). It will return all the IPs that the host stands for. In the case of load-balanced hosts, I head to geektools.com and do a whois on the IP to get the range owned by that provider (a full class B in Microsoft's case). Add the various objects to the exception group in the rule bypassing AV and tada...the site is not checked. It is worthwhile to report the issue to Fortinet, as they have fixed some streaming issues I reported on a certain site in a later release, but the bypass can get you going on "trusted" sites...
skyhigh

Or even better, include v4.windowsupdate.com in your URL exempt list. This will have the same effect.
Fortinet Technical Support
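The two bypass approaches above (an AV-exempt address group built from nslookup and whois results, and a URL-filter exemption for the host) written out as an added example; this is not code from the thread or from Fortinet. The script takes a constructed nslookup answer and a hypothetical whois range (RFC 5737 documentation addresses, not Microsoft's real ones), and emits FortiGate CLI for the address objects, the group, and the URL exemption. The object/group names are assumptions, and the CLI syntax is that of current FortiOS (`config firewall address`, `config firewall addrgrp`, `config webfilter urlfilter`), not the 2004-era release the posters were running.

```shell
#!/bin/sh
# Added example (not from the thread): generate FortiGate CLI for an AV-bypass
# exception group from nslookup output plus a whois-derived range, and a
# URL-filter entry that exempts the same host. Names and addresses below are
# assumptions; the CLI syntax is modern FortiOS, not the 2004-era release.

# Constructed sample of what nslookup prints for the host (query type ANY).
SAMPLE_NSLOOKUP='Non-authoritative answer:
Name:    v4.windowsupdate.com
Addresses:  192.0.2.10
            192.0.2.11
            192.0.2.12'

# Hypothetical range taken from a whois lookup on one of the load-balanced IPs.
WHOIS_RANGE='198.51.100.0/24'

# Pull every IPv4 address out of a block of text, one per line, deduplicated.
extract_ips() {
  printf '%s\n' "$1" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Convert a CIDR prefix length (0-32) to a dotted netmask, e.g. 24 -> 255.255.255.0.
prefix_to_mask() {
  p=$1; mask=''
  for i in 1 2 3 4; do
    if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
    else o=$((256 - (1 << (8 - p)))); p=0; fi
    mask="${mask}${mask:+.}${o}"
  done
  printf '%s\n' "$mask"
}

# Emit FortiGate CLI: one address object per entry (host IP or CIDR range), an
# address group collecting them, and a URL-filter profile that exempts the host.
# $1 = group name, $2 = hostname to exempt, remaining args = IPs / CIDR ranges.
gen_fortigate_config() {
  group=$1; host=$2; shift 2
  n=0; members=''
  echo 'config firewall address'
  for entry in "$@"; do
    n=$((n + 1))
    case $entry in
      */*) ip=${entry%/*}; mask=$(prefix_to_mask "${entry#*/}") ;;
      *)   ip=$entry;      mask=255.255.255.255 ;;
    esac
    echo "    edit \"${group}_${n}\""
    echo "        set subnet $ip $mask"
    echo '    next'
    members="${members} \"${group}_${n}\""
  done
  echo 'end'
  echo 'config firewall addrgrp'
  echo "    edit \"$group\""
  echo "        set member${members}"
  echo '    next'
  echo 'end'
  # The URL-filter route to the same result (skyhigh's suggestion): an exempt
  # entry for the hostname instead of a pile of address objects.
  echo 'config webfilter urlfilter'
  echo '    edit 1'
  echo "        set name \"${group}_urls\""
  echo '        config entries'
  echo '            edit 1'
  echo "                set url \"$host\""
  echo '                set type simple'
  echo '                set action exempt'
  echo '            next'
  echo '        end'
  echo '    next'
  echo 'end'
}

# Build the entry list from the resolved IPs plus the whois range and print the config.
# shellcheck disable=SC2046  # word-splitting the IP list is intended
gen_fortigate_config wu_exempt v4.windowsupdate.com \
  $(extract_ips "$SAMPLE_NSLOOKUP") "$WHOIS_RANGE"
```

The generated group only does anything once a policy that references it (with no AV profile) sits above the scanning policy, because FortiGate evaluates policies top down and stops at the first match, which is the "rule before the scan rule" the post describes. Two caveats a practitioner would want: the addresses behind a load-balanced update host change, so the resolved list goes stale and has to be regenerated, and exempting a whole provider range from AV is far broader than the one host you actually trust, so prefer the hostname-based URL exemption where the firmware supports it.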

I had a similar problem. I fixed it by stopping my firewall from blocking .VB? files. Windows Update uses them. Once I allowed the Visual Basic (.VB?) files, the update works every time.