Not applicable

Windows Updates

Hello, can anyone help me with whitelisting the Windows Update sites? I have added microsoft.com and windowsupdate.microsoft.com to the URL exempt list, but not all of the updates work. I have 4 Fortigate F60s and one F100A with Ver 3.0 OS. I have ocget.dll being blocked due to the antivirus file block list and also some .exe files which I am blocking as well. The way I understood it was that if you put a URL on the exempt list it will bypass the antivirus rules. Am I wrong? Please help.
Not applicable

I would suggest looking at the log files to see what is being blocked. Many of the Windows Update servers are hosted by Akamai Technologies. Therefore, many updates will attach to other servers. I think it's done by either a redirect or DNS round robin. So, if you check the log and add those IPs or URLs, it may work.
Not applicable

Thanks for the post. Just as you said, the blocked files were coming from Akamai Technologies. I added it to the URL list. I'll find out if it works or not in a day or two. Thanks,
abelio
SuperUser

Hi,
can anyone help me with whitelisting the Windows Update sites. I have added microsoft.com and windowsupdate.microsoft.com to the URL exempt list but not all of the updates work. I have 4 Fortigate F60s and one F100A with Ver 3.0 OS.
try to re-check if the filtering is triggered by the AV or the WF service.
I have ocget.dll being blocked due to the antivirus file block list and also some .exe files which I am blocking as well.
If your profile includes AV/FilePattern blocking you'll need to exempt the dll's/exe's you know well, or try to whitelist *.dll and *.exe for each protocol you need. You'll need CLI commands for this; for example, to whitelist ocget.dll for HTTP:
   config antivirus filepattern
      edit "ocget.dll"
         set action allow
         set active http
      next
   end
same thing for *.exe: you could AV-block them only for ftp, im, smtp but not for http by putting "set active ftp im smtp" only; you can't see any of this under the 3.0 web GUI.
The way I understood it was that if you put a URL on the exempt list it will bypass the antivirus rules. Am I wrong?
that's true under 2.80; under 3.0 there are several changes about FortiGuard services and filter order; I'm not sure under 3.0; we're in the "learning stage" at this moment about this. hope it helps,

regards / Abel
Not applicable

Hi Abelio, the example you gave is great, but I don't want to allow .exe files to be downloaded at all except the ones on the whitelist. Thanks,
Not applicable

Hello! I have a similar problem with Windows Update. I had the microsoft.com and windowsupdate.com URLs added in Web Filter > URL Exempt before (v2.80 MR11), and Windows updates were working fine. Now I have upgraded the firmware of my FortiGate 500 box to v3.00 MR2, and we don't have the URL Exempt menu in Web Filter anymore. I added microsoft.com and so on to the Web Filter > Content Block > Web Content Exempt list, but WU doesn't work. OK, I can create a rule for ocget.dll, but I can't create a rule for windowsxp-kbXXXXXXXX, for example. There are too many and they are all different. How can I allow Windows Update?
Not applicable

Have a very simple profile in which we do AV, block some file patterns and some other stuff. New computers will hang on Windows Update forever.... no error, no log entry in the Fortigate, nothing... Disable the firewall policy, connect to Windows Update for the first time (when it downloads BITS, the new MSI installer and such, and Genuine Advantage). Reboot, re-enable the profile and all is fine?! What, oh what is being blocked? Using 2.80... Not using the script filter stuff, so it can't be ActiveX or JavaScript being blocked. FilePattern block _should_ generate a log entry on the Fortigate but I don't get anything. File patterns we block are: bat, com, hta, scr, vb?, pif and cpl. Of course AV, all spyware categories, some web category blocks (porn and such, also here no log entries) and spamfilter (all options but the HELO check, as too many SMTP servers don't send the right stuff). Oversize file/email is passed on http & ftp (not on mail protocols). Exempt list is enabled. IPS is active (default config).