Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Created on ‎07-21-2006 12:03 PM

Windows Updates

Hello, can anyone help me with white listing the windows update sites. I have added microsoft.com and windowsupdate.microsoft.com to the URL exempt list but not all of the update work. I have 4 Fortigate F60s and one F100A with Ver 3.0 OS. I have ocget.dll being blocked due to the antivirus file block list and also some .exe files which I am blocking as well. The way I understood it was that if you put an URL on the exempt list it will by-pass the antivirus rules. Am I wrong? Please help.
4932
0 Kudos
6 REPLIES 6
Not applicable

Created on ‎07-21-2006 12:19 PM

I would suggest looking at the log files to see what is being blocked. Many of Windows update servers are hosted by akamai technologies. Therefore, many updates will attach to other servers. I think it' s done by ewither a redirect or DNS round robin. So, if you check the log and add those IPs or URLs, it may work.
2548
0 Kudos
Not applicable
In response to

Created on ‎07-21-2006 12:49 PM

Thanks for the post. Just as you said, the bloked files were coming from akamai technologies. I added it to the URL list. I' ll find out if it works or not in a day or two. Thanks,
2548
0 Kudos
abelio
SuperUser
SuperUser

Created on ‎07-21-2006 12:42 PM

Hi,
can anyone help me with white listing the windows update sites. I have added microsoft.com and windowsupdate.microsoft.com to the URL exempt list but not all of the update work. I have 4 Fortigate F60s and one F100A with Ver 3.0 OS.
try to re-check if the filtering is triggered by AV or WF service.
I have ocget.dll being blocked due to the antivirus file block list and also some .exe files which I am blocking as well.
If your profile includes AV/FilePattern blocking you' ll need exempt dll' s/exe' s you know well or try to withelist *.dll and *.exe' s for each protocol you need. you' ll need CLI commands for this; for example: to whitelist ocget.dll for HTTP 
   config antivirus filepattern
      edit " ocget.dll" 
      set action allow
      set active http
same thing for *.exes" : you could AV-block them only for ftp, im, smtp but not for http by putting " set active ftp im smtp" only; you can' t see nothing of this under 3.0 webGUI
The way I understood it was that if you put an URL on the exempt list it will by-pass the antivirus rules. Am I wrong?
that' s true under 2.80; under 3.0 there' re several changes about fortiguard services and filter order; I' m not sure under 3.0; we' re in " learning stage" at this moment about this. hope it helps,

regards




/ Abel

regards / Abel
2548
0 Kudos
Not applicable
In response to abelio

Created on ‎07-21-2006 12:59 PM

Hi Abelio, the example you gave is great but I don' t want to allow .exe to be downloaded at all except the ones on the white list. Thanks,
2548
0 Kudos
Not applicable

Created on ‎07-24-2006 02:02 AM

Hello! I have similar problem with windows update. I had microsoft.com and windowsupdate.com URLs added in Web Filter > URL Exempt before (v2.80 MR11). And windows updates working fine. Now I upgrade firmware of my FortiGate 500 box to v3.00 MR2. And we don`t have URL Exempt menu in Web Filter anymore. I added microsoft.com and so on to Web Filter > Content Block > Web Content Exempt list. But WU doesn`t work. OK I create rule for ocget.dll but I can`t create rule for windowsxp-kbXXXXXXXX, for example. They are too many and different. How I can allow windows update?
2548
0 Kudos
Not applicable

Created on ‎08-17-2006 02:45 AM

Have a very simple profile in which we do AV, block some file patterns and some other stuff. New computers will hang on windowsupdate forever.... no error, no log entry in the fortigate nothing... Disable the firewall policy, connect to windowsupdate for the first time (when it downloads bits, the new MSI installer n such and the genuine advantage). Reboot, re-enable the profile and all is fine?! What o what is being blocked? Using 2.80... Not using the script filter stuff, so it can' t be ActiveX or JavaScript being blocked. FilePattern block _should_ generate a log entry on the fortigate but I don' t get anything. File patterns we block are: bat, com, hta, scr, vb?, pif and cpl. Ofcourse AV, all spyware categories, some web category blocks (porn and such, also here no log entries) and spamfilter (all options but the HELO check as too many SMTP servers don' t send the right stuff). Oversize file/email is passed on http & ftp (not on mail protocols). Exempt list is enabled. IPS is active (default config).
2548
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.