Jonathan_Body_FTNT

Description

This article explains how to use SSL exemption for Microsoft Windows Update sites.

Refer to the related article for FortiOS v5.2.


Scope

FortiOS v4.0 MR2.


Solution

To use SSL exemption for the Windows Update sites:

1. Create a local category called "windows-updates" and assign the Windows Update server addresses to this category, as shown below:
config webfilter ftgd-local-cat
    edit "windows-updates"
        set id 140
    next
end

config webfilter ftgd-local-rating
    edit "www.update.microsoft.com"
        set rating 140
    next
    edit "update.microsoft.com"
        set rating 140
    next
    edit "download.windowsupdate.com"
        set rating 140
    next
    edit "windowsupdate.microsoft.com"
        set rating 140
    next
end
 
2. Create an SSL exempt web filter profile and enable logging:
 
config webfilter profile
    edit "windows-updates-ssl-exempt web profile"
        config ftgd-wf
            set enable g01 g02 g03 g04 g05 g06 g07 g08 g21 140 c01 c02 c03 c04 c05 c06 c07
            set ssl-exempt 140
        end
        set web-ftgd-err-log enable
    next
end
 
3. In the web-based manager, go to UTM > Webfilter > Profile > FortiGuard Web Filtering > SSL Exempt and select the "windows-updates" category. Note that SSL deep scan bypasses traffic in this category: the exemption is applied and the traffic is not inspected by the FortiGate.
 

 

 
4. Apply the exemption to the appropriate Firewall Policy.
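Because every hostname rated into an SSL-exempt category bypasses deep scan, it is worth checking periodically that the category holds only the intended hosts. The following Python audit is an added example, not part of the original article or any Fortinet tool: it reads a saved configuration and reports hosts in an SSL-exempt category that are not on the expected list. The function names, the shortened sample configuration and the host files.example.net are constructed for illustration.

```python
import re

# Constructed sample, indented as in a config backup: settings from this
# article plus one extra host (files.example.net) for the audit to report.
SAMPLE_CONFIG = '''
config webfilter ftgd-local-rating
    edit "www.update.microsoft.com"
        set rating 140
    next
    edit "download.windowsupdate.com"
        set rating 140
    next
    edit "files.example.net"
        set rating 140
    next
end
config webfilter profile
    edit "windows-updates-ssl-exempt web profile"
        config ftgd-wf
            set enable g01 g02 140 c01
            set ssl-exempt 140
        end
    next
end
'''

# Hostnames the article places in the exempt category.
EXPECTED = {"www.update.microsoft.com", "update.microsoft.com",
            "download.windowsupdate.com", "windowsupdate.microsoft.com"}

def local_ratings(config):
    """Return (hostname, rating ids) pairs from 'config webfilter ftgd-local-rating'."""
    m = re.search(r"^config webfilter ftgd-local-rating\s*\n(.*?)^end\s*$",
                  config, re.M | re.S)
    return re.findall(r'edit "([^"]+)"\s+set rating ([^\n]+)', m.group(1)) if m else []

def audit_ssl_exempt(config, expected=EXPECTED):
    """Return (SSL-exempt category ids, hosts in them that are not expected)."""
    exempt_ids = set()
    for ids in re.findall(r"^\s*set ssl-exempt (.+)$", config, re.M):
        exempt_ids.update(ids.split())
    exempt_hosts = {h for h, r in local_ratings(config) if exempt_ids & set(r.split())}
    return exempt_ids, sorted(exempt_hosts - set(expected))

if __name__ == "__main__":
    print(audit_ssl_exempt(SAMPLE_CONFIG))
```

Any hostname in the second element of the result is exempt from inspection without being on the expected list and should be reviewed.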

 

 

Related Articles

Technical Note: How to use SSL exemption for Microsoft Windows Updates