Description
This article explains how to use SSL exemption for Microsoft Windows Update sites.
Refer to the related article for FortiOS v5.2.
Scope
FortiOS v4.0 MR2.
Solution
To use SSL Exemption to exempt the Windows updates sites.
1. Create a local category called "windows-update" and ALLOW the Windows update server addresses to belong to this category. This can be done as shown below:-
config webfilter ftgd-local-cat
edit "windows-updates"
set id 140
next
end
config webfilter ftgd-local-rating
edit "www.update.microsoft.com"
set rating 140
next
edit "update.microsoft.com"
set rating 140
next
edit "download.windowsupdate.com"
set rating 140
next
edit "windowsupdate.microsoft.com"
set rating 140
next
end |
2. Create a SSL exempt web profile and enable logging
config webfilter profile
edit "windows-updates-ssl-exempt web profile"
config ftgd-wf
set enable g01 g02 g03 g04 g05 g06 g07 g08 g21 140 c01 c02 c03 c04 c05 c06 c07
set ssl-exempt 140
end
set web-ftgd-err-log enable
next
end |
3. On the web based manager, go to UTM->Webfilter->Profile->FortiGuard Web Filtering->SSL Exempt, select the "windows-update" category. Note that SSL Deep Scan will bypass this traffic and will not be inspected by the FortiGate and allow the exemption.
4. Apply the exemption to the appropriate Firewall Policy.
Related Articles
Technical Note: How to use SSL exemption for Microsoft Windows Updates
