Support Forum
Mike_Orr
New Contributor

Symantec Endpoint LiveUpdate

Hi all,

I'm hoping someone here has successfully been able to set this up and can give me some pointers.

I'm running 6.0.4 on a 200E and need to allow Symantec LiveUpdate to run through the F/W.

The updates work when I allow all traffic from DMZ -> WAN, so I know the Symantec software is installed fine. However, when I block internet traffic, allow DNS lookup to pass through as LiveUpdate uses FQDNs and follow the Symantec tech article to allow it through the firewall, it fails every time.


The tech article in question can be found here: https://support.symantec.com/en_US/article.TECH102059.html


I've done some packet tracing when all traffic is allowed and it looks like LiveUpdate has multiple CNAMEs returned from the DNS. Should these CNAMEs be added to the policy as allowed or should the firewall be able to deal with them?


It's getting to the point where I'm considering setting up LiveUpdate to run once a day and to allow all traffic out to the internet for a 10 min window while it does. However, this is obviously not the preferred solution.

Thanks in advance for any help given :)

1 Solution
Dave_Hall
Honored Contributor

Going by that KB article, creating FQDNs for liveupdate.symantecliveupdate.com and liveupdate.symantec.com and creating a firewall policy allowing "unrestricted" access to those FQDNs should do the trick (assuming the firewall rule is moved up in the firewall chain).


Alternately there is an application sensor that you could also apply.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
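The FQDN approach from the answer above, written out as a FortiOS 6.0 CLI fragment. This is an added example, not configuration from the thread or from Fortinet; the object and policy names, the "dmz" and "wan1" interface names, and the use of HTTP/HTTPS as the LiveUpdate services are assumptions.

```fortios
# Constructed example: FQDN address objects for the two LiveUpdate hosts
# named in the Symantec article, grouped and referenced by a DMZ->WAN policy.
config firewall address
    edit "SYM-LiveUpdate-1"
        set type fqdn
        set fqdn "liveupdate.symantecliveupdate.com"
    next
    edit "SYM-LiveUpdate-2"
        set type fqdn
        set fqdn "liveupdate.symantec.com"
    next
end

config firewall addrgrp
    edit "Symantec-LiveUpdate"
        set member "SYM-LiveUpdate-1" "SYM-LiveUpdate-2"
    next
end

# Policy must sit above the DMZ->WAN deny rule; after creating it, use
# "move <new-id> before <deny-id>" inside "config firewall policy".
config firewall policy
    edit 0
        set name "DMZ-to-WAN-LiveUpdate"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Symantec-LiveUpdate"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
end
```

`diagnose firewall fqdn list` shows which IPs the FortiGate has currently resolved for each FQDN object; because the firewall resolves these names with its own DNS client, a DMZ host that resolves the same CNAME chain to a different CDN address than the firewall cached will still be dropped even though the policy is correct.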

Mike_Orr

Thanks for the answer, Dave. I'd already done your first suggestion to no avail. However, I'd never played with the application control options, so I thought I'd give it a go.

After 20 mins of reading and 5 mins of config work on the firewall, it all worked first time.

Well done, and thanks again for a great response.
