peter_cleveland

User Authentication Windows Updates

I have a FortiGate 90D running FortiOS 5.4.1. I have a policy that requires all users to authenticate prior to accessing the internet (i.e. Source = Local LAN, Allowed Internet Users) and is the last policy in the LAN->WAN1. When accessing any website users are prompted for authentication and once authenticated they can access any web site.

The problem that I currently have is that unless a user authenticates to access the internet on workstations, Windows and AV updates are blocked by the policy. The Authd process is overloaded by Windows and AV updates being blocked. I have tried adding a policy before the authentication to allow the updates using FQDN destinations, but Microsoft uses wildcard FQDNs as per the following MS KB article:

https://technet.microsoft.com/en-us/library/bb693717.aspx

I tried adding a policy following the authentication policy that uses a web filter to allow Windows updates and block all other sites. Unfortunately, after adding this rule users were no longer prompted for authentication and it would only allow users access to the defined Microsoft sites. Removing the part of the filter that blocks all other websites allowed unauthenticated access to the internet.

All I am trying to do is require users to authenticate to access the internet, but have exceptions for certain web sites.

Thanks

x_member

Using a FGT60D on 5.2.7 we were advised by Fortinet TAC to use an application control policy for Windows Update access.

So for our servers we have an additional rule (enabled only when performing Windows Update maintenance) permitting access to ANY but applying the application control policy to traffic.

I've attached a screenshot of the policy.
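As an added illustration of the approach the reply describes (this is not the reply's screenshot and not a Fortinet-published configuration), the CLI equivalent is a policy placed above the authentication policy that accepts any destination but applies an application control sensor that passes only Windows Update and blocks everything else, so the exception does not become an unauthenticated path to the internet. Interface names, the sensor name, policy IDs and the signature ID are assumptions; the signature ID is a placeholder to look up under the unit's application signature list.

```fortios
# Sensor that passes only the Windows Update signature.
# other-application-action / unknown-application-action must be
# "block": with "pass" this pre-auth policy would allow any app
# through without authentication (the same bypass the web filter
# attempt in the question produced).
config application list
    edit "windows-update-only"
        set other-application-action block
        set unknown-application-action block
        config entries
            edit 1
                # placeholder: replace with the numeric ID of the
                # Windows Update signature from the signature list
                set application <WINDOWS-UPDATE-SIGNATURE-ID>
                set action pass
            next
        end
    next
end

# Pre-authentication policy: any source on the LAN, any destination,
# but UTM restricted to the sensor above. Assumed interfaces:
# "internal" (LAN) and "wan1".
config firewall policy
    edit 0
        set name "allow-windows-update-unauth"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "windows-update-only"
        set logtraffic all
    next
    # Assumed IDs: 5 is the policy just created, 3 is the existing
    # authentication policy. Order matters: the exception must be
    # evaluated before the identity-based policy catches the flow.
    move 5 before 3
end
```

After the move, check `diagnose firewall iprope list` or the policy table ordering and confirm that a browser session from an unauthenticated host is still prompted while update traffic is logged against the new policy.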
