Need to exempt access to www.msftconnecttest.com

scerazy
2018/01/16 04:47:59


FTG, no matter what firmware version, does not allow wildcards.
This DNS entry resolves to a server farm, *.c-msedge.net.
 
And I need unrestricted access from any device on the network, no matter what the user web policies are.
 
Any ideas?
 
Seb
#1


    rwpatterson
    2018/01/16 06:57:30
    Why not use FQDN? That should do it.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.18-b0689
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #2
    scerazy
    2018/01/16 11:16:50
    Does it?
     
    If it does, then great.
    #3
    rwpatterson
    2018/01/16 11:31:34
    You tell me/us. Select that in the policy instead of IP address/subnet and let us know.

     
    #4
    dmcquade
    2018/01/19 19:20:39
    With firewall policies, you have to use FQDN. Wildcard FQDN objects are for use in security profiles. In your web filter, enable URL filters and create an entry of type Wildcard and enter the URL (e.g. *.abcdomain.com). You can set the action to either exempt or allow. Make sure the status of the entry is enabled (the default).
     
    HTH
    d
    #5
    sw2090
    2018/01/23 07:40:05
    You can use wildcards on a FGT. However, you cannot use them in web rating overrides; that's officially not supported, TAC told me once.
    What you can do is use the URL filter instead, for it does support wildcards AND exempt.
    The URL filter matches before rating overrides. So just inside your web filter profile enable the URL filter and create a rule for *.somednsname.com EXEMPT, and it should work.
    #6
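Putting the two suggestions in this thread together, as an added example (not configuration posted by anyone in the thread, and not a Fortinet reference snippet): an FQDN address object for the exact host, used as the destination of a policy that carries no user/group and no security profile and sits above the authenticated user policies, plus a URL filter with wildcard exempt entries for the farm the host resolves to, attached to the web filter profile the user policies use. FortiOS 5.6/6.x-style CLI syntax is assumed, and the interface names, policy ID, table ID, object and profile names are all assumptions.

```fortios
# Added example, not config from the thread or from Fortinet documentation.
# Assumptions: FortiOS 5.6/6.x CLI syntax, interfaces "internal"/"wan1",
# policy ID 5, URL filter table ID 1, profile name "standard-users".

# 1. Exact host: an FQDN address object is accepted as a policy destination.
config firewall address
    edit "msftconnecttest-fqdn"
        set type fqdn
        set fqdn "www.msftconnecttest.com"
    next
end

# 2. A policy with no user/group and no security profiles, placed ABOVE the
#    authenticated user policies (policies match top-down, first hit wins),
#    so every device reaches the host regardless of user web policies.
config firewall policy
    edit 5
        set name "connectivity-check-exempt"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "msftconnecttest-fqdn"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
    next
end

# 3. The farm it resolves to needs a wildcard, which a policy destination
#    does not take; wildcards go in a URL filter on the web filter profile.
#    "exempt" skips the remaining web-filter checks for anything that
#    matches, so keep these entries as narrow as the job allows.
config webfilter urlfilter
    edit 1
        set name "connectivity-check-exempt"
        config entries
            edit 1
                set url "*.msftconnecttest.com"
                set type wildcard
                set action exempt
                set status enable
            next
            edit 2
                set url "*.c-msedge.net"
                set type wildcard
                set action exempt
                set status enable
            next
        end
    next
end

config webfilter profile
    edit "standard-users"
        config web
            set urlfilter-table 1
        end
    next
end
```

Two things to check after applying it: the addresses the FQDN object currently resolves to (`diagnose firewall fqdn list`), since the policy only matches what the FortiGate itself resolved, and the SSL inspection mode on the user policies, because a host-level wildcard entry can be matched from the SNI/certificate under certificate inspection, whereas anything path-specific needs deep inspection. Note that *.c-msedge.net is shared by far more Microsoft services than the connectivity test, so exempting it opens more than the original question asks for.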
    dmcquade
    2018/03/29 17:16:33
    Your configuration or approach is most likely wrong. This works for numerous clients and installations I have deployed. See this link for an explanation of wildcard FQDNs and why you can't use them in the destination:
    http://kb.fortinet.com/kb/documentLink.do?externalID=FD35297
    Use the URL filter within the Web Filter profile to make exceptions. I use this method all the time for machines that a client wants to restrict to a very specific set of URLs. You don't have to use categories; just enable the URL filter, enter the list of allowed sites and, at the end, use a wildcard of *.* with an action of block. Very useful for servers that are required to reach out to public resources without exposing them to the rest of the Internet.
    #7
    dmcquade
    2018/04/10 17:45:32
    You use *.* set to block in a URL filter ONLY when using strictly the URL filter. This forces you to create a static list of allowed URLs (above the block), which is very useful for strict Internet access (e.g. servers, admin accounts, etc.).
     
    For normal users, use the FortiGuard categories in combination with the URL filter. In the URL filter, only create exceptions to the categories. So if you block File Storage but want to allow Dropbox, add *.dropbox.com in the URL filter set to allow or exempt. If you want to allow Social Networking but block Facebook, enable the category in FortiGuard Categories and create a URL filter entry for *.facebook.com set to block.
     
    The configuration options in the Web Filter profiles are fairly robust and can pretty much accommodate any Internet Usage policy. If you want to use wildcard FQDNs in the destination, you may want to create an Explicit Proxy policy.
     
    HTH
    d
    #8
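The two patterns described in the last two posts, as an added example (not the thread's own configuration, and not a Fortinet reference snippet): a strict allow-list table whose last entry is *.* with action block, and a table of category exceptions for ordinary users. A web filter profile references exactly one URL filter table, so each pattern gets its own profile. Table IDs, profile names and the placeholder hosts under example.com/example.net are constructed assumptions; the FortiGuard category actions themselves (block File Storage, allow Social Networking) live in the profile's category section and are not shown here.

```fortios
# Added example, not from the thread or from Fortinet documentation.
# Assumptions: FortiOS 5.6/6.x syntax, table IDs 2 and 3, profile names,
# and RFC 2606 placeholder hosts. Entries are checked top-down and the
# first match wins, so the *.* catch-all must be the LAST entry.

# Pattern 1: strict allow-list. "allow" hands the URL on to the remaining
# checks (category rating, AV); with no categories enabled in this profile
# that means pass, and anything not listed reaches *.* and is blocked.
config webfilter urlfilter
    edit 2
        set name "server-allowlist"
        config entries
            edit 1
                set url "update.example.com"
                set type simple
                set action allow
                set status enable
            next
            edit 2
                set url "*.cdn.example.net"
                set type wildcard
                set action allow
                set status enable
            next
            edit 99
                set url "*.*"
                set type wildcard
                set action block
                set status enable
            next
        end
    next
end

config webfilter profile
    edit "strict-servers"
        config web
            set urlfilter-table 2
        end
    next
end

# Pattern 2: categories do the bulk of the work; the URL filter carries
# only exceptions. "exempt" bypasses the category check that would
# otherwise block Dropbox under File Storage; the Facebook entry blocks
# one host inside an allowed category. No *.* entry in this table.
config webfilter urlfilter
    edit 3
        set name "user-exceptions"
        config entries
            edit 1
                set url "*.dropbox.com"
                set type wildcard
                set action exempt
                set status enable
            next
            edit 2
                set url "*.facebook.com"
                set type wildcard
                set action block
                set status enable
            next
        end
    next
end

config webfilter profile
    edit "standard-users"
        config web
            set urlfilter-table 3
        end
        # Category actions (block File Storage, allow Social Networking)
        # are configured in this profile's FortiGuard category section.
    next
end
```

The difference between allow and exempt is what makes the two patterns work: allow lets the request continue through category rating and the other scans, which is what you want in an allow-list profile that has no categories enabled, while exempt stops further web-filter evaluation, which is what an exception to a blocked category needs. Putting *.* block into the user-exceptions table by mistake would turn the category-based profile into an allow-list and block everything not explicitly listed.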
    dmcquade
    2018/04/11 12:43:52
    I get what you are saying, and in my opinion that is just very bad logic in what you described. Basically you are stating you want unknown users the ability to browse anywhere. That implies someone could connect a rogue device and introduce malicious content into your network. I am sure there are much better ways to achieve what your end goal is. If you truly believe your logic is correct, just create a rule allowing access with no security profiles. That would allow any device / user hitting that rule access to the entire web, but I still believe it is a flawed design, as I believe most others would. I have completed several dozen installations for clients and have never heard anyone request any such design.
     
    Good luck
    #9
    dmcquade
    2018/04/14 04:18:24
    I've set up dozens of installations where WSUS gets updates. It is actually quite an easy and common setup. Not sure why you are having so much trouble. Maybe you simply do not understand.
    #10
    scerazy
    2018/04/14 04:27:46
    I tell you why you do not have problems: because you never tried to make machines get updates with no user logged in, or one of your rules leaks such access, or you have "Do not connect to any Windows Update Internet locations" enabled (which, by the way, affects access to e.g. the Windows Store in a random way).
    Please read the whole explanation here: Why WSUS and SCCM managed clients are reaching out to Microsoft Online
    Maybe you can learn something new?
     
    Seb
    post edited by scerazy - 2018/04/14 07:13:53
    #11
    dmcquade
    2018/04/14 06:57:56
    I tried to help, but maybe you don't really want it. You sound more interested in bashing a product's features that you don't really know how to implement properly.
    No user auth is required for WSUS servers to properly get updates from the Internet. You just need to know how to configure your policies. Again, not sure why this works for hundreds of clients and not for you.
    Good luck.
    #12
    scerazy
    2018/04/14 07:03:39
    I see you cannot even read (or can't be bothered, or do not understand what you read).
    You tried to help; you failed. No need to defend a product that is not capable of doing what it should.
    End of.
     
    #13
    dmcquade
    2018/04/14 12:39:44
    Like I said, good luck. Works fine for me and dozens of others. Try thinking about it differently and maybe you will see the answer.
    #14