Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mehdi_ouazaa
New Contributor II

Allow access only to Microsoft update services

Hi all,

I have an upstream WSUS server in my DMZ which should be allowed to only access the Microsoft update services resumed in these urls:

[link]https://*.microsoft.com[/link] [link]https://*.update.microsoft.com[/link] [link]http://*.windowsupdate.com[/link] [link]http://*.download.windowsupdate.com[/link] [link]https://*.windowsupdate.microsoft.com[/link] [link]http://*.update.microsoft.com[/link] [link]http://*.windowsupdate.microsoft.com[/link] download.windowsupdate.com windowsupdate.microsoft.com ntservicepack.microsoft.com wustat.windows.com download.microsoft.com stats.microsoft.com test.stats.update.microsoft.com

 

I tried two ways but I failed in 

1- Way1

I blocked all Fortiguard web categories and added a url filter allowing all the needed urls (as you can see in attach1).

This doesn't work since the urls were blocked by the web categories filter as belonging to the blocked Information Technologie category.

2- Way2

I disabled the web categories filter and added a blocking filter at the end of the url filter list (attach2). But access was also blocked. I also tried allow and exempt in the url filter but the result was the same.

 

Could anyone help ?

7 REPLIES 7
mehdi_ouazaa
New Contributor II

Dear all,

 

any suggestion

emed
New Contributor

did you solve your problem ?

Haris
New Contributor

The problem could be solved by creating a IPv4 Policy using Internet Service as a destination rather than address objects and moving the policy to the top. That worked for us for some time but anyhow we're now experiencing problems such as that a server behind the firewall and properly configured policy sometimes updates just normally while sometimes the synchronization fails for some reason. After the initial configuration it worked normally and then suddenly we're experiencing a lot of problems with this WSUS policy.

 

If we enable all traffic to the internet everything works.

emed
New Contributor

hi. 

I added Internet Services as destination (Microsoft-Azure  Microsoft-DNS Microsoft-Microsoft.Update Microsoft-NetBIOS.Name.Service  Microsoft-NetBIOS.Session.Service Microsoft-NTP Microsoft-SSH Microsoft-Web) and some application in ApplicationControl (MS.Windows.Update Microsoft.CDN Microsoft.Portal Microsoft.Authentication Microsoft_Login). And its woking now.

 

 

mehdi_ouazaa
New Contributor II

Hi emed,

 

Yes solved,

 

using this url filter

 

 

mehdi_ouazaa

this one

emed

hi, i've made in different way and it's works too plus some restrictions in application control (apply just Microsoft Portals and SSL)

Labels
Top Kudoed Authors