DerekWSmall

Trying to allow access to virus and MS updates only

I have a customer with Fortigate 201Es.  They have a segment of their network which they would like to allow access to MalwareBytes.com and Microsoft updates only.  I've tried doing a basic IP policy with FQDN objects, but the problem is if you query any of the laundry list of domains used by either of those companies for updates, you will get as many as 8 IP addresses for some of them, but they are constantly changing (like every couple of seconds, even though the TTL is 60 seconds).  Regardless of how fast they change, the IPs that the FQDN address object resolves to continually change, so using FQDN objects to allow access doesn't work.

Next I tried using a Web policy.  That seemed to suffer from the same problem.  I'm not really sure why I needed to include a wildcard * with a deny at the end of my URL filter list also, as the next rule in my list blocked all access from that inside segment to the Internet, but the URL filter didn't work either, as I was still getting traffic blocked if the end system later resolved one of the domains to a public IP that was different from what the firewall had at the time the traffic flow happened.

With domains that can return several of several hundred possible public IPs for a given URL, how are you supposed to permit access to them on a Fortigate?  It would be nice if the Fortigate updated the Web Filter URL and/or the FQDN address with the public IPs of any DNS response returned to an internal system.  I mean adding new IPs to the list, instead of just replacing them with new values.

Do I have to configure the DNS service on the Fortigate and then put forwarders on all my internal DNS servers to the Fortigates?  That is a pretty big change, so I'm trying to find some absolute statements like "Yes, that will finally solve this problem" or "No, that won't help, but maybe you should try this instead..."

Any help is much appreciated.

Derek Small
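As an added illustration of the failure described in the post above (example code written for this page, not taken from the thread and not a description of how FortiOS implements FQDN objects), the following Python models two allow-list strategies against a name whose DNS answers rotate through a pool of addresses: a "replace" object that resolves the name on its own TTL cadence and overwrites its entry each time, and a "learn" object that records every address seen in DNS responses relayed to internal clients and keeps each one until that answer's TTL expires. The host name, the 203.0.113.0/24 address pool, the 3-address answer window and all timings are constructed for the simulation.

```python
"""Toy model of FQDN allow-listing against fast-rotating DNS answers.

Added example: not from the forum post or from Fortinet. Every host,
address and timing below is constructed; the "replace" and "learn"
classes are simplified models, not FortiOS behaviour.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    host: str
    ips: tuple      # in the order returned; the client connects to ips[0]
    ttl: int        # seconds
    seen_at: int    # simulated time at which the answer was observed


# Constructed pool of 12 possible addresses for one update host (TEST-NET-3).
POOL = tuple(f"203.0.113.{i}" for i in range(1, 13))


class RoundRobinResolver:
    """Stand-in for an authoritative server that answers each query with the
    next window of 3 addresses from the pool, so consecutive answers differ."""

    def __init__(self, pool=POOL, window=3):
        self.pool, self.window, self.queries = pool, window, 0

    def resolve(self, host, now):
        k = self.queries
        self.queries += 1
        ips = tuple(self.pool[(k + i) % len(self.pool)] for i in range(self.window))
        return DnsAnswer(host, ips, ttl=60, seen_at=now)


class ReplaceFqdnObject:
    """Plain FQDN object: the firewall resolves the name itself once per TTL
    and overwrites the entry with whatever it just received."""

    def __init__(self, ttl=60):
        self.ttl, self.ips, self.expires_at = ttl, frozenset(), -1

    def refresh(self, host, now, resolver):
        if now >= self.expires_at:
            self.ips = frozenset(resolver.resolve(host, now).ips)
            self.expires_at = now + self.ttl

    def observe_client_answer(self, answer):
        pass  # ignores what internal clients were told

    def allows(self, ip, now):
        return ip in self.ips


class LearnedFqdnObject:
    """Accumulating object: every IP in a DNS response relayed to an internal
    client is added and kept until that answer's TTL has expired."""

    def __init__(self):
        self.expiry = {}  # ip -> simulated time after which it is dropped

    def refresh(self, host, now, resolver):
        pass  # no independent lookups; relies on responses it sees

    def observe_client_answer(self, answer):
        for ip in answer.ips:
            until = answer.seen_at + answer.ttl
            self.expiry[ip] = max(self.expiry.get(ip, -1), until)

    def allows(self, ip, now):
        return now <= self.expiry.get(ip, -1)


def simulate(policy, host="updates.example.test", duration=120, client_interval=2):
    """Clients resolve `host` every `client_interval` seconds and immediately
    connect to the first address returned. Returns (allowed, total) flows."""
    resolver = RoundRobinResolver()
    allowed = total = 0
    for now in range(0, duration, client_interval):
        policy.refresh(host, now, resolver)      # firewall's own lookup, if any
        answer = resolver.resolve(host, now)     # the client's lookup
        policy.observe_client_answer(answer)     # only visible if DNS transits the firewall
        total += 1
        if policy.allows(answer.ips[0], now):
            allowed += 1
    return allowed, total


if __name__ == "__main__":
    for name, policy in (("replace", ReplaceFqdnObject()), ("learn", LearnedFqdnObject())):
        ok, n = simulate(policy)
        print(f"{name:8s} allowed {ok}/{n} flows")
```

With these constructed parameters the replace model passes 16 of 60 flows (only the clients that happen to receive the same window the firewall last cached) while the learn model passes all 60. The learn model only works when the responses clients actually use transit the firewall, which is the DNS-forwarding change the post is weighing; whether a particular FortiOS release offers such behaviour is something to confirm against its documentation, not something this simulation shows.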
Dave_Hall

You may have better luck with an app control sensor configured to allow "Updates" - create or add this category or, if you want to narrow down the choice of updates, just choose Malwarebytes and MS.Windows.Update on an app sensor - and apply it to those clients' outgoing connection.
You may still need to allow/exempt URLs - for malwarebytes.com they list their firewall exemption rules here. From the looks of it, these sites are accessible on HTTPS (port 443), so you will need to either enable full SSL inspection on the connection or (if using SSL certificate inspection) craft URL exemptions based on the CN or alt names listed on the server certificate.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C