Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MattyG2787
New Contributor

ISDB to block server updates

Hey Everyone,

Our projects team are having issues stopping Server 2016/2019 from updating automatically during the day, and they have turned to networking.

I've tried creating a deny policy with the destination set to Microsoft-Microsoft.Update. It's showing violations in the logs, but updates are still able to download from Microsoft Update (Server 2019).

Anyone had any luck trying to do something like this? Unfortunately, a manual address list for Microsoft is too broad, as we can't block Office 365 and other similar services.

Thanks

4 REPLIES
James_G
Contributor III

This is a server management issue, not a networking issue; none of our 2016/2019 servers update randomly during the day even though they have access to the WSUS server 24/7.

MattyG2787

WSUS gives you access to control the update times. Installing a WSUS server for 150 different ADs would be extremely costly to clients.

I simply asked if anyone knew of a way to block this via the firewall to stop automatic updates.

rohitchoudhary1978

Hi, it can be stopped with application control. You can make two policies that are clones of each other but with two different schedules (night and day), and allow or deny updates as desired through application control. This is what we do.

Thanks

Rohit K
poundy

But irrespective of when you can contact the public Microsoft Update site to download updates, your server will still install those updates and reboot if its settings allow it to, after some random-ish length of time. So locking updates to a time doesn't guarantee that's when the servers will reboot.

This isn't a firewall problem. As others have said, this is a server management issue. You must control this properly outside the firewall. You should be looking at Group Policy to control active hours and when the server can install and reboot for updates. So you have 150 AD domains; that just means creating appropriate policies and applying them, not creating 150 WSUS servers. Heck, if you're controlling this via one firewall, only one WSUS server is needed...

But to be clear - the only way you'll get control of this is at a Windows level, not the firewall. 
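A Windows-side implementation of the control described in this reply (active hours, a scheduled install day and time, no automatic reboot with a logged-on user, and optionally an internal WSUS server), as an added PowerShell example that is not part of the original thread. It writes the same values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate that the corresponding Group Policy settings (Computer Configuration > Administrative Templates > Windows Components > Windows Update) write, and reads them back for auditing. The function names, the hours, the install day and the WSUS URL are the example's own placeholder choices, not settings from the thread.

```powershell
# Added example (not from the thread): local equivalent of the Windows Update
# Group Policy settings poundy refers to. Run in an elevated PowerShell session
# on the server. Hours, day and WSUS URL below are placeholder choices.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuRoot     = "$PolicyRoot\AU"

function Set-ServerUpdateWindow {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(0, 23)] [int] $ActiveHoursStart = 7,   # no automatic restart from 07:00 ...
        [ValidateRange(0, 23)] [int] $ActiveHoursEnd   = 19,  # ... until 19:00
        [ValidateRange(0, 7)]  [int] $InstallDay       = 7,   # 0 = every day, 1 = Sunday ... 7 = Saturday
        [ValidateRange(0, 23)] [int] $InstallHour      = 3,   # scheduled install at 03:00
        [string] $WsusUrl                                     # optional, e.g. http://wsus.example.internal:8530
    )

    # Windows caps the active-hours window at 18 hours by default
    # (ActiveHoursMaxRange); a longer span is not honoured, so fail loudly here.
    $span = (($ActiveHoursEnd - $ActiveHoursStart) % 24 + 24) % 24
    if ($span -eq 0 -or $span -gt 18) {
        throw "Active hours must span 1 to 18 hours (got $span)."
    }

    foreach ($path in @($PolicyRoot, $AuRoot)) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }

    # "Turn off auto-restart for updates during active hours"
    $policy = @{
        SetActiveHours   = 1
        ActiveHoursStart = $ActiveHoursStart
        ActiveHoursEnd   = $ActiveHoursEnd
    }
    # "Configure Automatic Updates": download automatically, install only at the
    # scheduled day/time, never restart automatically while someone is logged on.
    $au = @{
        NoAutoUpdate                    = 0
        AUOptions                       = 4   # 4 = auto download and schedule the install
        ScheduledInstallDay             = $InstallDay
        ScheduledInstallTime            = $InstallHour
        NoAutoRebootWithLoggedOnUsers   = 1
        AlwaysAutoRebootAtScheduledTime = 0
    }
    if ($WsusUrl) {
        # "Specify intranet Microsoft update service location": one WSUS server
        # can serve every domain that routes through the same firewall.
        $policy['WUServer']       = $WsusUrl
        $policy['WUStatusServer'] = $WsusUrl
        $au['UseWUServer']        = 1
    }

    foreach ($entry in @(@{ Path = $PolicyRoot; Values = $policy }, @{ Path = $AuRoot; Values = $au })) {
        foreach ($kv in $entry.Values.GetEnumerator()) {
            $type = if ($kv.Value -is [string]) { 'String' } else { 'DWord' }
            if ($PSCmdlet.ShouldProcess("$($entry.Path)\$($kv.Key)", "set ($type) to $($kv.Value)")) {
                New-ItemProperty -Path $entry.Path -Name $kv.Key -Value $kv.Value `
                                 -PropertyType $type -Force | Out-Null
            }
        }
    }
}

function Get-ServerUpdateWindow {
    # Read the values back as one object, so the result can be audited or
    # compared across many servers (e.g. via Invoke-Command).
    $p  = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuRoot     -ErrorAction SilentlyContinue
    $activeHours = if ($p.SetActiveHours -eq 1) {
        '{0:00}:00-{1:00}:00' -f $p.ActiveHoursStart, $p.ActiveHoursEnd
    } else { 'not set (default active hours apply)' }
    $source = if ($au.UseWUServer -eq 1) { $p.WUServer } else { 'Microsoft Update (public)' }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ActiveHours        = $activeHours
        AUOptions          = $au.AUOptions
        InstallDay         = $au.ScheduledInstallDay
        InstallHour        = $au.ScheduledInstallTime
        NoRebootIfLoggedOn = ($au.NoAutoRebootWithLoggedOnUsers -eq 1)
        UpdateSource       = $source
    }
}

# Usage (placeholder values): preview with -WhatIf, drop it to apply, then verify.
Set-ServerUpdateWindow -ActiveHoursStart 7 -ActiveHoursEnd 19 -InstallDay 7 -InstallHour 3 -WhatIf
Get-ServerUpdateWindow | Format-List
```

On domain-joined servers, put these settings in a GPO rather than running the script per host: a GPO that defines them overwrites the local values at the next policy refresh, which is also why Get-ServerUpdateWindow is the more useful half for checking what actually landed on a given server. The install-day/hour and NoAutoRebootWithLoggedOnUsers values are what address the point made above: a firewall schedule can only delay the download, while an update already on disk installs and reboots whenever these settings allow.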
