<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Block All Internet Web-Browsing But Allow MS_UPDATES in Panorama Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/panorama-discussions/block-all-internet-web-browsing-but-allow-ms-updates/m-p/521875#M1229</link>
    <description>&lt;P&gt;Worked great! Much appreciated.&lt;/P&gt;</description>
    <pubDate>Mon, 21 Nov 2022 13:18:19 GMT</pubDate>
    <dc:creator>MTaylor22</dc:creator>
    <dc:date>2022-11-21T13:18:19Z</dc:date>
    <item>
      <title>Block All Internet Web-Browsing But Allow MS_UPDATES</title>
      <link>https://live.paloaltonetworks.com/t5/panorama-discussions/block-all-internet-web-browsing-but-allow-ms-updates/m-p/521614#M1226</link>
      <description>&lt;P&gt;For our isolated network I need to block all devices from using the internet but I need to access services like ms updates, sophos etc that require SSL for a couple servers. When applying policies with the required application these require SSL/web-browsing.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We are having trouble finding a workaround.&lt;/P&gt;
&lt;P&gt;The IPs are dynamic, so nailing down the exact IPs seems futile. We tried to apply the URLs or wildcard addresses for these services in a URL group in the policy, but this still allows internet to these servers.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any suggestions are appreciated.&lt;/P&gt;
&lt;P&gt;Using Panorama 10.1.6 with firewall PA-440 and other sites with PA-410&lt;/P&gt;</description>
      <pubDate>Fri, 18 Nov 2022 00:57:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/panorama-discussions/block-all-internet-web-browsing-but-allow-ms-updates/m-p/521614#M1226</guid>
      <dc:creator>MTaylor22</dc:creator>
      <dc:date>2022-11-18T00:57:17Z</dc:date>
    </item>
    <item>
      <title>Re: Block All Internet Web-Browsing But Allow MS_UPDATES</title>
      <link>https://live.paloaltonetworks.com/t5/panorama-discussions/block-all-internet-web-browsing-but-allow-ms-updates/m-p/521626#M1227</link>
      <description>&lt;P&gt;Hello, you can create a policy, allow the apps ssl, web-browser, and the microsoft update app (Microsoft Update uses ports 80/443), create a custom URL category with the allowed Microsoft Update subdomains, and put the URL category in the secure policy.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Microsoft Update subdomains/FQDN:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus#:~:text=Your%20first%20WSUS%20server%20must%20have%20outbound%20access%20to%20ports%2080%20and%20443%20on%20the%20following%20domains%3A" target="_blank" rel="noopener"&gt;https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus#:~:text=Your%20first%20WSUS%20server%20must%20have%20outbound%20access%20to%20ports%2080%20and%20443%20on%20the%20following%20domains%3A&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;With that, only allow ssl/https and the microsoft update app to the destination for the Microsoft update services. You can do the same for Sophos.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Of course it will allow access from the servers to the Internet, but only at the level of the destination in the URL custom category, and nothing else. Additionally, to protect, add a security profile to the policy. And then with another rule close all the rest of the servers' access, a total deny of all the rest and above/free the policy of ms-update, web-browser, ssl only to the URLs in question (ms-update and sophos).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Cheers&lt;/P&gt;</description>
      <pubDate>Fri, 18 Nov 2022 04:16:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/panorama-discussions/block-all-internet-web-browsing-but-allow-ms-updates/m-p/521626#M1227</guid>
      <dc:creator>Metgatz</dc:creator>
      <dc:date>2022-11-18T04:16:34Z</dc:date>
    </item>
    <item>
      <title>Re: Block All Internet Web-Browsing But Allow MS_UPDATES</title>
      <link>https://live.paloaltonetworks.com/t5/panorama-discussions/block-all-internet-web-browsing-but-allow-ms-updates/m-p/521685#M1228</link>
      <description>&lt;P&gt;Thank you for the quick reply. I will be working on this today and let you know how it goes. Thank you!&lt;/P&gt;</description>
      <pubDate>Fri, 18 Nov 2022 13:14:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/panorama-discussions/block-all-internet-web-browsing-but-allow-ms-updates/m-p/521685#M1228</guid>
      <dc:creator>MTaylor22</dc:creator>
      <dc:date>2022-11-18T13:14:12Z</dc:date>
    </item>
    <item>
      <title>Re: Block All Internet Web-Browsing But Allow MS_UPDATES</title>
      <link>https://live.paloaltonetworks.com/t5/panorama-discussions/block-all-internet-web-browsing-but-allow-ms-updates/m-p/521875#M1229</link>
      <description>&lt;P&gt;Worked great! Much appreciated.&lt;/P&gt;</description>
      <pubDate>Mon, 21 Nov 2022 13:18:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/panorama-discussions/block-all-internet-web-browsing-but-allow-ms-updates/m-p/521875#M1229</guid>
      <dc:creator>MTaylor22</dc:creator>
      <dc:date>2022-11-21T13:18:19Z</dc:date>
    </item>
  </channel>
</rss>

