topic Re: Allowing Microsoft and Java Updates in General Topics

Allowing Microsoft and Java Updates

khaldeman — Wed, 04 May 2011 16:23:36 GMT

I'm trying to allow downloads of .exe and PE files for updates but continue to block users from downloading those file types from other sources. Not sure what the best way to do this is.

If I build a file filter with 3 rules like:

1. allow application ms-update

2. block .exe

3. allow any

Are these rules evaluated in sequential order? Or will the block .exe override the allow ms-update?

If I change rule 1 to allow application ms-update + allow .exe

Would those variables (the app and the filetype) be And'ed or Or'd together?

Another way I've tried to do this was to allow the application ms-updates in the firewall prior to URL filtering, but I get warnings that I need web-browsing enabled for the rule to work. If I enable web-browsing in the same firewall rule I start to see browsing passing that rule instead of my service-http rules, although some traffic still gets down to the normal URL rules.

So what's the best way to go about this?

Thanks,

Kevin

Re: Allowing Microsoft and Java Updates

dburns — Wed, 04 May 2011 23:05:44 GMT

In your file block profile you can add allow download for application MS-Update above you block and you will be able to download the updates. Java may be a little harder as there is not application in the file blocking profile. You may want to contact you SE to submit a feature request to allow Java-updates as an application for file blocking.

You can also make a rule above your current rule with no file block profile allow web-browsing to Sun's servers to get the downloaded files.

If I change rule 1 to allow application ms-update + allow .exe (this would be 'and')

Dominic

Re: Allowing Microsoft and Java Updates

khaldeman — Thu, 05 May 2011 17:23:38 GMT

I'm running version 4.0.2.

I continue to have problems with ms-updates being blocked, specificially windows PE files. I see the block in Data Filtering Log, so from the details of the block log I see that it is passing the URL filter with the appropriate file blocking ruleset. I'm not sure if the file blocking builder screen is incomplete or not, but I find it strange that you should be able to sort the rules by name or other rather than the sequential order drag and drop mechanism of the other firewall rule screens. I've named my rules alphebetically and sorted by name (a-z). They appear on the main File Blocking screen in correct order. I've also looked at the Config Audit screen to see if they were ordered properly in the config file. They were, but for some reason even though the log shows that the application type was ms-update and the file was a Win PE file, it was still denied. I've even seperated all file types into their own rule (ie. ms-update+PE, ms-update.exe, ms-update.cab) and combined them. Both with the same result.

Any suggestions or should I start a ticket?

Re: Allowing Microsoft and Java Updates

wayne_webner — Thu, 22 Sep 2011 21:29:55 GMT

Im trying to achieve the same goal, did you ever get a resolve? file blocking profile with allow EXE from ms-update etc does not work. Could use FQDN however was wondering what you managed to find out. thanks

Ps, on PANO 4.0.5

Re: Allowing Microsoft and Java Updates

jleung — Fri, 23 Sep 2011 06:14:32 GMT

Hi,

Have you checked the log what file type has been blocked? Have you tried to allow MS-Update as the app and allow all file types to see what file type actually we have allowed?

Regards,

Jones

Re: Allowing Microsoft and Java Updates

khaldeman — Fri, 23 Sep 2011 15:39:24 GMT

I never could get it to work the way I was thinking in my head, but I did get it to work an easier way.

Rather than allowing at the file level, I am allowing at the app level.
So under Policies->Security as a rule above my user http/https rules I have a rule called updates
In that rule I allow the application adobe-update, java-update, kaspersky, ms-update with the service type http/https

I don't do any file level blocking in that rule.

Under the above updates rule I have my normal user based url filter with http/https which contains the block to .exe types.
The application for the user based filter is any.

The Palo Alto is smart enough to be able to decipher these update applications, and so far all is working appropriately.

Let me know if this helps..