https://live.paloaltonetworks.com/t5/general-topics/block-ms-update-for-globalprotect-sessions/m-p/68378#M39892 <P>you could also use QoS to slow down the updates. So if no bandwith is used then the updates will load with max. bandwith (or a max. value konfigured by you), but if there is more important traffic the updates will be slowed down for example to only 1 mbit/s</P> Thu, 19 Nov 2015 15:25:56 GMT Remo 2015-11-19T15:25:56Z https://live.paloaltonetworks.com/t5/general-topics/block-ms-update-for-globalprotect-sessions/m-p/68374#M39889 <P>Hi all --&nbsp;</P> <P>&nbsp;</P> <P>Lately, with the Win10 release, I'm finding many of my VPN users are downloading gigs of updates over my meager 10mbps company&nbsp;internet cxn. &nbsp;I'm wondering if there is any way to&nbsp;block specific services/applications (ie.- ms-update) over a GlobalProtect connection.. &nbsp;I can't find anywhere to specify a URL filtering profile in the Gateway config.. Would I apply a profile to the VPN IP Pool in&nbsp;the Security Policies? &nbsp;</P> <P>&nbsp;</P> <P>Thanks</P> <P>-- michael~</P> <P>&nbsp;</P> <P>edit: &nbsp;Running on PA200, wth PanOS 6.1.5.&nbsp;</P> Thu, 19 Nov 2015 14:29:54 GMT https://live.paloaltonetworks.com/t5/general-topics/block-ms-update-for-globalprotect-sessions/m-p/68374#M39889 thatguy 2015-11-19T14:29:54Z https://live.paloaltonetworks.com/t5/general-topics/block-ms-update-for-globalprotect-sessions/m-p/68375#M39890 <P>Yep, that's exactly how you would do it. &nbsp;Create a security policy that says:</P> <P>&nbsp;from GP Zone</P> <P>&nbsp;to untrust</P> <P>&nbsp;app ms-update</P> <P>&nbsp;action block</P> <P>&nbsp;</P> <P>If you're terminating the GlobalProtect users in your "trust zone", then be more specific about the source like this:</P> <P>&nbsp; from trust zone</P> <P>&nbsp; from 192.168.1.20-192.168.1.29</P> <P>&nbsp; to untrust</P> <P>&nbsp; app ms-update</P> <P>&nbsp; action block</P> <P>&nbsp;</P> <P>Just make sure that you place this security policy above the policy that permits your GP users to get out to the Internet. &nbsp;</P> Thu, 19 Nov 2015 14:43:42 GMT https://live.paloaltonetworks.com/t5/general-topics/block-ms-update-for-globalprotect-sessions/m-p/68375#M39890 jvalentine 2015-11-19T14:43:42Z https://live.paloaltonetworks.com/t5/general-topics/block-ms-update-for-globalprotect-sessions/m-p/68376#M39891 <P>much appreciated. thank you</P> Thu, 19 Nov 2015 14:45:16 GMT https://live.paloaltonetworks.com/t5/general-topics/block-ms-update-for-globalprotect-sessions/m-p/68376#M39891 thatguy 2015-11-19T14:45:16Z https://live.paloaltonetworks.com/t5/general-topics/block-ms-update-for-globalprotect-sessions/m-p/68378#M39892 <P>you could also use QoS to slow down the updates. So if no bandwith is used then the updates will load with max. bandwith (or a max. value konfigured by you), but if there is more important traffic the updates will be slowed down for example to only 1 mbit/s</P> Thu, 19 Nov 2015 15:25:56 GMT https://live.paloaltonetworks.com/t5/general-topics/block-ms-update-for-globalprotect-sessions/m-p/68378#M39892 Remo 2015-11-19T15:25:56Z