topic Re: Can't join Windows Updates server, application "not applicable" in General Topics

Can't join Windows Updates server, application "not applicable"

informatiq — Wed, 24 May 2017 09:04:06 GMT

Hi !

I'm trying to connect the server to the Internet in order to download and to install updates. My server is a Windows Server 2016, so i'm trying to reach Windows Updates servers.

In order to do that, I created a rule in the firewall :

The address group contain theses addresses :

To verifiy that my server can reach Windows Update server, I checked the logs.

I've got in Application field "not applicable" :

Support says : "Not-applicable means that the Palo Alto device has received data that will be discarded because the port or service that the traffic is coming in on is not allowed, or there is no rule or policy allowing that port or service"

Here is an example of a detailed log :

Do you have any idea to solve the problem ?

Best regards,

Alexandre

Re: Can't join Windows Updates server, application "not applicable"

TranceforLife — Wed, 24 May 2017 09:27:48 GMT

Your traffic is not hitting your policy. Instead it is hitting All_Deny rule

Re: Can't join Windows Updates server, application "not applicable"

reaper — Wed, 24 May 2017 09:37:32 GMT

Those sessions' destination IPs are not matching the FQDN objects you created so the connection bypasses the security policy and hits the deny_all instead.

At this point, APP-ID is not going to try and identify the application (as the session is getting discarded by policy anyway) so the app is labeled as not applicable

Re: Can't join Windows Updates server, application "not applicable"

TranceforLife — Wed, 24 May 2017 09:40:02 GMT

Taking "off" FQDNs from the policy should allow you to get updates.

Re: Can't join Windows Updates server, application "not applicable"

Remo — Wed, 24 May 2017 09:46:18 GMT

You could use a custom URL category where you enter the fqdn's which you now have configured as address objects. After that remove all the address objects from your security policy and add the custom URL category to this rule. (no URL filtering license required)

This way it should be able to limit the access to only the Microsoft Update Servers while not having problems with FQDN objects (where it is, specially with CDN's, likely that the firewall does not resolve the FQDN to the same ip as your internal server)

Re: Can't join Windows Updates server, application "not applicable"

informatiq — Wed, 24 May 2017 09:53:28 GMT

Thanks all. It was FQDN the problem !

I will create addresses object, and I will see what IP are used, to modify the rule.

Have a good day ! Thanks !

Re: Can't join Windows Updates server, application "not applicable"

Remo — Wed, 24 May 2017 10:38:10 GMT

In this case I would not recommend doing that. Create the rule either only application based as @TranceforLife proposed or limit it by using a custom URL category.

But because Microsoft distributes the updates with a CDN you will most likely end up with often changing your security policy (adding new ip's regularly; deleting old ones; and not to forget to troubleshoot everytime to find out which ip really belongs to this FQDN's and which ones are just traffic you don't want to allow)

Re: Can't join Windows Updates server, application "not applicable"

TranceforLife — Wed, 24 May 2017 11:22:27 GMT

Hey,

Totally agreed. Anyway, sometimes FQDNs just simply fail to refresh.

Re: Can't join Windows Updates server, application "not applicable"

informatiq — Wed, 24 May 2017 13:10:54 GMT

So I created an URL category, and it works ! I have "deny" for some IP, but I can have updates !

Thanks all !