topic Re: Allowing ms-update on app-default, File blocking PE and therefore no windows updates in General Topics

Allowing ms-update on app-default, File blocking PE and therefore no windows updates

drewdown — Wed, 23 Aug 2017 19:07:06 GMT

Me again and file blocking per PA best practice (PE, multi-level, etc..) and allowing ms-update on application default. However the WSUS server is not able to download any updates and its classifying a PE file as a threat. The file in question is am_delta_patch_1.249.1313.0_52b04aae0eb450654fc89884b43d10b7ed5 and threat-id is 52060 but nothing matches in the Threat Vault.

Do I need a specific rule allowing windows updates that specifically allows PE files?

Re: Allowing ms-update on app-default, File blocking PE and therefore no windows updates

BPry — Wed, 23 Aug 2017 19:57:47 GMT

@drewdown,

On the WSUS server you'll need to allow PE downloads, Once you have a policy allowing the WSUS server to actually download the PE files you should be good to go.

Re: Allowing ms-update on app-default, File blocking PE and therefore no windows updates

drewdown — Wed, 23 Aug 2017 20:38:57 GMT

What the easiest way to do that for all users, ms websites and whatever relevant file types? I read an old article about PA and MS-updates but I don't want to block web browsing.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Block-Web-Browsing-while-Allowing-Microsoft-Updates/ta-p/58399

Re: Allowing ms-update on app-default, File blocking PE and therefore no windows updates

BPry — Thu, 24 Aug 2017 14:24:14 GMT

@drewdown,

Is your WSUS server in the same zone as your clients?

Re: Allowing ms-update on app-default, File blocking PE and therefore no windows updates

drewdown — Thu, 24 Aug 2017 14:42:16 GMT

Yes.

Re: Allowing ms-update on app-default, File blocking PE and therefore no windows updates

BPry — Thu, 24 Aug 2017 14:47:01 GMT

@drewdown,

You really shouldn't have to worry about it then as the traffic wouldn't pass through your firewall so your File-Blocking profiles wouldn't effect anything. Allowing the WSUS server to go out and grab the updates should be the only step you need to take at that point.

Re: Allowing ms-update on app-default, File blocking PE and therefore no windows updates

drewdown — Thu, 24 Aug 2017 16:14:18 GMT

@BPry wrote:
@drewdown,
You really shouldn't have to worry about it then as the traffic wouldn't pass through your firewall so your File-Blocking profiles wouldn't effect anything. Allowing the WSUS server to go out and grab the updates should be the only step you need to take at that point.

It would if the machines weren't part of the domain (we have both domain and non-domain windows) and thus not getting updates from WSUS. Therefore I need to make sure its allowed through. To get it working until I (or PA support) can figure it out I just allowed PE files but that brings me to my next point which would fix this issue anyways. Albeit not in any way shape or form that I would prefer it to be done.

Another issue today with downloading large files from the internet and having any profile applied to the matching policy causes them to slow to a crawl or stop completely. The only way I can make it so the files complete is by having 0 profiles applied to the rule. PA don't know why its doing it and don't know when they can get a resolution to me because they are 'busy with other cases.' Still haven't heard back from imaps case which I opened on 8/21 (status says researching) although you guys helped me fix that one.

Re: Allowing ms-update on app-default, File blocking PE and therefore no windows updates

Remo — Thu, 24 Aug 2017 17:21:58 GMT

Create a custom url category with the following entries: *.update.microsoft.com, *.windowsupdates.microsoft.com, *.windowsupdate.com, windowsupdates.microsoft.com
Create a new security policy rule and attach the custom url category from step 1 directly to this policy in the url category column
Attach the security profiles you want to this rule but other than your normal internet access rule, allow pe files here
(If you decrypt tls traffic) create decryption exclusion rule where you use the same custom url category from step 1

Re: Allowing ms-update on app-default, File blocking PE and therefore no windows updates

BPry — Thu, 24 Aug 2017 17:28:32 GMT

@drewdown,

Out of curiosity what PAN-OS version are you running? 8.0.4?

Re: Allowing ms-update on app-default, File blocking PE and therefore no windows updates

drewdown — Thu, 24 Aug 2017 18:38:25 GMT

@Remo Thanks. Couple questions though, I created the URL category already and allowed all of those, do I need to block everything else? Do I need to allow the app-ids or just leave it any/any?

@BPry 8.0.2

Re: Allowing ms-update on app-default, File blocking PE and therefore no windows updates

Remo — Thu, 24 Aug 2017 18:55:05 GMT

In my rule I use web-browsing, ssl and ms-update. What exatly do you mean with "block everything else"?

If you added the custom category into the security policy as described, traffic will only match that rule for these URL's and nothing else.

Re: Allowing ms-update on app-default, File blocking PE and therefore no windows updates

drewdown — Thu, 24 Aug 2017 20:25:18 GMT

I was confusing URL filter with URL category. Do you do any file blocking with this specific rule?

Will give it a try.

Re: Allowing ms-update on app-default, File blocking PE and therefore no windows updates

Remo — Thu, 24 Aug 2017 22:37:03 GMT

No, in this case I have set the fileblocking to log all

Re: Allowing ms-update on app-default, File blocking PE and therefore no windows updates

Remo — Fri, 25 Aug 2017 14:42:09 GMT

Not relevant in this topic, but if you ONLY want to allow windows updates and deny everything else towards the internet, you have to add crl.microsoft.com and www.microsoft.com as microsoft hosts two CRLs there.

--> do not add *.microsoft.com to your custom url category as this will also allow the "customer experience" microsoft analysis service/spyware to send out data...

Re: Allowing ms-update on app-default, File blocking PE and therefore no windows updates

HEscobar — Fri, 17 Mar 2023 14:58:03 GMT

I have a specific rule for the wsus server to only connect to Microsoft for Windows updates (Just like the one recommend here). The issue I have encounter so far is that it only downloads the definitions but won't download the actual update when I approve the KB. Is there a specific URL where it downloads the update. I added all the URLs Microsoft recommends to the allowlist.