https://live.paloaltonetworks.com/t5/general-topics/windows-update-issues-windows-10/m-p/176609#M55206 <P>I am currently troubleshooting an issue on PAN-OS 8.0.4 regarding the ability for Windows 10 / Windows Server 2016 to update via Windows Update. &nbsp;Windows Update for Windows 7 is working fine, however any time I try to download updates&nbsp;on Windows 10 (Creators Update) it fails unless i add a the&nbsp;subnets&nbsp;below to exclude them from decryption. &nbsp;As the App-ID <STRONG>ms-update</STRONG> does not decrypt by default, I'm wondering if there has been a change in data stream which is causing some Windows Update traffic to be identified as <STRONG>ssl</STRONG> rather than <STRONG>ms-update</STRONG>. &nbsp;</P><P>&nbsp;</P><P>Subnets excluded to get this to work:&nbsp;64.4.0.0/18,&nbsp;65.52.0.0/14</P><P>&nbsp;</P><P><EM><FONT size="1 2 3 4 5 6 7">X.X.X.X--&gt;64.4.54.18 76370000... 169 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 </FONT></EM><BR /><EM><FONT size="1 2 3 4 5 6 7">X.X.X.X--&gt;65.55.252.202 59010000... 209 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA </FONT></EM></P><P>&nbsp;</P><P>Has anyone else seen this issue as of recently? &nbsp;I am trying to avoid opening up these entire subnets.</P><P>&nbsp;</P><P>- Matt</P> Thu, 14 Sep 2017 22:01:19 GMT mlinsemier 2017-09-14T22:01:19Z https://live.paloaltonetworks.com/t5/general-topics/windows-update-issues-windows-10/m-p/176609#M55206 <P>I am currently troubleshooting an issue on PAN-OS 8.0.4 regarding the ability for Windows 10 / Windows Server 2016 to update via Windows Update. &nbsp;Windows Update for Windows 7 is working fine, however any time I try to download updates&nbsp;on Windows 10 (Creators Update) it fails unless i add a the&nbsp;subnets&nbsp;below to exclude them from decryption. &nbsp;As the App-ID <STRONG>ms-update</STRONG> does not decrypt by default, I'm wondering if there has been a change in data stream which is causing some Windows Update traffic to be identified as <STRONG>ssl</STRONG> rather than <STRONG>ms-update</STRONG>. &nbsp;</P><P>&nbsp;</P><P>Subnets excluded to get this to work:&nbsp;64.4.0.0/18,&nbsp;65.52.0.0/14</P><P>&nbsp;</P><P><EM><FONT size="1 2 3 4 5 6 7">X.X.X.X--&gt;64.4.54.18 76370000... 169 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 </FONT></EM><BR /><EM><FONT size="1 2 3 4 5 6 7">X.X.X.X--&gt;65.55.252.202 59010000... 209 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA </FONT></EM></P><P>&nbsp;</P><P>Has anyone else seen this issue as of recently? &nbsp;I am trying to avoid opening up these entire subnets.</P><P>&nbsp;</P><P>- Matt</P> Thu, 14 Sep 2017 22:01:19 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-update-issues-windows-10/m-p/176609#M55206 mlinsemier 2017-09-14T22:01:19Z https://live.paloaltonetworks.com/t5/general-topics/windows-update-issues-windows-10/m-p/179750#M55722 <P>Perhaps this was fixed in 8.0.5</P><P>&nbsp;</P><P>There is a fix listed</P><P>&nbsp;</P><P>PAN-77171</P><P>Fixed an issue where the firewall discarded sessions that required the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher for SSL decryption</P> Tue, 03 Oct 2017 06:00:23 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-update-issues-windows-10/m-p/179750#M55722 PhilH 2017-10-03T06:00:23Z https://live.paloaltonetworks.com/t5/general-topics/windows-update-issues-windows-10/m-p/180048#M55800 <P>Add these url`s to no-decrypt:</P><P>&nbsp;</P><P>*.mp.microsoft.com/<BR />*.microsoft.com<BR />fe2.w2.microsoft.com</P> Wed, 04 Oct 2017 12:52:34 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-update-issues-windows-10/m-p/180048#M55800 JoneSkj 2017-10-04T12:52:34Z