https://live.paloaltonetworks.com/t5/general-topics/windows-server-2012-ms-update/m-p/7927#M5847 <HTML><HEAD></HEAD><BODY><P>We are using WSUS to manage our Windows updates. It's hosted on Windows Server 2012 and runs smoothly.</P><P></P><P>We recently added a Windows Server 2012 in DMZ and pointed it to our WSUS server:</P><P></P><P>server --- DMZ --- PA2020 --- LAN --- WSUS server</P><P></P><P>The PA2020 does not recognize specific WSUS traffic to the WSUS server.</P><P></P><P>That is: most detecting/reporting passes fine as application ms-sms.</P><P>The actual downloading of updates is not recognized as ms-update, but as web-browsing. That traffic is on the non-default http port 8530 (this is in fact the default port voor WSUS). Our other servers in DMZ (Windows Server 2008 R2) update fine and their traffic to the WSUS server is identified as expected (ms-update).</P><P></P><P>We are on app definition version 391-1924.</P><P></P><P>Anyone else seeing similar behaviour ?</P></BODY></HTML> Mon, 09 Sep 2013 12:42:30 GMT dieter_b 2013-09-09T12:42:30Z https://live.paloaltonetworks.com/t5/general-topics/windows-server-2012-ms-update/m-p/7927#M5847 <HTML><HEAD></HEAD><BODY><P>We are using WSUS to manage our Windows updates. It's hosted on Windows Server 2012 and runs smoothly.</P><P></P><P>We recently added a Windows Server 2012 in DMZ and pointed it to our WSUS server:</P><P></P><P>server --- DMZ --- PA2020 --- LAN --- WSUS server</P><P></P><P>The PA2020 does not recognize specific WSUS traffic to the WSUS server.</P><P></P><P>That is: most detecting/reporting passes fine as application ms-sms.</P><P>The actual downloading of updates is not recognized as ms-update, but as web-browsing. That traffic is on the non-default http port 8530 (this is in fact the default port voor WSUS). Our other servers in DMZ (Windows Server 2008 R2) update fine and their traffic to the WSUS server is identified as expected (ms-update).</P><P></P><P>We are on app definition version 391-1924.</P><P></P><P>Anyone else seeing similar behaviour ?</P></BODY></HTML> Mon, 09 Sep 2013 12:42:30 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-server-2012-ms-update/m-p/7927#M5847 dieter_b 2013-09-09T12:42:30Z https://live.paloaltonetworks.com/t5/general-topics/windows-server-2012-ms-update/m-p/7928#M5848 <HTML><HEAD></HEAD><BODY><P>Can you please report this mis-identification to Support:</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-5336">How to Validate and Report Application Misidentification</A></P></BODY></HTML> Mon, 09 Sep 2013 12:56:52 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-server-2012-ms-update/m-p/7928#M5848 UhMayYeah 2013-09-09T12:56:52Z https://live.paloaltonetworks.com/t5/general-topics/windows-server-2012-ms-update/m-p/7929#M5849 <HTML><HEAD></HEAD><BODY><P>That's a lot of work for an issue thay may or may not exist...</P><P>If others report the same findings, I will properly report it.</P><P></P><P>However, in your howto it's not clear where that report should go: here in the thread or sending it to support (mail ??)</P></BODY></HTML> Mon, 09 Sep 2013 13:54:39 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-server-2012-ms-update/m-p/7929#M5849 dieter_b 2013-09-09T13:54:39Z https://live.paloaltonetworks.com/t5/general-topics/windows-server-2012-ms-update/m-p/7930#M5850 <HTML><HEAD></HEAD><BODY><P>The document enlists all the steps to be performed before opening case with support.</P><P>In most of the case, PCAPs from <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Windows Server 2012 and <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Windows Server 2008 R2</SPAN></SPAN> should help in validating the application misidentification.</P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Traffic logs and <STRONG>show session id &lt;id&gt;</STRONG> o/p&nbsp; from working and nonworking scenario would help in validating the mis-id.</SPAN></P><P></P><P></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P></BODY></HTML> Mon, 09 Sep 2013 20:56:40 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-server-2012-ms-update/m-p/7930#M5850 UhMayYeah 2013-09-09T20:56:40Z https://live.paloaltonetworks.com/t5/general-topics/windows-server-2012-ms-update/m-p/7931#M5851 <HTML><HEAD></HEAD><BODY><P>I have found the same issue.&nbsp; Some of our Admins spun up 2012 WSUS clients in a DMZ and the traffic is not identified.&nbsp; The default port is 8530 as dieterb reported.&nbsp; I will just use an app-override to cope.</P><P></P><P>Cheers,</P><P>Mike</P></BODY></HTML> Thu, 02 Jan 2014 17:13:11 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-server-2012-ms-update/m-p/7931#M5851 msullivan 2014-01-02T17:13:11Z https://live.paloaltonetworks.com/t5/general-topics/windows-server-2012-ms-update/m-p/7932#M5852 <HTML><HEAD></HEAD><BODY><P>You could always report it without creating a case if you want to just supply basic info to the application team:</P><P><A href="http://researchcenter.paloaltonetworks.com/submit-an-application/">http://researchcenter.paloaltonetworks.com/submit-an-application/</A></P><P></P><P>That link allows you to submit an app along with your company and email so the content team can get in touch if they need more info. If you have a packet capture, even better. If not, the content team may still be able to redefine that traffic. </P><P></P><P>Hope this helps,</P><P>Greg</P></BODY></HTML> Thu, 02 Jan 2014 17:22:17 GMT https://live.paloaltonetworks.com/t5/general-topics/windows-server-2012-ms-update/m-p/7932#M5852 gwesson 2014-01-02T17:22:17Z