Instead of creating several address objects for the many MS update servers available, and then creating a group to plug into a security policy that allows my WSUS server to get updates, is there a way to use wildcards in the address objects? MS updates lists multiple locations available for updates:
This list could be condensed down to perhaps four address objects:
which could be put into an address group and use the group in the security policy destination. Then I only have to move objects into and out of the group as MS changes and I don't have to worry about changing a rule. If they add or remove servers within the wildcard domains, then I don't need to make any changes.
I assume the following is what you are trying to do:
When you log into the Web UI:
Objects----> Addresses --->Click Add
You would like to add the FQDN as a wildcard address.
Type: FQDN *.windowsupdate.microsoft.com
SEE ATTACHMENT :- wildcard.PNG
The above FQDN syntax is not valid and cannot be used.
If this is what you are trying to do, Wildcards in address objects cannot be used (at this time).
You would have to create multiple addresses and encapsulate them in a group and bind it to the policy.
You can use those wildcards in the URL filtering profile and can have them in the explicit allow/block list. The URL filtering profile can then be applied to the policy.
Go to OBJECTS-->URL Filtering Profile
List the following URLs in the Allow list:
Please see the attachment: url-filtering.PNG
This way you can use the Wildcards BUT to only ALLOW AND DENY.
Let me know if that helps.
A custom url-filtering along with only allow appid:ms-update (and set service:default-application) should do it.
A sidenote is that SSL decryption doesn't work for MS update traffic (since they use their own built-in certs and don't allow any other, at least if you use WSUS or such), so I'm not sure how widely open the above rule might be in reality.
I'm not sure how you can limit it down further in a good way. Perhaps adding dstip:126.96.36.199/24, but these IPs I guess might differ from time to time along with being different depending on when and from where you query the DNS.
Edit: Seems it was true regarding various IPs for windowsupdate... so make that dstip:188.8.131.52/16 :smileysilly:
I used a Custom URL Category along with ms-update application filtering, but it was not enough to just list the wildcard versions of the FQDNs; I also had to list the FQDN without the *.
i.e. This is what worked for me with PAN-OS 4.1.10
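The behaviour described in the reply above (and in the earlier reply that suggested putting wildcards in the URL filtering allow list) is that a `*.` entry covers hosts beneath the domain but not the bare domain itself, so the plain FQDN needs its own entry. The small matcher below is an added illustration, not PAN-OS code and not the poster's configuration; it assumes a left-anchored `*.` wildcard semantics (at least one extra label to the left of the suffix) and uses the one FQDN named in the thread plus a constructed `.invalid` placeholder. Its `uncovered_apexes` check reports the gap before the category is pushed to a policy.

```python
"""Illustrative allowlist matcher for a custom URL category (added example).

Not PAN-OS code. Assumed semantics: `*.example.com` matches any host with
at least one label left of `.example.com`; a plain entry matches only
that exact host. All sample hostnames below are constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def host_matches(entry: str, host: str) -> bool:
    """Return True when `host` is covered by the allowlist `entry`."""
    entry = entry.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]  # ".example.com": the dot prevents "evilexample.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def url_allowed(allowlist: list[str], url: str) -> bool:
    """Check the hostname of `url` against every entry in the allowlist."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    return any(host_matches(entry, host) for entry in allowlist)


def uncovered_apexes(allowlist: list[str]) -> list[str]:
    """List bare domains implied by wildcard entries that no plain entry covers.

    This is the gap the reply above hit: `*.windowsupdate.microsoft.com`
    alone leaves `windowsupdate.microsoft.com` outside the allow list.
    """
    plain = {e.lower().rstrip(".") for e in allowlist if not e.startswith("*.")}
    return sorted(
        e[2:].lower().rstrip(".")
        for e in allowlist
        if e.startswith("*.") and e[2:].lower().rstrip(".") not in plain
    )


# Constructed allowlists: one entry from the thread plus a placeholder domain.
WILDCARD_ONLY = ["*.windowsupdate.microsoft.com", "*.example-cdn.invalid"]
COMPLETE = WILDCARD_ONLY + ["windowsupdate.microsoft.com", "example-cdn.invalid"]

if __name__ == "__main__":
    for url in (
        "http://windowsupdate.microsoft.com/",
        "http://dl.windowsupdate.microsoft.com/x",
    ):
        print(url, url_allowed(WILDCARD_ONLY, url), url_allowed(COMPLETE, url))
    print("missing bare entries:", uncovered_apexes(WILDCARD_ONLY))
```

Run `uncovered_apexes` over the category before committing it: an empty result means every wildcard has its matching bare entry, which is what the poster had to add by hand.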
If you want to limit which FTP sites should be possible to visit, you need to use FQDN or set up a dynamic address object which you then "feed" by a script running on some server (to inform the PA device which IP addresses this current address object/group should point at).