Windows Update Traffic (ms-update) being recognized as web-browsing

L2 Linker

Hi Everyone,

 

I have an issue that I haven't been able to resolve.  I have a small domain setup with a Windows Server Update Service that is located in a DMZ.  The machines that are in the inside network (trusted) are set up to pull their Windows updates from the server in the DMZ.  I have set up Group Policy to make this happen, and it works fine for all of my servers. 

 

The issue is that I have a Windows 10 machine that refuses to connect to the WSUS server. The same group policy is applied and when I look at Monitor, I can see attempts to connect to the server over port 8530 (default port), but the traffic is identified as web-browsing instead of ms-update.  

 

Since 8530 isn't a standard port for web-browsing, the traffic isn't allowed.  I know I could always set up an application override, but I shouldn't have to.  I cannot figure out why this particular machine's traffic is recognized as web-browsing instead of ms-update.

 

If anyone has any suggestions, I would like to hear them. 

 

Thanks
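
As an added example (not part of the original post and not Palo Alto Networks tooling): a short Python script that scans an exported traffic log for sessions to the WSUS server on port 8530 and lists the clients whose traffic was identified as something other than ms-update. The CSV column names, the addresses and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

WSUS_PORT = "8530"  # default WSUS port named in the post

# Constructed sample export; column names and addresses are assumptions,
# not values taken from the thread.
SAMPLE_LOG = """\
Source address,Destination address,Destination Port,Application,Action
10.0.0.11,192.0.2.10,8530,ms-update,allow
10.0.0.12,192.0.2.10,8530,ms-update,allow
10.0.0.50,192.0.2.10,8530,web-browsing,deny
10.0.0.50,192.0.2.10,8530,web-browsing,deny
10.0.0.50,198.51.100.7,443,ssl,allow
10.0.0.11,192.0.2.10,8530,incomplete,allow
"""

# App-ID values meaning "not identified yet", which is different from
# being identified as the wrong application.
UNDECIDED = {"incomplete", "insufficient-data"}


def misidentified_clients(log_text, wsus_ip, expected_app="ms-update"):
    """Return {source: {application: {action: count}}} for sessions to the
    WSUS server whose identified application is not the expected one."""
    hits = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Destination address"] != wsus_ip:
            continue  # not traffic to the WSUS server
        if row["Destination Port"] != WSUS_PORT:
            continue  # not the WSUS port
        app = row["Application"]
        if app == expected_app or app in UNDECIDED:
            continue
        hits[row["Source address"]][app][row["Action"]] += 1
    # Convert nested defaultdicts to plain dicts for clean output.
    return {src: {app: dict(acts) for app, acts in apps.items()}
            for src, apps in hits.items()}


if __name__ == "__main__":
    for src, apps in misidentified_clients(SAMPLE_LOG, "192.0.2.10").items():
        print(src, apps)
```

A result limited to a single source address, as in the sample, matches the situation described in the post: the servers are identified as ms-update while one client is not.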

Cyber Elite

Hello,

The PAN takes time to identify traffic; unfortunately, it's getting blocked prior to being inspected properly. Just create a new policy that allows web-browsing and ssl. Then set the services to http, https, and create a custom service for 8530-tcp.

 

Hope that makes sense.

 

Thanks for the reply. 

I ended up opening a case with support regarding this.  I sent them some packet captures, and they were able to replicate my issue. 

 

They are going to relay this information to their content team and have the signatures updated from ms-update.

Hello,

 

Did support fix this issue? I have the same issue too, where ms-update traffic is categorized as web-browsing and being denied. Please let me know.

 

Thanks!

I did work with support on this, and they did find that they were identifying the traffic incorrectly.  They made a change and released it as a part of their weekly content updates.  Since doing this, I haven't had an issue.

L2 Linker

Hi Everybody,

 

This issue popped up in my case as well. It was working before so I opened a case with support.

Solution from the engineer was to configure "Any" as the service.

 

Regards.
