Allowing Microsoft and Java Updates



L1 Bithead

I'm trying to allow downloads of .exe and PE files for updates but continue to block users from downloading those file types from other sources.  Not sure what the best way to do this is.

If I build a file filter with 3 rules like:

1. allow application ms-update

2. block .exe

3. allow any

Are these rules evaluated in sequential order? Or will the block .exe override the allow ms-update?

If I change rule 1 to allow application ms-update + allow .exe

Would those variables (the app and the filetype) be And'ed or Or'd together?

Another way I've tried to do this was to allow the application ms-updates in the firewall prior to URL filtering, but I get warnings that I need web-browsing enabled for the rule to work.  If I enable web-browsing in the same firewall rule I start to see browsing passing that rule instead of my service-http rules, although some traffic still gets down to the normal URL rules.

So what's the best way to go about this?




L4 Transporter

In your file block profile you can add allow download for application MS-Update above your block and you will be able to download the updates. Java may be a little harder as there is no application in the file blocking profile. You may want to contact your SE to submit a feature request to allow Java-updates as an application for file blocking.

You can also make a rule above your current rule with no file block profile allow web-browsing to Sun's servers to get the downloaded files.

If I change rule 1 to allow application ms-update + allow .exe (this would be 'and')


I'm running version 4.0.2.

I continue to have problems with ms-updates being blocked, specifically Windows PE files. I see the block in the Data Filtering log, so from the details of the block log I see that it is passing the URL filter with the appropriate file blocking ruleset. I'm not sure if the file blocking builder screen is incomplete or not, but I find it strange that you should be able to sort the rules by name or other rather than the sequential order drag-and-drop mechanism of the other firewall rule screens. I've named my rules alphabetically and sorted by name (a-z). They appear on the main File Blocking screen in the correct order. I've also looked at the Config Audit screen to see if they were ordered properly in the config file. They were, but for some reason, even though the log shows that the application type was ms-update and the file was a Win PE file, it was still denied. I've even separated all file types into their own rules (i.e. ms-update + PE, ms-update + .exe) and combined them, both with the same result.

Any suggestions or should I start a ticket?

I'm trying to achieve the same goal; did you ever get it resolved? A file blocking profile with allow EXE from ms-update etc. does not work. I could use FQDN; however, I was wondering what you managed to find out. Thanks.

PS, on PANO 4.0.5


Have you checked the log what file type has been blocked? Have you tried to allow MS-Update as the app and allow all file types to see what file type actually we have allowed?



I never could get it to work the way I was thinking in my head, but I did get it to work an easier way.

Rather than allowing at the file level, I am allowing at the app level.
So under Policies->Security as a rule above my user http/https rules I have a rule called updates.
In that rule I allow the applications adobe-update, java-update, kaspersky, ms-update with the service type http/https.

I don't do any file level blocking in that rule.

Under the above updates rule I have my normal user based URL filter with http/https which contains the block to .exe types.
The application for the user based filter is any.

The Palo Alto is smart enough to be able to decipher these update applications, and so far all is working appropriately.

Let me know if this helps..
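The working layout from the post above (an app-level "updates" rule ordered above the user rule that carries the executable block), written out as PAN-OS CLI set commands. This is an added example, not configuration from the original poster; the zone names trust/untrust, the profile name block-executables and the exact option spellings are assumptions to be checked against your own PAN-OS version.

```text
# Added example (not from the original post). Zone names, profile name and
# option spellings are assumptions; verify them on your PAN-OS version.
configure

# File blocking profile that only the user browsing rule will carry:
# block downloaded Windows executables (exe and PE types) from any application.
set profiles file-blocking block-executables rules deny-exe application any file-type [ exe pe ] direction download action block

# Rule "updates": allow the updater applications on http/https with NO file
# blocking profile attached, so the PE/.exe files the updaters fetch are not
# touched by the deny-exe rule. This rule must sit ABOVE the user rule.
set rulebase security rules updates from trust to untrust source any destination any
set rulebase security rules updates application [ adobe-update java-update kaspersky ms-update ]
set rulebase security rules updates service [ service-http service-https ]
set rulebase security rules updates action allow

# Rule "user-web": normal user browsing, application any, carrying the
# block-executables profile so everything else still loses .exe downloads.
set rulebase security rules user-web from trust to untrust source any destination any
set rulebase security rules user-web application any
set rulebase security rules user-web service [ service-http service-https ]
set rulebase security rules user-web action allow
set rulebase security rules user-web profile-setting profiles file-blocking block-executables

# Security rules are first-match, so ordering is what makes this work:
# make sure "updates" is evaluated before "user-web".
move rulebase security rules updates before user-web

commit
```

After committing, confirm in the Traffic log that update sessions hit the "updates" rule (application ms-update, java-update, etc.) while ordinary browsing still lands on "user-web"; if a download is still denied, the Data Filtering log shows which rule and file type matched.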
