Can't join Windows Updates server, application "not applicable"

informatiq
L1 Bithead

Hi!

I'm trying to connect the server to the Internet in order to download and install updates. My server is a Windows Server 2016, so I'm trying to reach Windows Updates servers.

In order to do that, I created a rule in the firewall:

[Image: Regle SRVACD WU.PNG]

The address group contains these addresses:

[Image: adresse.PNG]

To verify that my server can reach the Windows Update server, I checked the logs.

In the Application field I've got "not applicable":

[Image: Log.PNG]

Support says: "Not-applicable means that the Palo Alto device has received data that will be discarded because the port or service that the traffic is coming in on is not allowed, or there is no rule or policy allowing that port or service"

Here is an example of a detailed log:

[Image: Srv - WU not applicable trame.PNG]

Do you have any idea how to solve the problem?


Best regards,

Alexandre


Accepted Solutions
reaper
L7 Applicator

Those sessions' destination IPs are not matching the FQDN objects you created so the connection bypasses the security policy and hits the deny_all instead.

At this point, APP-ID is not going to try to identify the application (as the session is getting discarded by policy anyway), so the app is labeled as not applicable.

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374



All Replies
TranceforLife
L6 Presenter

Your traffic is not hitting your policy. Instead it is hitting the All_Deny rule.

TranceforLife
L6 Presenter

Taking "off" FQDNs from the policy should allow you to get updates. 

 

vsys_remo
Cyber Elite

You could use a custom URL category where you enter the FQDNs which you now have configured as address objects. After that, remove all the address objects from your security policy and add the custom URL category to this rule. (No URL filtering license required.)

This way it should be able to limit the access to only the Microsoft Update Servers while not having problems with FQDN objects (where it is, especially with CDNs, likely that the firewall does not resolve the FQDN to the same IP as your internal server).

informatiq
L1 Bithead

Thanks all. The FQDN was the problem!

I will create address objects, and I will see which IPs are used, to modify the rule.

Have a good day! Thanks!

vsys_remo
Cyber Elite

In this case I would not recommend doing that. Create the rule either only application based as @TranceforLife proposed or limit it by using a custom URL category.

 

But because Microsoft distributes the updates with a CDN, you will most likely end up changing your security policy often (adding new IPs regularly, deleting old ones, and not forgetting to troubleshoot every time to find out which IPs really belong to these FQDNs and which ones are just traffic you don't want to allow).
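
Added example, not part of any poster's reply and not Palo Alto Networks code: a small triage script for the mismatch described in the replies above, which sorts denied "not applicable" sessions into those explained by the firewall and the server resolving the same FQDN to different IPs and those that are unrelated traffic. The hostname, the rule name `SRV-WU`, the IP addresses and the simplified log columns are all constructed assumptions; only `deny_all` and the "not applicable" label come from the thread.

```python
import csv
import io

# Constructed sample data: documentation IP ranges, a hypothetical hostname and
# rule name. The column layout is simplified and is not a PAN-OS log export.
FW_RESOLVED = {"update.example.test": {"198.51.100.10", "198.51.100.11"}}
CLIENT_RESOLVED = {
    "update.example.test": {"198.51.100.11", "203.0.113.25", "203.0.113.26"},
}
TRAFFIC_LOG = """\
src,dst,dport,app,action,rule
10.0.0.5,198.51.100.11,443,ssl,allow,SRV-WU
10.0.0.5,203.0.113.25,443,not-applicable,deny,deny_all
10.0.0.5,203.0.113.26,80,not-applicable,deny,deny_all
10.0.0.5,192.0.2.77,445,not-applicable,deny,deny_all
"""


def resolution_drift(fw, client):
    """Per FQDN, the IPs the server was handed that the firewall object lacks."""
    drift = {}
    for name, ips in client.items():
        missing = ips - fw.get(name, set())
        if missing:
            drift[name] = sorted(missing)
    return drift


def explain_denies(log_text, fw, client):
    """Classify denied 'not-applicable' sessions by likely cause."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "deny" or row["app"] != "not-applicable":
            continue
        # FQDNs the server resolved to this destination but the firewall did not.
        names = [n for n, ips in client.items()
                 if row["dst"] in ips and row["dst"] not in fw.get(n, set())]
        cause = "fqdn-mismatch" if names else "unrelated"
        findings.append((row["dst"], row["dport"], cause, names[0] if names else None))
    return findings


if __name__ == "__main__":
    print(resolution_drift(FW_RESOLVED, CLIENT_RESOLVED))
    for finding in explain_denies(TRAFFIC_LOG, FW_RESOLVED, CLIENT_RESOLVED):
        print(finding)
```

Sessions reported as `unrelated` are the ones that should stay denied; widening the rule by IP to cover the `fqdn-mismatch` set is the maintenance burden the reply above warns about.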

TranceforLife
L6 Presenter

Hey,

 

Totally agreed. Anyway, sometimes FQDNs just simply fail to refresh. 

informatiq
L1 Bithead

So I created a URL category, and it works! I have "deny" for some IPs, but I can get updates!

Thanks all!
