Microsoft updates getting blocked by Firewall

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
1 accepted solution

Accepted Solutions

L4 Transporter

After raise to PANW TAC checking and the issue is actually ISP BGP routing issue. PANW TAC perform a packet capture and notice there is no drop packet in firewall then PANW TAC confirm that the issue is from ISP. Due to ISP BGP route the traffic to some ip that is not firewall resolve to. After ISP fix the routing issue then the issue is resolve. 

View solution in original post

8 REPLIES 8

Community Team Member

Hi @JiaXiang ,

 

It's not very clear how you've configured your policy.

For Windows Updates specifically, do you have a security policy in place for the application 'ms-update' ?

How is the traffic identified/blocked exactly ? Is the traffic blocked from a security profile perspective ?

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi Kiwi,

 

In the security policy I have allow above FQDN any service and any application but the log result is showing aged-out. When using outlook in office the outlook will have  (!)  mark.

L4 Transporter

User who is using Global protect or I try to test using mobile network to perform Windows update is fine. I think the problem is not in Windows firewall.

L4 Transporter

After raise to PANW TAC checking and the issue is actually ISP BGP routing issue. PANW TAC perform a packet capture and notice there is no drop packet in firewall then PANW TAC confirm that the issue is from ISP. Due to ISP BGP route the traffic to some ip that is not firewall resolve to. After ISP fix the routing issue then the issue is resolve. 

L2 Linker

This issue is a year old.  How were you dealing with wildcard FQDN's?  It's my understanding you cannot use them.  I'm trying to solve this very issue.

You can not use wildcard FQDNs (because an address object must be resolvable to a specific IP(s)), however above JiaXiang was using a URL filter which can be wildcarded as it matches a portion of a string within a HTTP-like request. URL filters only apply to URL requests (HTTP/HTTPS/various APIs on non-standard ports), FQDNs apply to any communication to an IP.

Ah, so my testing methodology was faulty (using ping to test).  Do you know if Microsoft Updates are URL requests?  I can easily re-create the test and simply web instead of ping.

 

L6 Presenter

Microsoft update does a HTTP request (port 80 to something like updates.microsoft.com) followed by multiple HTTPS requests (port 443) to various Microsoft domains and CDNs to download the actual patches. There may also be ping tests for reachability, I don't recall exactly.

  • 1 accepted solution
  • 11840 Views
  • 8 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!