04-19-2012 02:04 PM
Instead of creating several address objects for the many MS update servers available, and then creating a group to plug into a security policy that allows my WSUS server to get updates, is there a way to use wildcards in the address objects? MS updates lists multiple locations available for updates:
This list could be condensed down to perhaps four address objects:
which could be put into an address group and use the group in the security policy destination. Then I only have to move objects into and out of the group as MS changes and I don't have to worry about changing a rule. If they add or remove servers within the wildcard domains, then I don't need to make any changes.
Thanks,
Bart
04-19-2012 03:19 PM
Hi Bart,
I assume the following is what you are trying to do:-
When you log into the WEB UI:-
Objects ---> Addresses ---> Click Add
You would like to add the FQDN as a wildcard address.
Name:- testobject
Type: FQDN *.windowsupdate.microsoft.com
SEE ATTACHMENT :- wildcard.PNG
The above FQDN syntax is not valid and cannot be used.
If this is what you are trying to do, Wildcards in address objects cannot be used (at this time).
You would have to create multiple addresses and encapsulate them in a group and bind it to the policy.
Regards,
Parth
04-19-2012 03:30 PM
Yes, I had tried that already and discovered I couldn't do it. I'm wondering if there is any other way to accomplish this.
04-19-2012 04:16 PM
Hi Bart,
You can use those wildcards in the URL filtering profile and can have them in the Explicit allow/block list. The URL filtering profile can then be applied to the policy.
Go to OBJECTS --> URL Filtering Profile
List the following URLs in the Allow list:-
*.windowsupdate.microsoft.com
*.update.microsoft.com
*.download.windowsupdate.com
*.windowsupdate.com
Please see the attachment :- url-filtering.PNG
This way you can use the wildcards BUT only to ALLOW AND DENY.
Let me know if that helps.
Regards,
Parth
04-19-2012 04:27 PM
Thanks,
I had looked at that before writing the post and was wondering if that wouldn't work. I'll give it a try.
04-20-2012 12:40 AM
A custom url-filtering along with only allow appid:ms-update (and set service:default-application) should do it.
A sidenote is that SSL decryption doesn't work for MS update traffic (since they use their own built-in certs and don't allow any other, at least if you use WSUS or such), so I'm not sure how widely open the above rule might be in reality.
I'm not sure how you can limit it down further in a good way. Perhaps adding dstip:65.55.27.0/24, but these IPs I guess might differ from time to time, along with being different depending on when and from where you query the DNS.
Edit: Seems it was true regarding various IPs for windowsupdate... so make that dstip:65.55.0.0/16 :smileysilly:
04-23-2013 04:00 PM
I used a Custom URL Category along with ms-update application filtering, but it was not enough to just list the wildcard versions of the FQDNs; I also had to list the FQDN without the *.
i.e. This is what worked for me with PANOS 4.1.10:
windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
update.microsoft.com
*.update.microsoft.com
download.windowsupdate.com
*.download.windowsupdate.com
windowsupdate.com
*.windowsupdate.com
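The finding above, that a wildcard entry does not cover the bare FQDN, as an added Python example that is not from the thread or from PAN-OS: it applies that matching rule to a URL and audits a category list for wildcards that lack their bare counterpart. The matching semantics (`*.domain` matches only hosts with at least one label in front of `domain`) are an assumption modelled on the post, not the firewall's actual implementation.

```python
from __future__ import annotations
from urllib.parse import urlsplit


def host_matches(host: str, entry: str) -> bool:
    """True if `host` is covered by one custom URL category entry.

    Assumed semantics, modelled on the post rather than PAN-OS internals:
    '*.example.com' matches hosts with at least one label before
    'example.com' but not 'example.com' itself; a plain entry matches only
    that exact hostname. Case and a trailing dot are ignored.
    """
    host, entry = host.lower().rstrip("."), entry.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]  # '.example.com', so 'evilexample.com' cannot match
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def allowed_by_category(url: str, entries: list[str]) -> bool:
    """True if the URL's hostname is matched by any entry in the category."""
    host = urlsplit(url).hostname or ""
    return any(host_matches(host, e) for e in entries)


def missing_bare_entries(entries: list[str]) -> list[str]:
    """Bare domains that a wildcard implies but the category does not list.

    Each result is a hostname the category would NOT allow: the exact gap
    the post hit when listing only the '*.' forms.
    """
    norm = [e.lower().rstrip(".") for e in entries]
    bare = {e for e in norm if not e.startswith("*.")}
    return sorted(e[2:] for e in norm if e.startswith("*.") and e[2:] not in bare)


# Constructed sample: the wildcard-only list that was not enough on its own.
WILDCARD_ONLY = [
    "*.windowsupdate.microsoft.com",
    "*.update.microsoft.com",
    "*.download.windowsupdate.com",
    "*.windowsupdate.com",
]

# The working list from the post: every wildcard paired with its bare FQDN.
COMPLETE = WILDCARD_ONLY + [
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "download.windowsupdate.com",
    "windowsupdate.com",
]
```

Running `missing_bare_entries(WILDCARD_ONLY)` returns the four bare FQDNs the post had to add, and the same call on `COMPLETE` returns an empty list.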
05-03-2013 08:29 AM
Yes, this works, but only for HTTP. How to make this work for FTP?
05-04-2013 03:06 PM
If you want to limit which FTP sites should be possible to visit, you need to use FQDN or set up a dynamic address object which you then "feed" by a script running on some server (to inform the PA device which IP addresses this current address object/group should point at).