Block All Internet Web-Browsing But Allow MS_UPDATES


L1 Bithead

For our isolated network I need to block all devices from using the internet, but I need to access services like MS Updates, Sophos, etc. that require SSL for a couple of servers. When applying policies with the required application, these require SSL/web-browsing.

We are having trouble finding a workaround.

The IPs are dynamic, so nailing down the exact IPs seems futile. We tried to apply the URLs or wildcard addresses for these services in a URL group in the policy, but this still allows internet to these servers.

 

Any suggestions are appreciated.

Using Panorama 10.1.6 with firewall PA-440 and other sites with PA-410

Accepted Solution

L4 Transporter

Hello, you can create a policy allowing the apps ssl, web-browsing and ms-update (Microsoft Update uses ports 80/443), and create a custom URL category with the allowed Microsoft Update subdomains; put that URL category in the security policy.

Microsoft Update subdomains/FQDNs:

https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deplo...

With that, only allow ssl/https and the ms-update app to the destinations of the Microsoft Update services. You can do the same for Sophos.

Of course it will allow the servers access to the Internet, but only to the destinations in the custom URL category, and nothing else. Additionally, to protect them, add security profiles to the policy. Then, with another rule, close off all the rest of the servers' access: a total deny of all the rest, with the policy for ms-update, web-browsing and ssl only to the URLs in question (Microsoft Update and Sophos) placed above it.

 

Cheers

High Sticker

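The accepted answer in Panorama "set" commands, as an added example that is not the poster's own configuration. It is written for the Panorama 10.1 / PA-440 setup named in the question; the device-group name isolated-net, the zone names trust and untrust, the address object update-servers with its subnet, the rule and category names, and the three Microsoft Update FQDNs are all assumptions (check the FQDN list against the Microsoft page linked above and add the Sophos hosts the same way). The lines starting with # are annotations, not CLI input.

```panos
configure

# Custom URL category holding only the update hosts. "*." entries match
# any subdomain; the list below is an assumption, verify it against
# the linked Microsoft documentation before use.
set shared profiles custom-url-category ms-update-urls type "URL List"
set shared profiles custom-url-category ms-update-urls list [ *.windowsupdate.com *.update.microsoft.com *.delivery.mp.microsoft.com ]

# Address object for the few servers allowed to reach the update services
# (subnet is an assumption).
set shared address update-servers ip-netmask 10.10.10.0/28

# Allow rule: the three apps the answer names, and ONLY when the
# destination URL falls in the custom category. application-default keeps
# ssl/web-browsing/ms-update on their standard ports (443/80).
set device-group isolated-net pre-rulebase security rules allow-ms-update from trust to untrust source update-servers destination any source-user any category ms-update-urls application [ ms-update ssl web-browsing ] service application-default action allow
set device-group isolated-net pre-rulebase security rules allow-ms-update log-end yes

# Security profiles on the allow rule, as the answer recommends (using the
# predefined strict/default profiles; swap in your own profile group).
set device-group isolated-net pre-rulebase security rules allow-ms-update profile-setting profiles vulnerability strict anti-spyware strict virus default

# Catch-all deny for everything else from the isolated network to the
# Internet, logged so blocked update traffic shows up in the traffic log.
set device-group isolated-net pre-rulebase security rules deny-internet from trust to untrust source any destination any source-user any category any application any service any action deny log-end yes
move device-group isolated-net pre-rulebase security rules deny-internet bottom

commit
```

After the Panorama commit, push the device group to the PA-440/PA-410 firewalls. Two checks worth doing once it is in place: in Monitor > Traffic, filter on the deny-internet rule from an update server and confirm that any blocked update traffic shows an app of ssl or web-browsing with a URL outside the category (that means the FQDN list is incomplete, not that the allow rule is wrong); and remember that without SSL decryption the firewall categorizes HTTPS by the TLS SNI and certificate CN, so the category entries must match those names rather than any redirect targets the client follows later.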

3 REPLIES


Thank you for the quick reply. I will be working on this today and let you know how it goes. Thank you!

Worked great! Much appreciated.
