09-14-2017 02:24 PM - edited 09-14-2017 03:01 PM
I am currently troubleshooting an issue on PAN-OS 8.0.4 regarding the ability for Windows 10 / Windows Server 2016 to update via Windows Update. Windows Update for Windows 7 is working fine, however any time I try to download updates on Windows 10 (Creators Update) it fails unless i add a the subnets below to exclude them from decryption. As the App-ID ms-update does not decrypt by default, I'm wondering if there has been a change in data stream which is causing some Windows Update traffic to be identified as ssl rather than ms-update.
Subnets excluded to get this to work: 64.4.0.0/18, 65.52.0.0/14
X.X.X.X-->64.4.54.18 76370000... 169 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
X.X.X.X-->65.55.252.202 59010000... 209 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Has anyone else seen this issue as of recently? I am trying to avoid opening up these entire subnets.
- Matt
