Cyber Elite

@bhelman,

URL categories will never work for limiting ICMP requests. That simply isn't how ICMP functions and there would be no way for your firewall to know that you're attempting to send ICMP requests to "microsoft.com" because your machine will just send the request to the resolved IP address. The only way to accomplish that specific task would be FQDN objects and hoping that the firewall and the client actually keep the resolved address in check.


That addressed, the following list will function for getting Microsoft updates as a custom URL category. It may not be complete, likely isn't complete, and can change at any time.

<entry name="Microsoft Updates">
  <list>
    <member>windowsupdate.microsoft.com/</member>
    <member>*.windowsupdate.microsoft.com/</member>
    <member>update.microsoft.com/</member>
    <member>*.update.microsoft.com/</member>
    <member>*.windowsupdate.com/</member>
    <member>*.download.windowsupdate.com/</member>
    <member>download.microsoft.com/</member>
    <member>*.download.microsoft.com/</member>
    <member>wustat.windows.com/</member>
    <member>ntservicepack.microsoft.com/</member>
    <member>stats.microsoft.com/</member>
    <member>amupdatedl.microsoft.com/</member>
    <member>*.events.data.microsoft.com/</member>
    <member>*.data.microsoft.com/</member>
    <member>smartscreen-prod.microsoft.com/</member>
  </list>
  <description>Used to account for Microsoft Update Traffic</description>
  <type>URL List</type>
</entry>


You can then set up a policy that uses that category and allows app-ids [ ms-update ssl ocsp web-browsing ] with the category applied. This would allow updates to function, but it should prevent normal browsing access.


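The post's list mixes bare hosts (`update.microsoft.com/`) with wildcard forms (`*.update.microsoft.com/`) because a leading `*` in a URL list entry matches one or more subdomain tokens and does not match the apex host on its own. The script below is an added example, not code from the post or from Palo Alto Networks: it models that token rule in a simplified form (an assumption to verify against your PAN-OS release's documentation) and runs a set of constructed sample URLs through the category as written, so you can see which hosts the policy would admit and which it would leave to the default block. The sample URLs are constructed for illustration, not taken from the post.

```python
"""Check candidate URLs against a PAN-OS style custom URL category list.

Added example, not from the original post or from Palo Alto Networks.
Assumed (simplified) matching model: a host is split into dot-separated
tokens, a literal token matches itself, and a '*' token matches one or more
tokens.  Under that rule '*.windowsupdate.com/' matches
'download.windowsupdate.com' but not the bare 'windowsupdate.com', which is
why the post lists both 'update.microsoft.com/' and '*.update.microsoft.com/'.
"""
from urllib.parse import urlsplit

# The category members exactly as listed in the post.
MICROSOFT_UPDATES = [
    "windowsupdate.microsoft.com/",
    "*.windowsupdate.microsoft.com/",
    "update.microsoft.com/",
    "*.update.microsoft.com/",
    "*.windowsupdate.com/",
    "*.download.windowsupdate.com/",
    "download.microsoft.com/",
    "*.download.microsoft.com/",
    "wustat.windows.com/",
    "ntservicepack.microsoft.com/",
    "stats.microsoft.com/",
    "amupdatedl.microsoft.com/",
    "*.events.data.microsoft.com/",
    "*.data.microsoft.com/",
    "smartscreen-prod.microsoft.com/",
]


def _match_tokens(pat, toks):
    """Recursive token matcher: '*' consumes one or more host tokens."""
    if not pat:
        return not toks
    if pat[0] == "*":
        return any(_match_tokens(pat[1:], toks[i:]) for i in range(1, len(toks) + 1))
    return bool(toks) and pat[0] == toks[0] and _match_tokens(pat[1:], toks[1:])


def host_matches(pattern: str, host: str) -> bool:
    """True if `host` matches a host pattern such as '*.example.com'."""
    return _match_tokens(pattern.lower().split("."), host.lower().rstrip(".").split("."))


def entry_matches(entry: str, url: str) -> bool:
    """True if a URL list entry ('host/' or 'host/path') covers `url`."""
    pat_host, _, pat_path = entry.partition("/")
    parts = urlsplit(url if "://" in url else "https://" + url)
    if not host_matches(pat_host, parts.hostname or ""):
        return False
    # A trailing '/' in the entry (pat_path == '') covers every path on the host.
    return (parts.path or "/").startswith("/" + pat_path)


def category_hits(members, url):
    """Members of the category that match `url`, in list order."""
    return [m for m in members if entry_matches(m, url)]


def uncovered(members, urls):
    """URLs no member matches; these fall through to the default action."""
    return [u for u in urls if not category_hits(members, u)]


# Constructed sample URLs (not from the post): a few shaped like update
# traffic, plus hosts deliberately outside the list.
SAMPLE_URLS = [
    "https://download.windowsupdate.com/c/msdownload/update/x.cab",
    "http://windowsupdate.com/",                    # apex: no entry covers it
    "https://tlu.dl.delivery.mp.microsoft.com/",    # delivery host not listed
    "https://www.microsoft.com/",                   # ordinary browsing
    "https://smartscreen-prod.microsoft.com/api/",
    "https://v10.events.data.microsoft.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        hits = category_hits(MICROSOFT_UPDATES, u)
        print(f"{'ALLOW' if hits else 'no match':8} {u}  {hits}")
    print("uncovered:", uncovered(MICROSOFT_UPDATES, SAMPLE_URLS))
```

Run it as-is to print an allow/no-match line per sample URL; feed it real hosts from your firewall's URL filtering log (the `url` field of denied sessions from update clients) to find entries the list is missing before widening the category.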