topic Re: Can't Connect To Windows Update in Firewall and Security Management

Can't Connect To Windows Update

rotto841 — Fri, 18 Aug 2023 21:10:18 GMT

Hi everyone we've restricted our Windows domain controllers from accessing the internet and I've been a sked to allow Windows Update to function. I tried creating a rule with the windows update and update optimization applications with the source of our domain controllers to destination internet (DNS such is a different rule) but no dice.

So I updated the rule and created a network group using this page from Microsoft and added http and https. Yet we still can't connect I just see random IP addresses from Microsoft dropping I know that checkpoints aren't great when it comes to resolving wildcard domain names.

Its unfortunate that more updateable objects are available for download in this situation but I'm kind of banging my head at this now and wanted to post something to see if anyone else had luck opening the required URLs and such for Windows update to function.

Thanks for reading.

Re: Can't Connect To Windows Update

PhoneBoy — Wed, 30 Aug 2023 00:42:39 GMT

Hi, couple comments:

1. FQDN Domain Objects won't work here since you need to resolve for all *.download.microsoft.com instead of just .download.microsoft.com.
2. Updatable Objects are dependent on the underlying vendor (in this case Microsoft) providing the relevant information in a programmatically readable way so it can be consumed by our gateways.
3. "Windows Update" and the services http/https are redundant insofar as they both include http/https.

You can include the relevant domains in a Custom Application/Site object, which will be used as a service.
This requires: R80.40+, Categorize HTTPS Inspection enabled (it is by default), and App Control.

Re: Can't Connect To Windows Update

the_rock — Wed, 30 Aug 2023 01:15:50 GMT

Easiest way I always found to fix this issue is add custom url filtering group with *microsoft* and *windowsupdate* in it and dont even bother with updatable objects. Push policy, problem solved.

Reap the benefits : - )

Andy

Re: Can't Connect To Windows Update

the_rock — Wed, 30 Aug 2023 01:43:27 GMT

Forgot to say, this is important, you do need blades @PhoneBoy mentioned enabled on the gateway.

Andy

Re: Can't Connect To Windows Update

momoo168 — Mon, 01 Jul 2024 08:26:27 GMT

Hi Rock,

I too have to disable an internet rule that will impact Windows updates. I need to find a solution to block all internet traffic and only allow Windows updates to continue.

When I tried to add the custom domain into the URL filtering, it kept saying the domain must start with a "."

Any pointers?

I'm new and learning.

Thanks,

Re: Can't Connect To Windows Update

PhoneBoy — Mon, 01 Jul 2024 16:20:59 GMT

A Domain object does not work in the way you are attempting to use it.
What we're discussing is a Custom Application/Sites object where this IS allowed.
However, doing it in a wildcard fashion like this will allow stuff you probably do not want to allow.

There are a couple of Updatable Objects that might be useful here:

Microsoft Updates -- HTTPS Bypass
Microsoft Updates -- SmartAccel

See: https://support.checkpoint.com/results/sk/sk131852