checkgsingh
Participant

Restricting internet access to WSUS (Windows Update) Only

We are on R80.30 Take 227. We would like to restrict Internet access from server hosts to WSUS (Windows update) only. 

Windows Update communicates on ports 80 and 443, and as we want to restrict internet traffic from specific server hosts, I found that Microsoft has published a list of URLs that need to be allowed in order to get Windows Update, but they are either FQDNs or wildcard FQDNs.

How can we achieve this on a CP Gateway? An easier way, I thought, was to create a network layer policy that only allows the recommended URLs for Windows Update (refer to the article below) from the server hosts. But it looks like R80.30 has a limitation on having such objects. Also, there is no Updatable Object specified for WSUS that we can use.

Also, I have read sk117432, which states that by default WSUS 6.2 and later (at least Windows Server 2012) uses TCP port 8530 for HTTP traffic and TCP port 8531 for HTTPS traffic. This means the predefined Check Point services 'http' and 'https' are not enough for this traffic to pass, so I understand that we need to allow these ports as well. I am looking for the best possible way we can achieve this.


Reference:
https://docs.microsoft.com/en-us/answers/questions/284387/windows-update-ports.html
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy...

2 Replies
PhoneBoy
Admin

Have you tried the pre-defined application we have for this?

image.png

If you also need TCP ports 8350 and 8351, you will have to create TCP services for these ports and add them to this configuration:

image.png

Mraybone
Explorer

I have the same issue. The problem is not port access; the problem is getting the Check Point to allow access only to the specific URLs provided by Microsoft. I have tried using Domain Objects, but some of the IPs that get passed to the Check Point by clients accessing Windows Update don't have reverse lookups, so they never match the domain objects.

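An added example, not code from the thread or from Check Point: the rule discussed above (Windows Update FQDNs plus the WSUS ports 8530/8531) expressed as Management API commands for mgmt_cli instead of SmartConsole clicks. The script only prints the commands so they can be reviewed before running. Assumptions, all hypothetical: it is generated on the Management Server (so `mgmt_cli login -r true` works), a group object named "WSUS-Clients" already holds the restricted servers, the package's access layer is called "Network", and WU_ENDPOINTS is a short constructed sample standing in for the list Microsoft publishes. Wildcard entries become domain objects with `is-sub-domain true`, which on R80.x are matched through a reverse lookup of the destination IP (the failure mode Mraybone describes); exact host names become FQDN-mode objects (`is-sub-domain false`) that the gateway resolves itself, so they do not depend on PTR records.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point). Prints the
# mgmt_cli commands for an egress rule allowing Windows Update / WSUS only.
# Assumed names: group "WSUS-Clients", access layer "Network". The endpoint
# list below is a constructed sample, not Microsoft's authoritative list.
set -eu

WU_ENDPOINTS='*.windowsupdate.com *.update.microsoft.com *.delivery.mp.microsoft.com download.windowsupdate.com fe2.update.microsoft.com'

# Check Point domain objects are named with a leading dot:
#   "*.example.com"    -> ".example.com"       (sub-domain match)
#   "host.example.com" -> ".host.example.com"  (exact FQDN)
cp_domain_name() {
  fqdn=$1
  fqdn=${fqdn#\*.}   # strip a leading "*."
  fqdn=${fqdn#.}     # tolerate names already written with a leading dot
  printf '.%s\n' "$fqdn"
}

# Wildcards need is-sub-domain true (non-FQDN mode: matched via a reverse
# lookup of the destination IP, which fails when the IP has no PTR record).
# Exact names use is-sub-domain false (FQDN mode: the gateway resolves the
# name itself, so no PTR record is needed).
cp_is_sub_domain() {
  case $1 in
    \*.*) echo true ;;
    *)    echo false ;;
  esac
}

# Print the complete mgmt_cli script to stdout.
gen_wsus_script() {
  dest=''
  i=1
  echo 'mgmt_cli login -r true > id.txt'
  # WSUS listens on 8530/8531 by default (sk117432); the predefined
  # http/https services do not cover these ports.
  echo 'mgmt_cli -s id.txt add service-tcp name "WSUS-HTTP-8530" port 8530'
  echo 'mgmt_cli -s id.txt add service-tcp name "WSUS-HTTPS-8531" port 8531'
  set -f   # no filename globbing while expanding the "*." entries
  for ep in $WU_ENDPOINTS; do
    name=$(cp_domain_name "$ep")
    echo "mgmt_cli -s id.txt add dns-domain name \"$name\" is-sub-domain $(cp_is_sub_domain "$ep")"
    dest="$dest destination.$i \"$name\""
    i=$((i + 1))
  done
  set +f
  # One accept rule at the top of the layer; keep an explicit Drop rule
  # below it for the same source so nothing else reaches the internet.
  # If the layer has Application Control enabled, the pre-defined
  # "Windows Update" application can be added as a further service.
  echo "mgmt_cli -s id.txt add access-rule layer \"Network\" position top name \"WSUS and Windows Update only\" source \"WSUS-Clients\"$dest service.1 http service.2 https service.3 WSUS-HTTP-8530 service.4 WSUS-HTTPS-8531 action Accept track.type \"Log\""
  echo 'mgmt_cli -s id.txt publish'
  echo 'mgmt_cli -s id.txt logout'
}

# Number of domain objects the script would create (one per endpoint).
count_domain_cmds() { gen_wsus_script | grep -c 'add dns-domain'; }

gen_wsus_script
```

Redirect the output to a file, check the object names against the list you actually take from Microsoft, run the file on the Management Server, then install policy. FQDN-mode objects need working DNS on the gateway; the wildcard objects are the ones that will miss destinations without reverse records, so on R80.30 expect to add those IPs (or prefer a local WSUS server as the only internet-facing host) when the log shows drops to Windows Update addresses.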
