This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
checkgsingh
Participant
‎2021-09-14 07:04 PM

Restricting internet access to WSUS (Windows Update) Only

We are on R80.30 Take 227. We would like to restrict Internet access from server hosts to WSUS (Windows update) only. 

Windows update communicates on port 80 and 443 and as we want to restrict internet traffic from specific server hosts I found Microsoft has list of URLs published that needs to allowed in order to get windows update but they are either FQDN's or Wildcard FQDN's.

How can we achieve this on CP Gateway, a easier way I thought was by creating a network layer policy to only allow recommended URL's for windows update (refer below article) from the server hosts. But looks like R80.30 have limitation for having such objects. Also there is no updatable objects that is specified for WSUS we can use.

Also, I have read sk117432 which states that by default, WSUS 6.2 and later (at least Windows Server 2012) uses TCP port 8530 for HTTP traffic and TCP port 8531 for HTTPS traffic. Meaning, the predefined Check Point services 'http' and 'https' are not enough for this traffic to pass. So, I understand that we need to allow these ports aswell. I am looking for the best possible way we can achieve this.


Reference:
https://docs.microsoft.com/en-us/answers/questions/284387/windows-update-ports.html
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy...

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2021-09-16 09:28 PM

Have you tried the pre-defined application we have for this?

image.png

If you also need TCP port 8350 and 8351, you will have to create TCP services for these ports and add to add them to this configuration:

image.png

0 Kudos
Mraybone
Explorer
‎2022-03-09 03:49 AM
In response to PhoneBoy

I have the same issue.  The problem is not port access, the problem is getting the Check Point to allow access only to the specific URLs provided by Microsoft.  I have tried using Domain Objects but some of the IPs that get passed to the Check Point by clients accessing windowsupdate don't have reverse look ups so never match the domain objects.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events