This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
rotto841
Explorer
‎2023-08-18 02:09 PM

Can't Connect To Windows Update

Hi everyone we've restricted our Windows domain controllers from accessing the internet and I've been a sked to allow Windows Update to function. I tried creating a rule with the windows update and update optimization applications with the source of our domain controllers to destination internet (DNS such is a different rule) but no dice. 

So I updated the rule and created a network group using this page from Microsoft and added http and https. Yet we still can't connect I just see random IP addresses from Microsoft dropping I know that checkpoints aren't great when it comes to resolving wildcard domain names.

Its unfortunate that more updateable objects are available for download in this situation but I'm kind of banging my head at this now and wanted to post something to see if anyone else had luck opening the  required URLs and such for Windows update to function. 

Thanks for reading.

wsus2.pngwsus.pngwsus3.png

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2023-08-29 05:42 PM

Hi, couple comments:

1. FQDN Domain Objects won't work here since you need to resolve for all *.download.microsoft.com instead of just .download.microsoft.com.
2. Updatable Objects are dependent on the underlying vendor (in this case Microsoft) providing the relevant information in a programmatically readable way so it can be consumed by our gateways.
3. "Windows Update" and the services http/https are redundant insofar as they both include http/https.

You can include the relevant domains in a Custom Application/Site object, which will be used as a service.
This requires: R80.40+, Categorize HTTPS Inspection enabled (it is by default), and App Control.

 

0 Kudos
the_rock
Legend
Legend
‎2023-08-29 06:15 PM

Easiest way I always found to fix this issue is add custom url filtering group with *microsoft* and *windowsupdate* in it and dont even bother with updatable objects. Push policy, problem solved.

Reap the benefits : - )

Andy

0 Kudos
momoo168
Explorer
‎2024-07-01 01:26 AM
In response to the_rock

Hi Rock,

I too have to disable an internet rule that will impact Windows updates. I need to find a solution to block all internet traffic and only allow Windows updates to continue.

When I tried to add the custom domain into the URL filtering, it kept saying the domain must start with a "."

Any pointers?

I'm new and learning.

Thanks,

Preview file
122 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-01 09:20 AM
In response to momoo168

A Domain object does not work in the way you are attempting to use it.
What we're discussing is a Custom Application/Sites object where this IS allowed.
However, doing it in a wildcard fashion like this will allow stuff you probably do not want to allow.

There are a couple of Updatable Objects that might be useful here:

  • Microsoft Updates -- HTTPS Bypass
  • Microsoft Updates -- SmartAccel

See: https://support.checkpoint.com/results/sk/sk131852 

0 Kudos
the_rock
Legend
Legend
‎2023-08-29 06:43 PM

Forgot to say, this is important, you do need blades @PhoneBoy mentioned enabled on the gateway.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events