This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LadaNemecek
Participant
‎2022-02-28 08:21 AM

Problem with Windows Update

Hi,

can anybody help/advise what to check/where to start with Win update problems?

Customer runing 6400 cluster on R81, https inspection on,

enabled_blades fw vpn urlf av appi ips identityServer SSL_INSPECT anti_bot ThreatEmulation mon Scrub

 

Reporting the problem with direct winupdate, local wsus updates are fine. By them difference between nonCP subnet vs CP controlled subnet are: 

-servers cannot find updates/cannot update download most of time,

-updates found after seveal tries sometime,

-time to find/download update 10times longer behind CP

 

as far as know Update services should be bypasses implicitly + HTTPS policy contains rules:

Capture.PNG

 

 

log not shows any Microsoft related connections processed by inspection / blocked (little bit wierd log from TE which is not enabled for this subnet..), but in result have no idea where to look more.Capture2.PNG

 

Thanks for tips here,

LN

0 Kudos
3 Replies
the_rock
Legend
Legend
‎2022-02-28 09:05 AM

First thing I would look at are drops in dashboard. Then, run zdebug on the firewall filtering for IP address of the affected machine...say IP is 10.10.10.35, you would do fw ctl zdebug + drop | grep 10.10.10.35 from expert mode of the firewall or whichever one is master, if cluster. If that does not show anything either, then I would dig deeper with tcpdump and fw monitor, also filter for specific IP.

 

Andy

0 Kudos
LadaNemecek
Participant
‎2022-03-01 05:43 AM
In response to the_rock

Didn't directly checked fw ctl zdebug drops so far... but in Smartlog no any relevant drops.In additional don't think so its a hard network/firewalling error,

Looks to me as a intercepting problem (sometimes ok, sometimes not, tooks longer, problem running accross servers...), thats why suspecting URL filtering and HTTPS inspect

0 Kudos
the_rock
Legend
Legend
‎2022-03-01 06:01 AM
In response to LadaNemecek

Easiest way to tell is if you disable https inspection and test...never seen url filtering cause this, but logs would show it, for sure.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events