cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AMP blocking

SOLVED
Here to help

AMP blocking

Have an MX84 with firmware:  MX 13.36

 

Cannot run Windows Update (on either Windows 7 or Win 10) with Threat Protection on.  Disabled AMP & changed IPS to Detection Mode and it works.

 

I attempted to make the following AMP whitelists, but without success:

*.windowsupdate.com/*

*.microsoft.com/*

 

I can also document the issue from linux with:

wget http://download.windowsupdate.com/c/msdownload/update/others/2018/10/27555021_67b2474502ce5e63e1b326...

 

That fails with AMP on, and succeeds with AMP off, so I know it is not an issue with any of the Windows workstations.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Kind of a big deal

Re: AMP blocking

We have 14.19 and 14.27 on hundreds of MXes. No problems. 

10 REPLIES 10
A model citizen

Re: AMP blocking

I know MX13.xx has some issues with AMP, particularly the Whitelist. Meraki has done a lot of work in the MX14.xx firmware revisions to improve this and has worked from my observations. I would suggest trying that out for you. Maybe try updating a test environment first to make sure it doesn't have a bug that might cause an issue for you.

Here to help

Re: AMP blocking

Any issues I should be concerned about with switching production to a Beta firmware??? I worry even typing that on Halloween....

Kind of a big deal

Re: AMP blocking

@khowanitz You dont happen to have any content filtering rules blocking Windows updates do you?

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
A model citizen

Re: AMP blocking

@khowanitz I find that Meraki's beta firmware releases to be quite stable. I would highly recommend testing before changing firmware revisions, but that would be for beta or stable.

Here to help

Re: AMP blocking

Not exactly the same, but we have a MX100/13.36 and as far as I know, we have never had any windows updates issues.  We set up new machines constantly and we would notice if windows update was not functional.  AMP = enabled and IDS = detection/balanced.

No whitelist.

2 deny layer 7 rules

 

Kind of a big deal

Re: AMP blocking

I'm with @MacuserJim - move to 14.x code.  We have a large number of customers using 14.x.  It works well.

Highlighted
Kind of a big deal

Re: AMP blocking

We have 14.19 and 14.27 on hundreds of MXes. No problems. 

Here to help

Re: AMP blocking

I have updated to 14.34 then turned Threat Protection back on. (Enabled AMP & changed IPS to Prevention Mode.)

 

Windows Update is working properly.

 

Thanks!

Comes here often

Re: AMP blocking

I'm running MX with v14.39 and in Prevention/Security mode.

 

Can't get sccm to work without Whitelisting the machine being imaged.  Added the IP's for the SCCM server but still blocks.  Getting mostly MALWARE-Other Executable Control Panel file download.

 

Anyone have any luck in Security mode?

Here to help

Re: AMP blocking

The only way I was able to get it to work was to upgrade the firewall firmware. 😞  Sorry!!

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.