Hi all,
I have been trying to lock down our servers not being able to reach the Internet.
Most servers are allowed to retrieve signature updates from our protection suite and that works very well. All servers are also pointing towards our WSUS. But here is my problem. I need my WSUS server to be able to reach Windows Updates via Internet, but I just can't get it working.
Is there anyone in here that have it working and could point / show the config of how you got it working.
What addresses did you allow in your L3 Firewall and perhaps I need more in the L7 rules or Content filtering.
Please help - thank you.
Solved! Go to solution.
It is almost impossible to craft firewall rules for this to be locked down. Windows Update uses a wide range of URLs and IP addresses.
You are probably going to have to allow HTTP and https from the WSUS server to any.
This is a group I created that works *most* of the time:
Where there is a - put a . when adding. When it says "star" put in a *.
Windows Update requires TCP port 80, 443, and 49152-65535. The IP address for the Windows Update web site constantly changes and it is not a fixed address. Also, there is no official publication of the IP addresses.
https://learn.microsoft.com/en-us/answers/questions/457840/what-are-the-ip-ranges-for-microsofty-win...
Layer 3 and 7 Firewall Processing Order
By default, outbound traffic will be allowed through the firewall unless explicitly blocked by at least one L3 or L7 rule. In this example, SSH (TCP port 22) traffic will be allowed through the firewall because there are no configured L3 or L7 rules that act upon it.
Layer 3 Rules
Layer 7 Rules
In this example, SMTP traffic (TCP port 25) will be blocked by the L3 firewall, because rule 3 under layer 3 explicitly blocks it. Layer 7 rules would be ignored because the traffic has already been blocked.
Layer 3 Rules
Layer 7 Rules
The MR access point and MX security appliance differ slightly in their processing of L7 firewall rules after the L3 firewall. On the MR, if traffic matches an allow rule on the L3 firewall, that traffic will bypass the L7 firewall altogether.
On MR, default L3 rules do not act as a bypass for L7 rules. Only allow custom rules will bypass L7 rules.
On the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule.
On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.
Layer 3 Rules
Layer 7 Rules
Well described - thank you!
Hi , simply create a L3 firewall rule with 'ALL' FQDN related to Microsoft update and tcp port 443.
I don't have that list on hand but I could provide some later today.
It is almost impossible to craft firewall rules for this to be locked down. Windows Update uses a wide range of URLs and IP addresses.
You are probably going to have to allow HTTP and https from the WSUS server to any.
This is a group I created that works *most* of the time:
Where there is a - put a . when adding. When it says "star" put in a *.
This is almost a copy of what we are also using. Not pretty but works most of the time.
Let's hope Meraki can come up with a 'Major Application' that would magically update the object. That would be nice !
Thank you - much appreciated!