Windows Updates - L3 Firewall/Filtering

Solved
YoinkZ
Getting noticed

Windows Updates - L3 Firewall/Filtering

Hi all,

 

I have been trying to lock down our servers so that they are not able to reach the Internet.

Most servers are allowed to retrieve signature updates from our protection suite and that works very well. All servers are also pointing towards our WSUS. But here is my problem. I need my WSUS server to be able to reach Windows Updates via Internet, but I just can't get it working.

 

Is there anyone in here who has it working and could point to / show the config of how you got it working?
What addresses did you allow in your L3 firewall, and perhaps I need more in the L7 rules or content filtering?

 

Please help - thank you.

1 Accepted Solution
PhilipDAth
Kind of a big deal

It is almost impossible to craft firewall rules for this to be locked down. Windows Update uses a wide range of URLs and IP addresses.

 

You are probably going to have to allow HTTP and https from the WSUS server to any.

 
This is a group I created that works *most* of the time:

 

[screenshot: the firewall address group object, PhilipDAth_0-1700595569565.png]

Where there is a - put a . when adding. When it says "star" put in a *.


6 Replies
alemabrahao
Kind of a big deal

Windows Update requires TCP port 80, 443, and 49152-65535. The IP address for the Windows Update web site constantly changes and it is not a fixed address. Also, there is no official publication of the IP addresses.

 

https://learn.microsoft.com/en-us/answers/questions/457840/what-are-the-ip-ranges-for-microsofty-win...

Layer 3 and 7 Firewall Processing Order

Traffic Allowed by Default

By default, outbound traffic will be allowed through the firewall unless explicitly blocked by at least one L3 or L7 rule. In this example, SSH (TCP port 22) traffic will be allowed through the firewall because there are no configured L3 or L7 rules that act upon it.

Layer 3 Rules

  1. No Match
  2. No Match
  3. No Match

Layer 7 Rules

  1. No Match

Traffic Blocked by Layer 3 Rule

In this example, SMTP traffic (TCP port 25) will be blocked by the L3 firewall, because rule 3 under layer 3 explicitly blocks it. Layer 7 rules would be ignored because the traffic has already been blocked.

Layer 3 Rules

  1. No Match
  2. No Match
  3. Matched - Traffic blocked

Layer 7 Rules

  1. Not processed because traffic was already blocked

 

Traffic Blocked by Layer 7 Rule

The MR access point and MX security appliance differ slightly in their processing of L7 firewall rules after the L3 firewall. On the MR, if traffic matches an allow rule on the L3 firewall, that traffic will bypass the L7 firewall altogether.

On MR, default L3 rules do not act as a bypass for L7 rules. Only custom allow rules will bypass L7 rules.

On the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule.

On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.

Layer 3 Rules

  1. Matched - Traffic allowed through L3 firewall
  2. Not processed
  3. Not processed

Layer 7 Rules

  1. Matched - Traffic blocked

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
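As an added illustration of the processing order quoted above (example code, not from Meraki or from this post), here is a small Python model of first-match L3 rules followed by L7 deny rules, including the MR/MX difference; the rule classes, the `custom` flag and the sample rule set are constructed for the example. It bears on the original question because on an MX an L3 "allow to any" for the WSUS server does not exempt that traffic from L7 or content-filtering rules.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class L3Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    dst_port: Optional[int]     # None matches any destination port
    custom: bool = True         # False = Meraki default rule (no L7 bypass on MR); assumed flag

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.dst_port in (None, port)

@dataclass
class L7Rule:
    host_suffix: str            # L7 rules in this model are deny-by-hostname

def evaluate(platform: str, l3: List[L3Rule], l7: List[L7Rule],
             proto: str, port: int, host: str = "") -> Tuple[str, str]:
    """Return (verdict, reason) for one outbound flow.
    L3 rules are first-match; unmatched traffic is allowed by default.
    A deny at L3 ends processing, so L7 is never consulted.
    MR: a matched *custom* L3 allow rule bypasses L7 entirely.
    MX: traffic allowed at L3 is still subject to L7 deny rules.
    """
    assert platform in ("MR", "MX")
    bypass_l7 = False
    for i, rule in enumerate(l3, 1):
        if rule.matches(proto, port):
            if rule.action == "deny":
                return "deny", f"L3 rule {i}"
            bypass_l7 = platform == "MR" and rule.custom
            break
    if not bypass_l7:
        for i, rule in enumerate(l7, 1):
            if host == rule.host_suffix or host.endswith("." + rule.host_suffix):
                return "deny", f"L7 rule {i}"
    return "allow", "L3 allow, L7 bypassed" if bypass_l7 else "no deny rule matched"

# Constructed rule set mirroring the documentation's three walk-throughs.
L3_RULES = [L3Rule("allow", "tcp", 80),    # rule 1: allow HTTP
            L3Rule("allow", "tcp", 443),   # rule 2: allow HTTPS
            L3Rule("deny", "tcp", 25)]     # rule 3: block SMTP
L7_RULES = [L7Rule("facebook.com")]        # rule 1: block Facebook

if __name__ == "__main__":
    print(evaluate("MX", L3_RULES, L7_RULES, "tcp", 22))                      # SSH: allowed by default
    print(evaluate("MX", L3_RULES, L7_RULES, "tcp", 25))                      # SMTP: blocked at L3
    print(evaluate("MX", L3_RULES, L7_RULES, "tcp", 80, "www.facebook.com"))  # MX: blocked at L7
    print(evaluate("MR", L3_RULES, L7_RULES, "tcp", 80, "www.facebook.com"))  # MR: L7 bypassed
```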
YoinkZ
Getting noticed

Well described - thank you!

RaphaelL
Kind of a big deal

Hi, simply create an L3 firewall rule with 'ALL' FQDNs related to Microsoft Update and TCP port 443.

 

I don't have that list on hand but I could provide some later today.

RaphaelL
Kind of a big deal

This is almost a copy of what we are also using. Not pretty but works most of the time. 

 

Let's hope Meraki can come up with a 'Major Application' that would magically update the object. That would be nice !

YoinkZ
Getting noticed

Thank you - much appreciated!
