Windows Update requires TCP port 80, 443, and 49152-65535. The IP address for the Windows Update web site constantly changes and it is not a fixed address. Also, there is no official publication of the IP addresses. https://learn.microsoft.com/en-us/answers/questions/457840/what-are-the-ip-ranges-for-microsofty-windows-upda Layer 3 and 7 Firewall Processing Order Traffic Allowed by Default By default, outbound traffic will be allowed through the firewall unless explicitly blocked by at least one L3 or L7 rule. In this example, SSH (TCP port 22) traffic will be allowed through the firewall because there are no configured L3 or L7 rules that act upon it. Layer 3 Rules No Match No Match No Match Layer 7 Rules No Match Traffic Blocked by Layer 3 Rule In this example, SMTP traffic (TCP port 25) will be blocked by the L3 firewall, because rule 3 under layer 3 explicitly blocks it. Layer 7 rules would be ignored because the traffic has already been blocked. Layer 3 Rules No Match No Match Matched - Traffic blocked Layer 7 Rules Not processed because traffic was already blocked Traffic Blocked by Layer 7 Rule The MR access point and MX security appliance differ slightly in their processing of L7 firewall rules after the L3 firewall. On the MR, if traffic matches an allow rule on the L3 firewall, that traffic will bypass the L7 firewall altogether. On MR, default L3 rules do not act as a bypass for L7 rules. Only allow custom rules will bypass L7 rules. On the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule. On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall. Layer 3 Rules Matched - Traffic allowed through L3 firewall Not processed Not processed Layer 7 Rules Matched - Traffic blocked https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewall_Processing_Order
... View more