Sometimes there are issues with an application's ability ability to get updates for that application (application will not download the updates). I have seen this in various applications...Quickbooks, Adobe, Veeam Endpoint for example.
Usually this is due to restrictions present in web filtering.
Typically in my XG I have an Internal to WAN FW Rule that has Scan HTTP, Intrusion Prevention (LAN to WAN), Web Policy (Default Workplace Policy), and Rewrite source address (masquerading) set.
In order to attempt resolve the inability to download the application updates I do the following:
- Get the Source IP of the endpoint attempting the application update.
- Use the Log viewer to get the URLs being accessed by that endpoint
- Create a IP host for that endpoint
- Create a FQDN host (and / or group) for the destination URLs being accessed.
- Create a FW Rule from LAN to WAN
- Source Zone: LAN
- Source networks or devices: IP Host with IP of the trouble endpoint
- Destination Zone: WAN
- Destination Networks: FQDN Host (or group) for the destination URLs
- Rewrite source address (masquerading) set
- No other options set on this rule.
- Apply rule to top of LAN to WAN group.
Test the download for the application on the endpoint.
Immediately starts downloading application updates.
To re-verify, cancel the download, disable the rule specifically created for the endpoint.
So here is the issue and my question...after disabling the rule, the application does process the download successfully.,
The application download did not work until I created and applied that rule, and now it works after I disable it. This makes NO sense.
Seems that the rule is still being applied even though it is disabled, or it internally created an opening in the FW that remains even after it is disabled.
Can someone provide an explanation?
Much appreciated
Lonnie
This thread was automatically locked due to age.
