Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Subscribers 27 subscribers
  • Views 1149 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG Windows Update firewall rule not hit

Fred_B

Under Web -> Exceptions the default Microsoft Windows Update exception is enabled. We have added a second one with some additional websites as per the Sophos KB.

We have an allow firewall rule that allows traffic from any LAN source to the FQDN host group WindowsUpdateSites with all Microsoft Websites as per the Windows recommendations services http and https. There are no security or scanning features enabled on this rule. 

Below that rule we have another firewall rule for internet proxy access through the XG and we have all the security features enabled and allow only green health and with a heartbeat,

In my understanding machines with no Endpoint X (so no green health and heartbeat) that require windowsupdate would be allowed to use WindowsUpdate as that rule is before the proxy firewall rule. But Windows Update throws an error. I can browse to the sites in the list on the machine. That is not the problem.

It seems that Windows Update itself is hitting the wrong firewall rule as I see in the firewall log under web filter that there is content delivery denied. It refers to the Proxy fw rule awhich it should not hit, and web_policy_id="2", category="Content Delivery", category_type="Acceptable" and the microsoft url is referrered to akamaized.net. 

I thought that because it hits the Proxy firewall rule that requires green health and a heartbeat it would be denied but removing Green Health and heartbeat requirement did not fix it.

Should it not hit first the firewall rule above the proxy firewall rule? Is this again a system service that takes precedence over the firewall rules?



This thread was automatically locked due to age.
  • 0

    It seems to be something on this server as I have no problem on a W2012 R2 server also without Endpoint X. This hits the correct firewall rule and updates just fine.

  • FormerMember
    0 FormerMember

    Hi ,

    Thank you for reaching out to the Community!

    Could you please check if the workstation is sending the traffic to the configured FQDN within the firewall? If the workstation sends traffic to the destination IP address, it won't trigger the FQDN firewall rule. 

    Thanks,

  • 0 in reply to FormerMember

    I think it has to do with GPO settings we use to push the proxy server. I disabled the proxy server settings on the server as I know that it won't allow due to no heartbeat. I forgot it will return the settings when I logon again. I have to change the GPO to exclude this machine. 

  • 0 in reply to Fred_B

    Heartbeat is not a filter criteria, instead a action. Filter criteria of a matching firewall are source IP, destination IP and service. And if you work with a direct proxy, the service is likely not matching? IF you select http/s, it is not including port 3128/8080. 

  • +1 in reply to LuCar Toni

    Troubleshooting can sometimes be a real pain as sometimes you don't get all the information needed from the log. For example because it is hiting a rule that is not logged or a system service.

    In this case the WindowsUpdate fw rule higher up in the fw rules allows http, https from the LAN to the FQDN Host Group to the WindowsUpdateSites. WindowsUpdate does not call IP adresses direct, it calls domains. There are already two exceptions in Web -> Exceptions.

    The Proxy server rule lower in the fw rules allows services http, https, proxy 3128 from the LAN but requires green health and a heartbeat is required.

    This machine has no Endpoint X so no green health, heart beat but that is not required as it should hit the WindowsUpdate rule first.

    I had a problem that this one machine would not update and I didn't see it in the fw log as I had disabled logging on the proxy rule. I saw it being blocked under web filter. But it should not hit that rule. I enabled logging again on the proxy rule and saw it being blocking on heartbeat with the proxy fw wule ID.  

    The cause are my ad gpo settings that push the proxy settings and in this case it shouldn't so I fixed that.