

Sophos XG Firewall Preventing WSUS from downloading updates

Hi everyone, this is my first post to the Sophos Community, so sorry if this is the wrong place. I have just installed the Sophos XG Firewall in my test environment and I have found that by doing so I have blocked the HTTP 1.1 byte range requests required for WSUS to download the updates. I can see in other firewalls such as Dell SonicWall this is easy enough to enable and allow through the firewall, but I can't seem to work out how to do this on the Sophos XG firewall. Has anyone else come across this issue? Does anyone know how to enable it? As a workaround for now I have enabled BITS to the foreground, which is allowing me to download the updates again, but I would prefer to have that disabled if I can.

  • Jake,
    Welcome on board. What you can do is allow the server to access 80/443 to download updates from Microsoft.
    You can create an object called "clientless" under Objects > Identity > Clientless Users and add your WSUS server IP. Now create a Policy (user policy) where only the clientless object you created can access the Microsoft website on 80/443.
    Try to activate the IPS rule and see if it breaks the connections (otherwise you need to create an exception).

    If you want to be more specific, you can create a URL group under Objects > Content > URL Group where only Microsoft websites are allowed (technet.microsoft.com/.../cc708605(v=ws.10).aspx).
    Then create a Web Filter under Objects > Policies > Web Filter, cloning from Deny All, and add the URL group defined before.
    At the end, create a Policy where the user is the clientless object going to WAN using 80/443 and as Web Filter choose the filter you created before.
    Note that this web filter will allow the server to go only to the specified URL group you created. All other traffic will be blocked (deny all except the URLs specified).

    Luk
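The original post diagnoses the problem as HTTP/1.1 byte-range requests being blocked, and the reply above fixes it with a firewall policy. Neither shows how to verify the diagnosis, so here is an added check (my own example, not code from the thread, from Sophos or from Microsoft): a small Python probe that sends a Range request and classifies the answer as honoured (206 with the requested byte count), ignored (200 with the whole object, i.e. something in the path stripped the Range header), rejected (an HTTP error such as 416 or a block page) or unreachable (connection dropped). Because it has to run offline, the block also starts two constructed loopback origins, one that honours Range like a real update server and one that ignores it like a misbehaving middlebox; the file body, the `/update.cab` path and the function names are all assumptions for the demo.

```python
"""Probe whether an HTTP path honours HTTP/1.1 byte-range requests.

WSUS/BITS fetch update files in ranges; if a firewall or proxy in the
path strips the Range header (answering 200 with the whole file) or
rejects it, background downloads fail. Added example, not vendor code.
"""
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

# Constructed stand-in for an update file served by the origin (not real data).
SAMPLE_BODY = bytes(range(256)) * 16  # 4096 bytes


class _OriginHandler(http.server.BaseHTTPRequestHandler):
    """Tiny origin. honour_range=True behaves like a well-behaved update
    server (206 + Content-Range); False mimics a middlebox that ignores
    Range and returns the full object with 200."""
    honour_range = True

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        rng = self.headers.get("Range", "")
        if self.honour_range and rng.startswith("bytes="):
            # Only the "start-end" and "start-" forms are handled (enough for the probe).
            start_s, end_s = rng[len("bytes="):].split("-", 1)
            start = int(start_s)
            end = int(end_s) if end_s else len(SAMPLE_BODY) - 1
            end = min(end, len(SAMPLE_BODY) - 1)
            chunk = SAMPLE_BODY[start:end + 1]
            self.send_response(206)
            self.send_header("Content-Range", f"bytes {start}-{end}/{len(SAMPLE_BODY)}")
        else:
            chunk = SAMPLE_BODY
            self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(chunk)))
        self.end_headers()
        self.wfile.write(chunk)


def start_origin(honour_range):
    """Start a loopback origin on an ephemeral port; returns (server, url)."""
    handler = type("Handler", (_OriginHandler,), {"honour_range": honour_range})
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/update.cab"


def probe_range_support(url, first=0, last=1023, timeout=5):
    """Request bytes first..last of url and classify how the path behaved."""
    req = urllib.request.Request(url, headers={"Range": f"bytes={first}-{last}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            body = resp.read()
            content_range = resp.headers.get("Content-Range")
    except urllib.error.HTTPError as exc:
        # e.g. 416 from a proxy that refuses ranges, or a block page
        return {"verdict": "rejected", "status": exc.code, "received": 0}
    except (urllib.error.URLError, OSError) as exc:
        # connection reset or dropped: typical of a firewall silently blocking
        return {"verdict": "unreachable", "status": None, "received": 0, "error": str(exc)}

    expected = last - first + 1
    if status == 206 and content_range and len(body) == expected:
        verdict = "honoured"
    elif status == 200:
        verdict = "ignored"  # whole object came back: Range was stripped somewhere
    else:
        verdict = "unexpected"
    return {"verdict": verdict, "status": status, "received": len(body)}


if __name__ == "__main__":
    for honours in (True, False):
        server, url = start_origin(honours)
        print(f"origin honours Range={honours}: {probe_range_support(url)}")
        server.shutdown()
        server.server_close()
```

To use it against the real path, run `probe_range_support` from the WSUS server against any large file on a Microsoft download host (which URL is up to you; none is given in the thread) before and after applying the policy described above. A verdict of `ignored` or `rejected` from the WSUS box confirms the firewall or its web proxy is interfering with the Range header, and `honoured` after the change confirms the fix without needing the BITS foreground workaround.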