
Windows updates being country blocked

Hey everyone,

This is probably a super basic question, but I've been trying to figure it out for a while now and am just stumped. We have a Sophos UTM firewall deployed in the field with a PC that needs to get Windows updates. I've used this site as a reference for the DNS addresses, which I've added as network definitions and made into a DNS group:

I then wrote a firewall rule for that PC to be allowed to connect to that DNS group using HTTP and HTTPS and I've also written a country blocking exception rule for that Microsoft DNS group using HTTP and HTTPS as well.

When I trigger Windows updates on the PC and watch the live log though, I still see it being country blocked, which is where I'm stuck. Other than allowing traffic from each individual country that Microsoft could be using, which seems to change a lot, I can't figure out why it's still being country blocked. Would the country block exception not cover that?

Here are some screenshots of the rules for clarity:


  • Hello Eric,

    you can (and should) paste your screenshots here directly into the editor window.

    Some guys are very hesitant when it comes to external links with downloadable files. Just a tip.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.