01-22-2020 02:26 AM
Hello,
I have ASA with SFR module managed by FMC.
I have a problem with Windows Update.
I have a new PC and I try to update it, but it fails when the traffic passes through the SFR.
When I disable the SFR the updates are successful.
It hits the right rule of the SSL policy, which contains the Microsoft update application.
In the events, I see that in the "SSL certificate status" field it says "Invalid issuer".
I installed the certificate on the PC but nothing changed.
How could I allow Windows updates to pass?
Thanks and regards,
Konstantinos
01-22-2020 03:36 AM
Hi,
It seems you are using SSL decryption for all types of traffic. If allowed by your organization, you can configure a rule in your decryption policy not to decrypt traffic for Microsoft.
Have a look at the attached snapshot, which shows how to add a rule not to decrypt traffic for Microsoft updates. You can select *.update.microsoft.com from the CN tab in this rule.
01-22-2020 04:19 AM
Hello Muhammad Awais Khan
Thank you for the reply.
The thing is that the rule already does "not decrypt".
I will, though, add the *sls.microsoft.com CN; the others already exist.
Regards,
Konstantinos
01-22-2020 04:26 AM
What is the default intrusion policy you are using? Have you configured the network discovery? As a test, you can go into your access control policy ACL and change the rule to trust instead of allow.
01-23-2020 05:03 AM
01-23-2020 11:20 PM