
Firepower 1010 Windows update Wildcard policy

sirajuddeen t p
Level 1

Dear support team,

I have a requirement to allow only Windows Update from a specific IP address to the internet. The firewall we use is an FTD1010.

We used the link below as a reference for the URLs and ports to be allowed for Windows Update.

https://answers.microsoft.com/en-us/windows/forum/all/need-windows-update-servers-ip-address-range-to/0b0d3618-f74c-411d-bb46-58bd605f7abe

 

Unfortunately, FTD doesn't allow the use of wildcards with FQDNs. Kindly advise if there is any method to achieve the requirement.


Accepted Solutions

I was able to achieve this by adding URL objects in the FTD.

microsoft.com

windows.com

s-microsoft.com

windowsupdate.com

 

Then created a URL group and added the above URL objects to it.

Then created a policy from inside to outside to allow the selected URL group only.
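
An added example, not part of the original thread and not Cisco's code: a small audit of how much traffic the four URL objects above admit compared with the Windows Update names the rule is meant for. The intended wildcard list, the sample hostnames and the two matching models (label-boundary suffix and plain substring) are assumptions; check which model your FTD release applies.

```python
from fnmatch import fnmatchcase

# URL object values taken from the accepted answer above.
URL_OBJECTS = ["microsoft.com", "windows.com", "s-microsoft.com", "windowsupdate.com"]

# Assumption: wildcard names the rule is actually meant to cover (illustrative subset).
INTENDED = ["*.windowsupdate.com", "*.update.microsoft.com", "download.microsoft.com"]

# Constructed sample hostnames; example.net is a reserved documentation domain.
SAMPLE_HOSTS = [
    "download.windowsupdate.com",
    "fe2.update.microsoft.com",
    "www.microsoft.com",
    "windowsupdate.com.example.net",
]

def suffix_match(host, entry):
    """Match on a DNS label boundary: the entry itself or any subdomain of it."""
    return host == entry or host.endswith("." + entry)

def substring_match(host, entry):
    """Assumed looser model: the entry appears anywhere in the requested name."""
    return entry in host

def audit(hosts, entries=URL_OBJECTS, intended=INTENDED):
    """Per host: is it an intended update name, and is it allowed under each model?"""
    rows = {}
    for host in hosts:
        rows[host] = {
            "intended": any(fnmatchcase(host, p) for p in intended),
            "suffix": any(suffix_match(host, e) for e in entries),
            "substring": any(substring_match(host, e) for e in entries),
        }
    return rows

def broader_than_intended(rows, model):
    """Hosts the rule allows under `model` that are not intended update names."""
    return [h for h, r in rows.items() if r[model] and not r["intended"]]

if __name__ == "__main__":
    rows = audit(SAMPLE_HOSTS)
    for host, r in rows.items():
        print(f"{host:32} intended={r['intended']!s:5} "
              f"suffix={r['suffix']!s:5} substring={r['substring']}")
    for model in ("suffix", "substring"):
        print(model, "allows beyond intent:", broader_than_intended(rows, model))
```

Run it against hostnames pulled from your own connection events to see what the rule admits besides update traffic before relying on it as an "updates only" policy.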


3 Replies

Marvin Rhoads
Hall of Fame

Are you managing with FMC or with the on-box FDM?

For FMC there is an open source project that allows you to import the Microsoft O365 addresses as an object and then use that in an Access Control Policy rule.

https://github.com/chrivand/Firepower_O365_Feed_Parser

 

Dear Marvin,

We are not using FMC. Small business purpose with on-box FDM.

