SRX Services Gateway

WSUS SRX Web Filtering

Wednesday

Microsoft recommends allowing the following URLs:

 

 

However, the SRX does not allow me to use wildcards, what is the best way of allowing this traffic?  Here is what I have so far:


set security zones security-zone WSUSUPDATEINTERNET-ZONE address-book address WSUSUPDATELINK dns-name http://windowsupdate.microsoft.com ipv4-only
set security zones security-zone WSUSUPDATEINTERNET-ZONE address-book address WSUSUPDATELINK dns-name http://*.windowsupdate.microsoft.com ipv4-only
set security zones security-zone WSUSUPDATEINTERNET-ZONE address-book address WSUSUPDATELINK dns-name https://*.windowsupdate.microsoft.com ipv4-only
set security zones security-zone WSUSUPDATEINTERNET-ZONE address-book address WSUSUPDATELINK dns-name http://*.update.microsoft.com ipv4-only
set security zones security-zone WSUSUPDATEINTERNET-ZONE address-book address WSUSUPDATELINK dns-name https://*.update.microsoft.com ipv4-only
set security zones security-zone WSUSUPDATEINTERNET-ZONE address-book address WSUSUPDATELINK dns-name http://*.windowsupdate.com ipv4-only
set security zones security-zone WSUSUPDATEINTERNET-ZONE address-book address WSUSUPDATELINK dns-name http://download.windowsupdate.com ipv4-only
set security zones security-zone WSUSUPDATEINTERNET-ZONE address-book address WSUSUPDATELINK dns-name http://download.microsoft.com ipv4-only
set security zones security-zone WSUSUPDATEINTERNET-ZONE address-book address WSUSUPDATELINK dns-name http://*.download.windowsupdate.com ipv4-only
set security zones security-zone WSUSUPDATEINTERNET-ZONE address-book address WSUSUPDATELINK dns-name http://wustat.windows.com ipv4-only
set security zones security-zone WSUSUPDATEINTERNET-ZONE address-book address WSUSUPDATELINK dns-name http://ntservicepack.microsoft.com ipv4-only
set security policies from-zone WSUS-SecZone to-zone WSUSUPDATEINTERNET-ZONE policy PERMIT-WSUSUPDATE match source-address WSUSSERVER
set security policies from-zone WSUS-SecZone to-zone WSUSUPDATEINTERNET-ZONE policy PERMIT-WSUSUPDATE match destination-address WSUSUPDATELINK
set security policies from-zone WSUS-SecZone to-zone WSUSUPDATEINTERNET-ZONE policy PERMIT-WSUSUPDATE match application http https
set security policies from-zone WSUS-SecZone to-zone WSUSUPDATEINTERNET-ZONE policy PERMIT-WSUSUPDATE then permit

 


Re: WSUS SRX Web Filtering

Wednesday

Hello,

 

As you stated correctly, DNS address book entries with wildcards are not supported in SRX security policy. So, you have to configure the sub-domains manually.

 

[SRX] DNS address book entries with wildcard is not accepted

https://kb.juniper.net/InfoCenter/index?page=content&id=KB34600&cat=SRX_SERIES&actp=LIST

 

But I understand that there can be multiple sub-domains where a WSUS server is concerned. Can we set the source address to specific sources, the destination address to ANY, and the application to the WSUS ports?



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
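
An added example, not part of either post and not Juniper's code: a small Python generator that takes the URL patterns from the question, strips the scheme so only a host name reaches `dns-name`, emits address-book commands for the exact host names, and returns the wildcard domains whose sub-domains still have to be listed by hand. It assumes one address object per host name grouped in an address-set; the address-set name `WSUSUPDATELINKS` and the `WSUS-` object naming scheme are hypothetical.

```python
# Added example: turn URL patterns into Junos address-book commands.
# PATTERNS is constructed sample input copied from the question's config lines.
PATTERNS = [
    "http://windowsupdate.microsoft.com",
    "http://*.windowsupdate.microsoft.com",
    "https://*.windowsupdate.microsoft.com",
    "http://*.update.microsoft.com",
    "https://*.update.microsoft.com",
    "http://*.windowsupdate.com",
    "http://download.windowsupdate.com",
    "http://download.microsoft.com",
    "http://*.download.windowsupdate.com",
    "http://wustat.windows.com",
    "http://ntservicepack.microsoft.com",
]
ZONE = "WSUSUPDATEINTERNET-ZONE"  # zone name used in the question
ADDRESS_SET = "WSUSUPDATELINKS"   # hypothetical address-set name


def split_patterns(patterns):
    """Strip scheme/path; return (exact FQDNs, wildcard parent domains)."""
    exact, wild = [], []
    for pattern in patterns:
        host = pattern.split("://", 1)[-1].split("/", 1)[0].lower()
        if host.startswith("*."):
            bucket, host = wild, host[2:]
        else:
            bucket = exact
        if host and host not in bucket:  # http/https duplicates collapse here
            bucket.append(host)
    return exact, wild


def build_commands(patterns):
    """Return (set commands for exact FQDNs, wildcard domains left to enumerate)."""
    exact, wild = split_patterns(patterns)
    base = f"set security zones security-zone {ZONE} address-book"
    cmds = []
    for fqdn in exact:
        name = "WSUS-" + fqdn.replace(".", "-")  # hypothetical naming scheme
        cmds.append(f"{base} address {name} dns-name {fqdn} ipv4-only")
        cmds.append(f"{base} address-set {ADDRESS_SET} address {name}")
    return cmds, wild


if __name__ == "__main__":
    commands, unresolved = build_commands(PATTERNS)
    print("\n".join(commands))
    for domain in unresolved:
        print(f"# *.{domain}: wildcard not accepted, list its sub-domains explicitly")
```

The policy's `match destination-address` would then reference the address-set name instead of a single address object.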