Blocking Windows Updates

To keep Windows updates from running without the user being aware of them, we can use the firewall's URL filter and DNS filter to block clients' access to the Windows update server. The idea is to have the firewall block the domains related to the Windows update service. This note demonstrates the required configuration.

1. Go to Objects Setting >> Keyword Object, click on an empty index to create a keyword object.

a screenshot of DrayOS Keyword Object list

2. Name the profile and enter windowsupdate in Contents.

a screenshot of DrayOS Keyword Object setup

3. Repeat the step above to add a keyword profile for each of the domains below:

  • windowsupdate
  • update.microsoft
  • download.microsoft
  • ws.microsoft
  • ntservicepack.microsoft
  • wustat.windows
a screenshot of DrayOS Keyword Object List

4. Go to CSM >> URL Content Filter Profile, click on an empty profile index to create a new one.

a screenshot of DrayOS URL Content Filter profile list

5. Edit the profile as follows:

  1. Enter a Profile Name
  2. Check Enable URL Access Control
  3. Select "Block" for Action
  4. Click Edit and, in the pop-out window, select all the keyword objects created in the previous steps
  5. Click OK to close the pop-out window, then click OK to save the profile.
a screenshot of DrayOS URL Content Filter profile

6. Go to CSM >> DNS Filter to add a profile as follows:

  1. Enter a Profile Name
  2. Select the profile created in the previous step for URL Content Filter (UCF)
  3. Click OK to save
a screenshot of DrayOS DNS Filter

7. Go to Firewall >> Filter Setup >> Filter Set 2, click on an empty index number.

a screenshot of DrayOS Firewall Rule

8. Edit the profile as follows:

  1. Enable the Filter Rule
  2. (Optional) Enter Comments
  3. Select "LAN/DMZ/RT/VPN -> WAN" for Direction
  4. Select "Pass Immediately" for Filter
  5. Select the profile created in the previous steps for URL Content Filter and DNS Filter
a screenshot of DrayOS Firewall Filter Rule

With the configuration above, the LAN clients will be blocked from the Windows update service.

1. Go to Objects Setting >> Keyword / DNS Object page >> DNS Object to create an object.

2. Enter the profile name, and add all the domains below into Member Table.

  • windowsupdate
  • update.microsoft
  • download.microsoft
  • ws.microsoft
  • ntservicepack.microsoft
  • wustat.windows

3. Go to Firewall >> Filter Setup page, add a Filter Group in IP Filter tab.

4. In the new filter group, click Add to create a new rule.

5. Edit the filter rule as follows:

  • Enter a Profile name
  • Check Enable
  • Select Block for Action
  • At Destination DNS Object, select the profile created in the previous step.
  • Click Apply to save

With the configuration above, the LAN clients will be blocked from the Windows update service.
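
Before relying on the rule, it helps to check the keyword list against the names clients actually query. The script below is an added example, not part of the original article or of DrayOS: it assumes the router matches a keyword as a case-insensitive substring of the queried name, and the log format and sample lines are constructed for illustration.

```python
# Keyword contents taken from the list in this article.
KEYWORDS = [
    "windowsupdate", "update.microsoft", "download.microsoft",
    "ws.microsoft", "ntservicepack.microsoft", "wustat.windows",
]

# Constructed sample DNS query log, one "<client-ip> <queried-name>" per line.
SAMPLE_LOG = """\
192.168.1.10 www.windowsupdate.com
192.168.1.10 fe2.update.microsoft.com
192.168.1.11 download.microsoft.com
192.168.1.11 news.microsoft.com
192.168.1.12 www.example.com
192.168.1.12 DOWNLOAD.WINDOWSUPDATE.COM.
"""

def normalize(name):
    """Lower-case a queried name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def match(name, keywords=KEYWORDS):
    """Return (keyword, partial_label) for the first keyword found, else None.

    partial_label is True when the hit starts in the middle of a DNS label,
    which usually means an unrelated host is caught by the keyword.
    """
    host = normalize(name)
    for kw in keywords:
        pos = host.find(kw)  # assumption: substring match, as described above
        if pos != -1:
            return kw, pos > 0 and host[pos - 1] != "."
    return None

def audit(log_text, keywords=KEYWORDS):
    """Sort queried names into blocked, overblocked (partial label) and passed."""
    result = {"blocked": [], "overblocked": [], "passed": []}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        client, qname = parts
        hit = match(qname, keywords)
        if hit is None:
            result["passed"].append((client, normalize(qname)))
        else:
            bucket = "overblocked" if hit[1] else "blocked"
            result[bucket].append((client, normalize(qname), hit[0]))
    return result

if __name__ == "__main__":
    for bucket, rows in audit(SAMPLE_LOG).items():
        print(bucket, *rows, sep="\n  ")
```

Under that assumption the short keyword ws.microsoft also catches news.microsoft.com, so names reported as overblocked are worth reviewing before the rule goes live.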

Published On: 2017-12-19 
