WG-Signature-Updates blocks Microsoft Office Updates?

Since last month we have the issue that no Microsoft Office Updates can be downloaded and installed.

We have a third-party company that manages our network/Watchguard FW.
They told us
1. there are Watchguard Firmware-Updates and
2. there are Watchguards Signature Updates and last are the issue!
So they tried to set a test-rule for one client in our company and then the MS Office updates could be downloaded and installed on that.
With this result they set a final-rule for MS Office Updates for our complete company.
This has now cost us money again unnecessarily.

Now I'm asking you:
Is this true?
WG-Signature Updates blocks MS Office Updates?
Then can it be fixed (with your sig-Updates)?
Or was it a lie?

Comments

  • I have never had this issue with GAV or IPS signatures.

    GAV signature sets are often updated multiple times per day.
    IPS signature sets are updated much less frequently - my last update was on Aug 5th.
    Normally when there is a "bad" signature, it affects many sites and WG quickly identifies the problem signature and either removes it or updates it.
    It is recommended to set automatic signature updates to multiple times per day, such as for every 2 hours.

    There are 3 IPS signature sets - 1 for smaller firewall models, such as mine, and 1 for large firewall models.
    I have no idea where the Standard set is used.

    Intrusion Prevention Service and Application Control signature sets size
    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g3E5SAI&lang=en_US

    If there was a signature which actually prevented MS updates to work, it would affect a huge number of WG sites, and I would expect to have seen a number of posts about it. I have seen no such posts.

    I would ask for actual details of what is changed on your firewall which allowed the MS updates to work. If it was a specific signature that was excluded, which signature number.
    You can look up specific signature number here:
    https://securityportal.watchguard.com/Threats

  • james.carson Moderator, WatchGuard Representative

    Hi @SMAedoc

    I have no recently reported issues of a signature update causing MS Office to not be able to update. On the current 12.x firmwares there are even built in exceptions in the HTTPS proxy that can be enabled to make administering them easier.

    I suspect that your IT admin may be trying to simplify the issue -- if they're having trouble ensuring that Office is able to update -- I'd suggest that they open a case with our support team so we can help identify what's going wrong and help to find them a long-term fix.

    -James Carson
    WatchGuard Customer Support

  • @Bruce_Briggs
    As far as I know they change the HTTP/S-Proxy rule/s for MS Office Updates.
    Normal Windows 10 Updates does not concern it!
    That made me wonder.
    I'm not so familiar with WG, so I've access but I don't find exact MS rules in HTTP/S-Proxy rule/s.

    After they change it it works, so it's fine!
    So you think it was a lie from them? - I agree.

    @james.carson
    Since I cannot understand what exactly has been changed and it is running, we can tick off the topic for now.

  • I have never had an issue with MS Office or Windows updates with the HTTPS proxy.
    I think that it is something that they are not accurately telling you.
    Yes, one can make the HTTPS proxy deny MS updates, but the default settings include the Predefined Content Inspection Exceptions list, which allows MS update sites.

  • The problem was that it just stopped working last month.
    All the years before we had no problem with the MS Office updates!

    I know they had changed rules (for security), but (actually) none that have to do with the MS Office updates.
    Since then, the problem probably occurred.
    I only noticed it later.
    That's why I was surprised by the statement.

  • I can verify this as I have two client environments with the same issue. After some troubleshooting it appears to be the proxy blocking the update so I assume Microsoft has added new servers/IP ranges. We are still running this down.

  • Thank you @Larry for your verifying posting.

  • I still have no issues with MS Office updates.

    Could this possibly be a Geo block issue?
    MS updates can come from IP addrs associated from many countries.

  • It totally could be. We block everything outside the USA.

    I have tried creating a proxy bypass policy and adding the M365 networks/hostnames but there are so many of them it is hard to update. Is there any way to take the Microsoft M365 IP and URL list provided here: https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7 and convert that to a format an alias can import?

  • See the "Import and Export a List of Alias Members" section, here:

    Create an Alias
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/alias_create_c.html

  • Interesting.

    "These domain names do not appear in the list of predefined content inspection exceptions in the HTTPS proxy action."

    Why, WG ?????
    You have decided to add lots of other domains to the predefined content inspection exceptions list.

  • I know this is a bit of an old thread but came across it while researching a similar error and I knocked together a little PowerShell to import the Microsoft endpoint list linked above, and spit out a CSV suitable for importing as an alias.

    My watchguard complained about the format of one of the FQDNs which I amended and the autodiscover link should probably point to your o365 tenant onmicrosoft address(es). Sure you can all figure it out.

    Anyway, hope this is useful for someone else:

    # Download the Microsoft 365 endpoint list and parse the JSON
    $endpoints = ((Invoke-WebRequest -UseBasicParsing "https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7").Content) | ConvertFrom-Json

    $output = ""

    # IP ranges first: entries containing ":" are IPv6, the rest are IPv4
    foreach ($endpoint in $endpoints) {
        if ($endpoint.ips) {
            foreach ($ip in $endpoint.ips) {
                if ($ip -like "*:*") {
                    $output += ("ipv6," + $ip + "`n")
                }
                else {
                    $output += ("ipv4," + $ip + "`n")
                }
            }
        }
    }

    # Then the host names, one "fqdn,<name>" line each
    foreach ($endpoint in $endpoints) {
        if ($endpoint.urls) {
            foreach ($url in $endpoint.urls) {
                $output += ("fqdn," + $url + "`n")
            }
        }
    }

    # Write the alias import file
    $output | Set-Content mstofirebox.csv
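
An added example, not part of the post above and not WatchGuard or Microsoft code: a variant that keeps the proxy-bypass alias as narrow as possible by selecting only required endpoints of chosen service areas, de-duplicating members, and flagging wildcard FQDNs for review before import. It assumes the feed's `serviceArea` and `required` fields and the `type,value` line format used above; the function name, parameters, output file name and sample data are hypothetical.

```powershell
# Constructed sample in the shape of the endpoint feed (not real feed data),
# so the example runs offline. Replace with the downloaded JSON in practice.
$sampleJson = @'
[
  {"id":1,"serviceArea":"Exchange","required":true,
   "urls":["outlook.example.com","*.mail.example.com"],
   "ips":["192.0.2.0/24","2001:db8::/32"]},
  {"id":2,"serviceArea":"Common","required":true,
   "urls":["updates.example.com","outlook.example.com"],
   "ips":["192.0.2.0/24","198.51.100.0/25"]},
  {"id":3,"serviceArea":"Common","required":false,
   "urls":["optional.example.com"]}
]
'@

# Hypothetical helper: returns unique "type,value" alias lines.
function ConvertTo-AliasLine {
    param(
        [Parameter(Mandatory)] [object[]] $Endpoints,
        [string[]] $ServiceArea = @('Common'),
        [switch] $IncludeOptional
    )
    $lines = foreach ($e in $Endpoints) {
        if ($e.serviceArea -notin $ServiceArea) { continue }
        if (-not $e.required -and -not $IncludeOptional) { continue }
        foreach ($ip in @($e.ips)) {
            if (-not $ip) { continue }   # row has no "ips" property
            $type = if ($ip -like '*:*') { 'ipv6' } else { 'ipv4' }
            "$type,$ip"
        }
        foreach ($url in @($e.urls)) {
            if ($url) { "fqdn,$url" }
        }
    }
    # The same range or host appears in several feed rows; emit each once.
    $lines | Sort-Object -Unique
}

$endpoints = $sampleJson | ConvertFrom-Json
$members   = ConvertTo-AliasLine -Endpoints $endpoints -ServiceArea 'Common', 'Exchange'

# Wildcard names widen the bypass and may need editing before import.
$wildcards = $members | Where-Object { $_.StartsWith('fqdn,') -and $_.Contains('*') }
if ($wildcards) { Write-Warning ("Review before import: " + ($wildcards -join '; ')) }

$members | Set-Content mstofirebox-filtered.csv
```

With the constructed sample this writes six unique members and warns about `*.mail.example.com`; the optional `Common` row is left out unless `-IncludeOptional` is passed.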
    
  • @CaptainCamden You are legend for that script!

    I still have the Office update issue, but this is an awesome script!

    With the issue, if I give a host unfiltered access to the internet it works fine so it is something in the WG Proxy/Web filtering that is blocking the updates.

  • I am starting to see this today with 2 customers. One was obvious. I installed a new server 2022 and when I went to do updates I received an error code. It started to download but then stopped with the code. Firebox traffic log showed IPS blocking it. Created an Allow Anything rule and unchecked the IPs. Updates downloaded. Same thing on the other client. Both Firewalls up to date.

  • Know the IPS signature number?

  • I don't. It seems to have cleared itself up. I have updated several machines today without issue.

  • There is this new Known Issue:

    IPS signatures 1139797 and 1132092 block HTTP port 80 traffic after upgrade to v12.5.12
    https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000bydhSAA&lang=en_US

    Workaround:
    Temporarily add IPS signature exceptions to allow port 80 traffic through the Firebox.
