Tuesday, December 16, 2008

Allowing CSA Management Center to access WSUS server

The pre-configured CSA 6.0 policy for the CSA Management Center does not allow the management center itself to reach the WSUS server. Rule 269 denies the connection, as shown below.



You'll notice that the screenshot is taken from the events shown in the agent GUI on the management center host, not from the management center event log. That is because rule 269 does not log by default, so the denied packets never show up in the management center event logs. In order to view them on the management center, you would need to do one of two things:

Explicitly turn on logging for rule 269


Enable log overrides for a particular group


Once rule 269 is logging, its denials appear in the management center event log and can be viewed there, which makes the troubleshooting process much easier.

The underlying cause is that rule 269 is a default-deny rule: it blocks all network traffic not explicitly allowed by another rule. Since rule 269 belongs to the "CSA MC Network Security Module", it only affects the management center. This is why WSUS updates work fine under the pre-configured server and desktop policies. Those policies contain no rule that explicitly blocks network traffic, so the default action is to allow it, and the WSUS update traffic gets through on desktops and servers.

There are a number of ways to fix the problem for the management center. The easiest method is to use the Wizard in the event log entry for rule 269. The Wizard creates an exception rule for exactly the traffic that was blocked, which is preferable to loosening rule 269 itself.

The first step is to locate the rule 269 event log entry and click on the Wizard link. This is shown in the red oval in the diagram below.


The next step is to select the "Allow Operation" radio button, provide a justification and click "Finish". This is shown below.


After "Finish" is clicked, the necessary variables and rule are created. The next step is to generate the policy to install the rules. The diagram below shows the variables and rules that will be generated.


After the rule generation, there should now be an exception rule that allows access to the WSUS server to get Microsoft updates. This is shown below.


A closer inspection of the rule shows that it is a granular rule: it only allows the executable "svchost.exe -k netsvcs" (the service host instance that runs the Automatic Updates service) to talk to the WSUS server, as a client, on port 80/tcp. No other process gains network access and the default deny in rule 269 stays in place for everything else. Keep in mind that the exception matches the WSUS server and port as they were at the time the Wizard ran; if the WSUS server moves to another address or port, the exception has to be updated to match. This is shown below.


To verify that the rule is really working, you can temporarily turn on logging for the exception rule. This is shown below.


A reboot of the management center should kick off the WSUS update check again (running "wuauclt /detectnow" on the management center also triggers the check, without a reboot). Once the check is complete, something similar to the following should be in the event log.


After verifying the success of the exception rule, make sure to turn off logging on the exception rule and any other logging that was turned on for troubleshooting purposes above. Left on, every allowed WSUS connection would keep generating event log entries and bury the events you actually care about.
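The verification can be driven from the management center host without rebooting it. The following is an added example for this post, not something from Cisco or from the CSA product; it assumes the Automatic Updates client on the management center is pointed at WSUS through policy, so the WSUS URL is in the WUServer registry value (the normal setup on a domain-joined server). It reads that value to confirm the host and port the generated exception rule must match, attempts a TCP connection with a timeout so that a silent CSA drop does not hang the check, then triggers a detection cycle so that the svchost.exe connection, the one the exception rule actually names, shows up in the event log.

```powershell
# Added example, not part of the original post or of the CSA product.
# Run in an elevated PowerShell prompt on the CSA Management Center host.
# Assumption: the Automatic Updates client is configured for WSUS through
# policy, so the WSUS URL lives in the WUServer registry value.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $wuKey).WUServer
if (-not $wuServer) {
    Write-Error "No WUServer value under $wuKey; this host is not configured for WSUS."
    return
}

# WUServer is a URL such as http://wsus01 or http://wsus01:8530. System.Uri fills in
# the scheme's default port (80 for http) when the URL does not name one, which is
# exactly the host and port the generated exception rule has to match.
$uri = New-Object System.Uri $wuServer
"WSUS target from policy: host={0} port={1}" -f $uri.Host, $uri.Port

# TCP connect with a timeout. A CSA deny frequently surfaces as a silent drop rather
# than a reset, so a plain blocking Connect could hang for a long time.
# The exception rule is scoped to svchost.exe, so by the post's description of
# rule 269 this connect from powershell.exe is expected to be denied unless some other
# MC rule allows it; a denial here (visible with rule 269 logging on) shows that the
# exception did not open the port to arbitrary processes.
$tcp = New-Object System.Net.Sockets.TcpClient
$async = $tcp.BeginConnect($uri.Host, $uri.Port, $null, $null)
$finished = $async.AsyncWaitHandle.WaitOne(5000, $false)
if ($finished -and $tcp.Connected) {
    "powershell.exe -> {0}:{1}: connected" -f $uri.Host, $uri.Port
} else {
    "powershell.exe -> {0}:{1}: no connection within 5 s" -f $uri.Host, $uri.Port
}
$tcp.Close()

# Ask the Automatic Updates client to run a detection now instead of rebooting.
# This is the connection that matters: it is made by svchost.exe -k netsvcs,
# the process the exception rule names.
wuauclt.exe /detectnow

# The Automatic Updates agent writes its progress to WindowsUpdate.log; give it a
# moment, then show the recent lines so the detection result can be read alongside
# the CSA event log entry for the exception rule.
Start-Sleep -Seconds 60
Get-Content "$env:windir\WindowsUpdate.log" | Select-Object -Last 25
```

Compare the host and port printed in the first line with the variables the Wizard generated; if they differ, the exception is not going to match the traffic. The authoritative confirmation remains the management center event log entry for the exception rule, logged while its temporary logging is on, since only that entry proves the allow fired for svchost.exe.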
