Next Generation Firewall (NGFW)


Virus policy false positive

  • 1.  Virus policy false positive

    Posted 06-17-2018 21:05

    Hi all. For two weeks I have been picking up false positives on Windows updates. I can't whitelist certain IPs with the virus feature on the firewall policy, any ideas on how to mitigate?


    Message meets Alert condition
    Virus/Worm detected: Protocol: "HTTP" Source IP:
    Destination IP: Email Address From: Email Address
    date=2018-06-18 time=08:59:22 devname=xxxxxx devid=FG100E4Q17006469 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" eventtime=1529305162 msg="File is infected." action="blocked" service="HTTP" sessionid=72527335 dstip= srcport=54879 dstport=80 srcintf="port1" srcintfrole="lan" dstintf="WAN LINK OUT" dstintfrole="wan" policyid=29 proto=6 direction="incoming" filename="" quarskip="File-was-not-quarantined." url="" profile="default" agent="Windows-Update-Agent/10.0.10011.16384" analyticscksum="b335f5cacec2a70f99aff42470beeb60ee60bad85686640ed04529a60244b0ef" analyticssubmit="true" crscore=50 crlevel="critical"

  • 2.  RE: Virus policy false positive

    Posted 06-17-2018 23:07


    You can configure a firewall policy to allow access to Windows Update servers and move the policy to the top of the policy list.

    You need to create FQDN address objects for the following FQDNs.

    Configure the firewall policy without authentication.

    From interface Internal to destination interface External, but limit the destination address to a group containing the Microsoft Update FQDNs.

    And move the policy to the top of the policy table.


    Deepak Kumar
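
The procedure above written out as FortiOS CLI, as an added example that is not Deepak's own configuration: the interface names and policy id 29 come from the log in the first post, while policy id 30, the object names and the two FQDNs are assumptions to adapt to your own environment. The new policy carries no AV profile, so keep its destination group and services narrow and leave logging on.

```fortios
# Added example (not from the thread): FortiOS CLI for the reply's procedure,
# using srcintf "port1", dstintf "WAN LINK OUT" and policyid 29 from the log.
# The FQDNs are well-known Windows Update hosts; confirm them against
# Microsoft's current published list. Policy id 30 is assumed to be unused.
config firewall address
    edit "WU-update.microsoft.com"
        set type fqdn
        set fqdn "update.microsoft.com"
    next
    edit "WU-download.windowsupdate.com"
        set type fqdn
        set fqdn "download.windowsupdate.com"
    next
end

config firewall addrgrp
    edit "Windows-Update-Servers"
        set member "WU-update.microsoft.com" "WU-download.windowsupdate.com"
    next
end

config firewall policy
    edit 30
        set name "Allow-Windows-Update"
        set srcintf "port1"
        set dstintf "WAN LINK OUT"
        set srcaddr "all"
        set dstaddr "Windows-Update-Servers"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        # No av-profile is set, so the "default" AV profile named in the
        # alert is not applied to this narrowly scoped policy.
        set logtraffic all
        set nat enable
        set comments "Windows Update - exempt from AV false positive"
    next
    # Place the new policy above policy 29 so it is matched first.
    move 30 before 29
end
```

FQDN objects only work if the FortiGate resolves the same names the clients do, so point the unit at a reliable DNS server and check the resolved addresses with the firewall's FQDN diagnostics after applying.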


  • 3.  Virus policy false positive

    Posted 06-17-2018 23:19
    Incredible, thanks very much…

    Kind regards

    Marc de Jager