Next Generation Firewall (NGFW)


Virus policy false positive

  • 1.  Virus policy false positive

    Posted Jun 17, 2018 09:05 PM

    Hi all. For two weeks I have been picking up false positives on Windows updates. I can't whitelist certain IPs with the virus feature on the firewall policy. Any ideas on how to mitigate?


    Message meets Alert condition
    Virus/Worm detected: Protocol: "HTTP" Source IP:
    Destination IP: Email Address From: Email Address
    date=2018-06-18 time=08:59:22 devname=xxxxxx devid=FG100E4Q17006469 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" eventtime=1529305162 msg="File is infected." action="blocked" service="HTTP" sessionid=72527335 dstip= srcport=54879 dstport=80 srcintf="port1" srcintfrole="lan" dstintf="WAN LINK OUT" dstintfrole="wan" policyid=29 proto=6 direction="incoming" filename="" quarskip="File-was-not-quarantined." url="" profile="default" agent="Windows-Update-Agent/10.0.10011.16384" analyticscksum="b335f5cacec2a70f99aff42470beeb60ee60bad85686640ed04529a60244b0ef" analyticssubmit="true" crscore=50 crlevel="critical"

  • 2.  RE: Virus policy false positive

    Posted Jun 17, 2018 11:07 PM


    You can configure a firewall policy to allow access to the Windows Update servers and move the policy to the top of the policy list.

    You need to create FQDN address objects for the following FQDNs.

    Configure a firewall policy without authentication,

    from interface Internal to destination interface External, but limit the destination address to a group containing the Microsoft Update FQDNs,

    and move the policy to the top of the policy table.


    Deepak Kumar
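    A worked version of the steps above in FortiOS CLI syntax, added here as an example; it is not code from the original post or from Fortinet. The interface names are taken from the log in the question (srcintf="port1", dstintf="WAN LINK OUT") and policyid=29 is the policy that produced the blocked event there. The object and policy names and the three Windows Update hostnames are assumptions; check the hostnames against Microsoft's current list for the client OS in use, since the CDN hostnames behind Windows Update change over time.

```fortios
# Added example, not from the thread. FortiOS CLI; names marked as assumptions.
# 1. FQDN address objects. The CDN IPs behind Windows Update change constantly,
#    which is why IP-based whitelisting did not hold. Hostnames are assumptions.
config firewall address
    edit "WU-download.windowsupdate.com"
        set type fqdn
        set fqdn "download.windowsupdate.com"
    next
    edit "WU-windowsupdate.microsoft.com"
        set type fqdn
        set fqdn "windowsupdate.microsoft.com"
    next
    edit "WU-update.microsoft.com"
        set type fqdn
        set fqdn "update.microsoft.com"
    next
end

# 2. Group the objects so the policy references a single destination.
config firewall addrgrp
    edit "Microsoft-Update-FQDNs"
        set member "WU-download.windowsupdate.com" "WU-windowsupdate.microsoft.com" "WU-update.microsoft.com"
    next
end

# 3. Bypass policy: no user/group authentication, no AV profile (no av-profile
#    or utm-status line), destination restricted to the group only.
#    Interfaces come from the log line: port1 -> "WAN LINK OUT".
config firewall policy
    edit 0
        set name "Allow-Windows-Update-noAV"
        set srcintf "port1"
        set dstintf "WAN LINK OUT"
        set srcaddr "all"
        set dstaddr "Microsoft-Update-FQDNs"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
        set comments "AV bypass limited to Windows Update hosts; review FQDN list regularly"
    next
end

# 4. Move the new policy above the one that blocked the update (policyid=29).
#    'edit 0' takes the next free ID; read it back with 'show firewall policy'
#    and substitute it for the <new-id> placeholder below.
config firewall policy
    move <new-id> before 29
end
```

    Two things to check after applying it. First, an FQDN object matches on the addresses the FortiGate itself resolves and caches for that name; if clients resolve a different CDN node than the firewall does, their sessions will not match the bypass policy, will fall through to policy 29 and will be blocked again, so point clients and the FortiGate at the same DNS resolvers and confirm with `diagnose firewall fqdn list`. Second, this policy deliberately removes AV scanning for anything served from those hosts, which is why the destination is the FQDN group rather than "all" and why logging stays on; widening the group (for example with wildcard FQDNs) widens the unscanned path by the same amount.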


  • 3.  Virus policy false positive

    Posted Jun 17, 2018 11:19 PM
    Incredible, thanks very much…

    Kind regards

    Marc de Jager
    M : +27 72 318 4607
    O : +27 11 474 2245