SonicWall Blocking Update Downloads

Alex WilsonNetwork Systems Administrator
How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.

Sonicwall firewalls come with a whole host of features to help you secure your network and ward off attacks. 

One of the foundations of your configuration should include properly setting up the Gateway Anti-Virus. As good as the Gateway Anti-Virus is, sometimes you run into a few quirks. One of these is that sometimes the Gateway Anti-Virus will block automatic update downloads for your business apps. For example, Adobe, Symantec, Windows Update, and Java. 

It blocks these downloads because they are executable code that is trying to download and launch automatically. 

If you have the Restrict Transfer of packed executable files (UPX, FSG, etc.) setting enabled  for the HTTP protocol settings, it will block those downloads.

You can choose to disable this and lose the protection.

There is a work around that will allow these downloads and allow you to still have the Gateway Anti-Virus protect your network from downloaded executables.


Create a Gateway AV exclusion list

Here is how...

Before you begin always Back Up your SonicWall Settings and Export them to a safe place.

In the Sonicwall go to Security Services > Gateway Anti-Virus and click on the Configure Gateway AV Settings button.

Make sure to check the box for Enable Gateway AV Exclusion List.

You will have two choices for the type of exclusion list to use. Use Address Object list or Use IP Range list.

If you choose to use the IP Address Range list, you will need to know the servers public IP Address range.

You can usually get the DNS names or IP addresses of your applications update servers from their support site or forums.

If all you can find is the DNS name of the server, you can open a command prompt and type in NSLOOKUP followed by the DNS name of the server to get the IP address. 

Make sure that the Use Address Range radio button is checked and add the address to the exclusion list.

Once your addresses are in the list and you save the settings, your downloads should be allowed.

If you choose the Use Address Object list, you will not need the IP addresses of the servers.

To use the Address Object list, you will need to create an Address Object for each server DNS name and add it to an Address Group list.

Here is how

In the SonicWall, go to Firewall > Address Objects and click on the Add button.

Give the Object a friendly name that helps identify it and assign it to the WAN zone.

For the "Type:" select FQDN and for the FQDN Hostname, enter the update servers DNS name.

Don't close the dialog box and continue adding all of the ohter servers DNS names.

When finished click OK.

Next, you will need to add all of the individual Address Objects that you just created into a single Address Group.

Click on the Address Group tab and click on the Add button.

Add your Objects to the group.

Go back to the Configure Gateway AV Settings page and click the Use Address Object radio button.

In the drop down menu, select your Address Object Group and click OK.

You should now be able to run the automatic downloads for your App.

If you need to add more than one App to the exclusion list, either add the additional address ranges or add the new Address Objects to the current Address Group.

Alex WilsonNetwork Systems Administrator

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.