Windows updates may cause denial of access to Internet


System administrators are constantly trying to optimize the performance of their networks. Rather than continue to process attempts that consistently fail, an administrator will block access for devices that repeatedly break the rules. One place this can be done is on repeated failed attempts to use a policy that requires user authentication.

It’s a straightforward setting, but there is a potential “gotcha” when using it.

The syntax of the setting is as follows:

config user setting
    set auth-lockout-threshold <int>
end

The integer value in the setting is the number of times in a minute that a user can make an unsuccessful attempt to go through a firewall policy that requires device or user authentication. Once the threshold is passed, the IP address of the device is blocked and the address is blacklisted. All further traffic from the device will be dropped.

The symptom that most people will see, and that indicates a problem with the setup, is that a computer is denied access through a firewall policy because of too many failed login attempts even though the user has not even tried to go on the Internet. This frustrates the logical-analysis part of the troubleshooting process: if the user has made no attempts, how could they have too many failed logins? The problem is that we often assume the attempts have to be made by a user. It’s right there in the name of the setting. We forget that software will try to contact the Internet on its own. Most of the time, when the FortiGate doesn’t let software go out on the Internet unsupervised, that is a good thing. It is a security device, and that is one of the FortiGate’s jobs.

The most common cause of this inexplicable blacklisting is an automated process on a computer sending traffic to the Internet with no opportunity for an interactive login.

A common example of this is the automated Microsoft Windows update process. Windows determines that it hasn’t been updated in a while and sends a request to one of the Microsoft servers. It tries repeatedly to connect but can’t because it needs to authenticate first to go through the firewall policy. After about 1 minute the computer is blacklisted because it exceeded the number of failed attempts set in the auth-lockout-threshold setting.

To stop this blacklisting behavior, the device or user needs to authenticate before accessing the Internet. Once authenticated, the traffic should flow without issue. A possible workaround is to determine what is causing the failed authentication attempts and add a policy that matches this traffic. In that policy you can choose to allow or deny the traffic. In the case of Windows updates, you might want to create a policy that allows access to the Windows Update servers with no requirement for authentication.
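As an added example (not from the original post or from Fortinet’s documentation), here is what that workaround looks like in the FortiOS CLI: the lockout setting, an FQDN address object for a Windows Update server, and an unauthenticated policy for that destination only, moved above the authenticated Internet policy so that it matches first. The interface names, policy IDs, the “Staff” user group and the single FQDN are assumptions; the full server list comes from Microsoft’s published Windows Update documentation (one FQDN per address object), and exact keywords vary between FortiOS versions.

```text
config user setting
    set auth-lockout-threshold 3
end

config firewall address
    edit "Windows-Update-Servers"
        set type fqdn
        set fqdn "download.windowsupdate.com"
        set comment "Placeholder: add one object per FQDN from Microsoft's Windows Update list"
    next
end

config firewall policy
    edit 20
        set name "WU-no-auth"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Windows-Update-Servers"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set comments "Windows Update runs unattended; allow it without user auth so its retries do not trip the lockout"
    next
    edit 10
        set name "Internet-with-auth"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "Staff"
    next
    move 20 before 10
end
```

Keeping the unauthenticated policy scoped to the update destinations and a narrow service set means the rest of the Internet still requires a login, so the lockout continues to protect the authenticated policy.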

Information on what is needed to configure a firewall for Windows updates can be found here.

Other traffic causing this issue has to be addressed on a case-by-case basis, as the firewall parameters are likely to be different in each situation.

Bruce Davis


Technical Writer at Fortinet
Bruce has been working with computers, and related technology, since before the World Wide Web was a thing. He has worked in system and network administration. He has even dabbled in technical support. He has made the switch to technical writing as part of his deep, dark and dastardly plan to make the arcane machinations of IT technology more easily understood by the poor folks who use it.