Google Chrome is a widely used browser, and delivering Google Chrome updates is crucial for security and performance. Keeping Google Chrome up to date in a secured network environment can be a challenge, and network firewall configurations can be tricky for some use cases.
Disclaimer: In this article I show ways to allow Google Chrome updates for a specific network or IP address, using a Sophos XGS firewall for the demo. The author will not be responsible for any firewall misconfiguration leading to security concerns, whether caused by human, software or any other errors.
Below are the sites used for Google Chrome updates.
- www.google.com/dl/*
- dl.google.com/*
- google.com/dl/*
- *.gvt1.com
- tools.google.com/service/update2
- clients2.google.com
- update.googleapis.com/service/update2
- clients4.google.com
These sites must be allowed in order to receive updates for Google Chrome. Notice that these sites share common domains? Instead of allowing individual sites, let's allow Fully Qualified Domain Names (FQDNs) for the domains.
The FQDNs for the above sites will be:
- *.google.com
- *.gvt1.com
- *.googleapis.com
Note: * indicates a wildcard entry, meaning all subdomains of the given domain will be allowed. If you are required to allow only the update sites, check the latest list of sites from Google and use those in the rules and policies described below.
Steps to create firewall rules and a policy to allow Chrome updates in the network.
The guide below is for the Sophos XGS firewall, but it should work for any firewall as long as you understand the logic.
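The trade-off in the note above can be checked offline. The following Python sketch is an added example, not part of the original article or any Sophos tooling: it tests the article's update-site list against the three wildcard objects, assuming a strict wildcard reading in which `*.google.com` does not match the bare `google.com` (firewalls differ here), and uses a constructed list of sample hostnames.

```python
# Update endpoints and wildcard FQDN objects as listed in the article.
UPDATE_SITES = [
    "www.google.com/dl/*", "dl.google.com/*", "google.com/dl/*", "*.gvt1.com",
    "tools.google.com/service/update2", "clients2.google.com",
    "update.googleapis.com/service/update2", "clients4.google.com",
]
WILDCARD_FQDNS = ["*.google.com", "*.gvt1.com", "*.googleapis.com"]

# Constructed sample hostnames (not from the article) to show wildcard reach.
SAMPLE_HOSTS = ["mail.google.com", "drive.google.com", "storage.googleapis.com",
                "dl.google.com", "r1.gvt1.com", "notgoogle.com"]


def host_of(entry):
    """Strip any path from an entry such as 'dl.google.com/*'."""
    return entry.split("/", 1)[0].lower().rstrip(".")


def matches(pattern, host, apex_matches=False):
    """Match a host against an exact name or a '*.domain' wildcard.

    apex_matches=False is an assumed strict reading: '*.google.com' covers
    'dl.google.com' but not the bare 'google.com'. Check your vendor's rule.
    """
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    base = pattern[2:]
    # Require a dot boundary so 'notgoogle.com' never matches '*.google.com'.
    return host.endswith("." + base) or (apex_matches and host == base)


def uncovered(sites, patterns, apex_matches=False):
    """Update hosts that none of the wildcard objects would allow."""
    hosts = {host_of(s) for s in sites}
    return sorted(h for h in hosts
                  if not any(matches(p, h, apex_matches) for p in patterns))


def extra_allowed(hosts, sites, patterns):
    """Hosts the wildcards allow although they are not on the update list."""
    listed = [host_of(s) for s in sites]
    return [h for h in hosts
            if any(matches(p, h) for p in patterns)
            and not any(matches(entry, h) for entry in listed)]


if __name__ == "__main__":
    print("not covered (strict wildcard):", uncovered(UPDATE_SITES, WILDCARD_FQDNS))
    print("allowed beyond update list:",
          extra_allowed(SAMPLE_HOSTS, UPDATE_SITES, WILDCARD_FQDNS))
```

If the strict reading applies to your firewall, add a plain `google.com` FQDN object alongside the wildcard so the `google.com/dl/*` site is covered.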
1. Create FQDN objects in the firewall.
Navigate to Host and Services in the Sophos firewall GUI.

Click on FQDN host.

Check whether the desired FQDN already exists.

If the required FQDN is not present, you can add a new FQDN using the Add button on the right-hand side.

(Optional) As there are three FQDNs, we can create an FQDN group to categorize them and use them conveniently. Click on FQDN host group in the ribbon above and add a new FQDN group.

Name the group and add the FQDNs we created in the previous step.

2. Create network objects for the hosts that should be allowed to receive these updates.
Navigate to the IP host object from the ribbon in Host and Services and add an IP host. If you already have the IP host object, you can skip this and the next step as well.

In the IP host object, give it a name and select IP, Network, IP range or IP list as per your requirement. In this case I have used a network object and entered the network in my infrastructure for which I want to allow Google updates.

3. Create a rule/policy that allows only the Google FQDNs for the specified network or IPs.
Navigate to Rules and Policies in the Sophos XGS GUI as shown.

Click on add new rule, configure the fields below, and save the rule at the top position or at a position where it takes precedence over any rule that would block traffic to the given destinations.
Note: Security features such as HTTPS scanning, application filter, IPS, DNS filter, TLS inspection and others should be turned on, depending on your firewall vendor, to make sure the network firewall's security works at its best.

4. Validate the configuration.
In Sophos you can use the policy tester to validate rules and policies; for any other firewall, please refer to the vendor's documentation.
Navigate to Diagnostics in the GUI and click on policy tester as shown.


Finally, validate the results using the policy tester by entering the required values.

As you can see, the required domains are allowed for the network we specified. Google Chrome downloads and updates should now work as expected.