As you are probably aware by now, the PCI DSS requires that inbound and outbound traffic be limited to that which is necessary for the cardholder data environment, and that the restrictions be documented.
Typically this is done by allowing only the required port/protocol/service from a specific source IP address to a specific destination IP address and denying all other traffic. However, some management update services use dynamic IP addresses for their update servers (such as Windows updates and Symantec Endpoint Protection updates), which makes this a little tricky. To allow traffic to an HTTP or HTTPS server whose IP address changes dynamically on WatchGuard firewalls, you must edit your HTTP-Client proxy ruleset to add HTTP proxy exceptions for the server.
Here is a link to a WatchGuard FAQ describing how to do this for Windows Updates:
For a Symantec Endpoint Protection Management or Live Update server, add an exception for *liveupdate.symantecliveupdate.com using the same steps found in the article above.
Viviana Dragu, PCI QSA
Senior Consultant, PCI Compliance Services