Ylli_Seitaj
Staff
March 24, 2025

Technical Tip: How to allow iCloud private relay

Description: This article describes how to configure a FortiGate firewall to allow iCloud Private Relay traffic.
Scope: FortiGate.
Solution:

Go to 'Policy & Objects' -> 'Firewall Policy' and select 'Create New' to create a new firewall policy. Since the Internet Service Database (ISDB) has no entry specific to iCloud Private Relay, select all of the Apple Internet Services as the destination. Leave SSL inspection at certificate inspection (or none) on this policy: Private Relay is a TLS/QUIC tunnel to Apple's relay proxies and stops working if the FortiGate attempts full (deep) inspection of it.

 

[Screenshot_1.png: the Apple Internet Services selected as the destination of the new firewall policy]

 

After adding the Apple Internet Service, the Firewall Policy will look as below:

 
[Screenshot_2.png: the resulting firewall policy with the Apple Internet Services as destination]

 

Select OK, and the Firewall Policy will be created.

 

Note:

FortiGate evaluates firewall policies top-down and applies the first match, so place this policy above any other policy that would match the same source and destination (for example a general internet policy with deep inspection, or a deny policy). Otherwise the Private Relay traffic never reaches this policy.

 

Additionally, add a second firewall policy whose destination is the following list of Apple hostnames (these are FQDN address objects, not URLs):

  • configuration.ls.apple.com
  • gateway.icloud.com
  • gsp85-ssl.ls.apple.com
  • iphone-Id.apple.com
  • mask-api.icloud.com
  • mask-t.apple-dns.net
  • mask.icloud.com
  • mask-h2.icloud.com

Paste this CLI template into the CLI console to create the address objects, an address group "iCloud_PR_group", and the firewall policy that references it:

 

config firewall address
    edit 'configuration.ls.apple.com'
        set type fqdn
        set fqdn "configuration.ls.apple.com"
    next
    edit 'gateway.icloud.com'
        set type fqdn
        set fqdn "gateway.icloud.com"
    next
    edit 'gsp85-ssl.ls.apple.com'
        set type fqdn
        set fqdn "gsp85-ssl.ls.apple.com"
    next
    edit 'iphone-Id.apple.com'
        set type fqdn
        set fqdn "iphone-Id.apple.com"
    next
    edit 'mask-t.apple-dns.net'
        set type fqdn
        set fqdn "mask-t.apple-dns.net"
    next
    edit 'mask.icloud.com'
        set type fqdn
        set fqdn "mask.icloud.com"
    next
    edit 'mask-h2.icloud.com'
        set type fqdn
        set fqdn "mask-h2.icloud.com"
    next
    edit 'mask-api.icloud.com'
        set type fqdn
        set fqdn "mask-api.icloud.com"
    next
end
config firewall addrgrp
    edit 'iCloud_PR_group'
        set member configuration.ls.apple.com gateway.icloud.com gsp85-ssl.ls.apple.com iphone-Id.apple.com mask-t.apple-dns.net mask.icloud.com mask-h2.icloud.com mask-api.icloud.com
    next
end

config firewall policy
    edit 2 <----- Policy ID.
        set name "Apple-Private-Relay-Allow"
        set srcintf "TEST123" <----- Internal (LAN) interface.
        set dstintf "wan" <----- Internet-facing interface.
        set action accept
        set srcaddr all <----- Could be specific internal addresses.
        set dstaddr "iCloud_PR_group" <----- Must match the address group created above.
        set schedule "always"
        set service "ALL" <----- Could be restricted to HTTPS (TCP/443) and QUIC (UDP/443).
        set logtraffic all
        set nat enable
    next
end
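To check a policy set against the points above (the allow rule must sit above anything that would match the same traffic first, must not apply deep inspection, and should not need service ALL), here is an added Python lint. It is not code from the original article or from Fortinet. It parses the same config/edit/set/next/end text that the CLI template above uses, as pasted from the FortiGate's 'show firewall policy' output, and runs over two constructed policy dumps: one with a deep-inspection internet policy listed above the relay rule and the relay rule allowing service ALL, and a corrected one. The policy and interface names, the 'QUIC' predefined service name, and the by-name heuristic for which SSL/SSH profiles count as deep inspection are assumptions; address groups are not expanded, so a clean result means "not obviously wrong", not "verified".

```python
"""Lint a FortiOS 'show firewall policy' dump for an iCloud Private Relay allow rule.

Added example (not from the original article or from Fortinet). It reports:
  - a policy listed ABOVE the allow rule that matches the same traffic (FortiOS
    evaluates policies top-down, first match wins);
  - full SSL (deep) inspection on the allow rule itself, which breaks Private Relay;
  - 'service ALL' on the allow rule, where HTTPS (TCP/443) plus QUIC (UDP/443) is enough.
Policy/interface names and the 'QUIC' service name are assumptions.
"""
import shlex


def policy_text(pid, name, dstaddr, service, ssl_profile=None, note=""):
    """Render one policy in FortiOS 'show' syntax (constructed sample data only)."""
    lines = [f"    edit {pid}{note}",
             f'        set name "{name}"',
             '        set srcintf "TEST123"', '        set dstintf "wan"',
             '        set action accept', '        set srcaddr "all"',
             f'        set dstaddr "{dstaddr}"', f"        set service {service}"]
    if ssl_profile:
        lines.append(f'        set ssl-ssh-profile "{ssl_profile}"')
    return "\n".join(lines + ["    next"]) + "\n"


INSPECTED = policy_text(1, "Internet-Inspected", "all", '"ALL"', "deep-inspection")
# Constructed weak set: the broad deep-inspection policy is listed above the relay
# rule (the mis-ordering the article warns about) and the relay rule allows service ALL.
WEAK_POLICY_DUMP = ("config firewall policy\n" + INSPECTED
                    + policy_text(2, "Apple-Private-Relay-Allow", "iCloud_PR_group",
                                  '"ALL"', note=" <----- Policy ID.")
                    + "end\n")
# Constructed hardened set: relay rule first, HTTPS + QUIC only, certificate inspection only.
HARDENED_POLICY_DUMP = ("config firewall policy\n"
                        + policy_text(2, "Apple-Private-Relay-Allow", "iCloud_PR_group",
                                      '"HTTPS" "QUIC"', "certificate-inspection")
                        + INSPECTED + "end\n")

# Heuristic by built-in profile name; custom profiles need a manual look.
SAFE_SSL_PROFILES = {"none", "certificate-inspection", "no-inspection"}


def parse_policies(dump):
    """Return policies in listed (evaluation) order as {'id': str, 'settings': {key: [values]}}.
    The article's '<----- note' annotations are stripped before tokenising."""
    policies, current = [], None
    for raw in dump.splitlines():
        line = raw.split("<-----", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)  # handles the quoted values on 'set' lines
        if tokens[0] == "edit" and len(tokens) >= 2:
            current = {"id": tokens[1], "settings": {}}
        elif tokens[0] == "set" and current is not None and len(tokens) >= 3:
            current["settings"][tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and current is not None:
            policies.append(current)
            current = None
    return policies


def shadows(above, below):
    """True if 'above' matches traffic meant for 'below' on the same interface pair.
    Address groups are not expanded and interface 'any' is not special-cased."""
    a, b = above["settings"], below["settings"]
    if a.get("srcintf") != b.get("srcintf") or a.get("dstintf") != b.get("dstintf"):
        return False
    a_src, b_src = set(a.get("srcaddr", [])), set(b.get("srcaddr", []))
    a_dst = set(a.get("dstaddr", [])) | set(a.get("internet-service-name", []))
    b_dst = set(b.get("dstaddr", [])) | set(b.get("internet-service-name", []))
    return ("all" in a_src or bool(a_src & b_src)) and ("all" in a_dst or bool(a_dst & b_dst))


def lint_private_relay_policy(dump, relay_name):
    """Return a list of findings; an empty list means the allow rule looks right."""
    policies = parse_policies(dump)
    relay = next((p for p in policies if p["settings"].get("name") == [relay_name]), None)
    if relay is None:
        return [f"no policy named {relay_name!r} found"]
    findings = []
    for p in policies:
        if p is relay:
            break  # only policies listed above the relay rule can take its traffic first
        if shadows(p, relay):
            s = p["settings"]
            findings.append(
                f"policy {p['id']} is listed above {relay_name} and matches the same traffic "
                f"(action={s.get('action', ['deny'])[0]}, "
                f"ssl-ssh-profile={s.get('ssl-ssh-profile', ['none'])[0]}); move {relay_name} above it")
    s = relay["settings"]
    profile = s.get("ssl-ssh-profile", ["none"])[0]
    if profile not in SAFE_SSL_PROFILES:
        findings.append(f"{relay_name} uses ssl-ssh-profile {profile!r}; Private Relay breaks "
                        "under full SSL inspection, use certificate-inspection or none")
    if "ALL" in s.get("service", []):
        findings.append(f"{relay_name} allows service ALL; restrict it to HTTPS (TCP/443) "
                        "and QUIC (UDP/443)")
    return findings


if __name__ == "__main__":
    for label, dump in (("weak", WEAK_POLICY_DUMP), ("hardened", HARDENED_POLICY_DUMP)):
        print(label, lint_private_relay_policy(dump, "Apple-Private-Relay-Allow") or ["OK"])
```

Run it as is to see both verdicts, or replace WEAK_POLICY_DUMP with the text of 'show firewall policy' from your own unit. The ordering check looks only at policies listed before the relay rule, because a policy below it can never take its traffic; the inspection check looks at the relay rule only, since that is where an SSL/SSH profile would intercept the tunnel.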


Leave full SSL (deep) inspection off both of these policies (no SSL/SSH profile, or certificate inspection only): Private Relay is a TLS/QUIC tunnel to Apple's relay proxies and fails rather than accept an intercepted certificate. Note also that FQDN address objects only match once the FortiGate has resolved the names, so the FortiGate itself must be able to resolve these hosts.

There is another way to allow internet access while iCloud Private Relay is in use on end devices. Refer to Troubleshooting Tip: How to fix 'SSL connection is blocked due to unable to retrieve servers certificate' received in the SSL Events, and allow cert-probe-failure in the SSL/SSH profile. With that setting the FortiGate lets a TLS session through when it cannot retrieve the server certificate by probing, instead of blocking it. This applies to every connection that fails the probe, not only Private Relay, so the destination-based policies above are the narrower option.

 

Related article:

Technical Tip: How to block iCloud Private Relay from bypassing the Security Inspection 

    1 reply

    MrJeff01
    New Member
    May 19, 2026

    I tried this and it did not work for me at first. I opened a support case, then found the old "It's always DNS" applies here too.

     

    To hopefully save some others some time...
    If you are using an internal DNS server, this won't work. For this to work, you need to either use a public DNS server or use the DNS server service on the FortiGate so that it can see the DNS query for Apple services to apply the policy to allow it. If using an internal DNS server, it won't see the query coming from the device IP address and won't apply this policy.

     

    It is possible to set up the FortiGate as an AD slave zone and link it to AD, since I can see this being an issue for some.

    https://community.fortinet.com/fortigate-3/technical-tip-dns-database-with-fortigate-as-a-slave-to-a-windows-ad-dns-master-95224