tanr
New Member
July 23, 2017
Question

Certificate Inspection (Not Deep) Causes iOS App Store and iCloud Family Sharing to Fail?

  • July 23, 2017
  • 2 replies
  • 22014 views

Hi All,

Some new iOS devices are on our network now and will fail to connect to Apple's App Store, or show correct state for their iCloud Family Sharing status, while certificate inspection is turned on.

Turning off certificate inspection allowed everything to work, but I thought just plain certificate inspection (not deep inspection) wasn't supposed to cause a problem with Apple's certificate pinning?

I thought I read other cases of problems with just certificate inspection, but haven't been able to find it in the forums.

Any thoughts or suggestions?

Thanks.

    2 replies

    hmtay_FTNT
    Staff
    July 24, 2017

    Hello tanr,

    With certificate inspection, it should not cause any problems with certificate pinning since it is not replacing the SSL certificate. Can you do a packet capture and look to see if there are any sessions that have the certificate replaced with the FGT's certificate? I could check for you too if you can send me the pcap.

    Homing
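The check Homing asks for is, concretely: for each TLS session to an Apple host, is the leaf certificate the one the origin sent (certificate-only inspection, chain untouched) or one re-signed by the firewall's inspection CA (deep inspection, which breaks pinned clients)? The script below is an added example, not code from this thread or from Fortinet. It classifies certificates in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; the issuer organization name "Fortinet" used to recognise the inspection CA is an assumption (the default FortiGate SSL inspection CA is taken to carry that O= value; substitute the DN of whatever CA your unit is configured to sign with), and the two sample certificates are constructed for the example, not real Apple or Fortinet data.

```python
"""Spot TLS sessions whose server certificate was re-signed by an
inspection CA (what deep inspection does and certificate-only inspection
must not do). Added example, not Fortinet code; issuer strings are
assumptions and the sample certs are constructed."""
import socket
import ssl

# Organization names that mark a resigning (man-in-the-middle) CA.
# Assumption: the default FortiGate SSL inspection CA uses O=Fortinet;
# replace with the DN of the CA your firewall actually signs with.
MITM_ISSUER_ORGS = {"fortinet"}


def rdn_to_dict(rdn_sequence):
    """Flatten the ((('attr', 'value'),), ...) RDN tuples returned by
    ssl.SSLSocket.getpeercert() into a plain {attr: value} dict."""
    out = {}
    for rdn in rdn_sequence:
        for attr, value in rdn:
            out.setdefault(attr, value)
    return out


def classify_cert(cert, mitm_orgs=MITM_ISSUER_ORGS):
    """'replaced' if the leaf was issued by a known inspection CA,
    'unverifiable' if no parsed certificate is available (the chain did
    not validate on this host), otherwise 'passthrough'."""
    if not cert:
        return "unverifiable"
    issuer = rdn_to_dict(cert.get("issuer", ()))
    if issuer.get("organizationName", "").lower() in mitm_orgs:
        return "replaced"
    return "passthrough"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live probe: TLS-connect with SNI and return the parsed leaf cert.
    Verification stays ON on purpose: with CERT_NONE the stdlib returns an
    empty dict, and a verification failure is itself a signal that the
    chain presented is not the origin's (or that the inspection CA is not
    in this host's trust store). Returns None on verification failure;
    socket errors propagate to the caller."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None


def audit(certs_by_host):
    """Classify a {host: cert_dict_or_None} mapping, e.g. one built by
    calling fetch_peer_cert() for every SNI seen in a capture."""
    return {host: classify_cert(cert) for host, cert in certs_by_host.items()}


# Constructed samples shaped like getpeercert() output; the DNs are made
# up for this example and are not real Apple or Fortinet certificate data.
SAMPLE_RESIGNED = {
    "subject": ((("commonName", "init.itunes.apple.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Fortinet"),),
               (("commonName", "FortiGate CA"),)),
}
SAMPLE_PASSTHROUGH = {
    "subject": ((("commonName", "init.itunes.apple.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example TLS Issuer"),)),
}

if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:] or ["init.itunes.apple.com"]
    for host, verdict in audit({h: fetch_peer_cert(h) for h in hosts}).items():
        print(f"{host}: {verdict}")
```

Run it from a client behind the FortiGate with the Apple hostnames seen in the capture's SNI fields; a "replaced" verdict on any of them means that flow is being deep-inspected regardless of what the profile says, and a pinned app will refuse it. Doing the same thing against a pcap means reading the issuer out of the Certificate handshake message, which is only visible in clear for TLS 1.2 and earlier; in TLS 1.3 the certificate is encrypted, so a live probe like this one is the simpler check.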

    Headspinning
    New Member
    November 29, 2017

    We have a similar issue with the App Store. You will need to do some packet captures to check. Usually it is the communication to the Akamai cache that gives problems. Whitelisting the Akamai range from SSL inspection solved it for us, but it is far from ideal.

    I am also looking for the root cause and a more secure solution.

    tanr (Author)
    New Member
    November 29, 2017

    In my case the problem turned out not to be certificate pinning, but instead that the FortiGate wasn't properly matching iPhone and iPad types. Instead of matching the policy for mobile devices it was matching a more generic policy for that subnet to the wan. The more generic policy didn't allow some of the services needed for the iOS devices.

    My workaround was to have the policy rule instead match to the specific devices themselves. This wasn't too bad to do for our small group, but would be a nightmare for a large company.

    I tried changing back to matching the device types instead (iPhone and iPad) with 5.4.6 but still see it failing to match sometimes. It's frustrating because I can't get it to regularly happen, otherwise I would report it as a bug.

    Has anybody seen this issue with 5.6.2?

    marcussaunders
    New Member
    January 5, 2018

    I am experiencing the same issue with 5.6.3. iOS devices x deep packet. Anybody found a workaround yet?