Article Id 197383


This article describes how to block media downloads via iTunes while allowing all other iTunes access.




Administrators can use the Application Control function to achieve certain requirements such as:

iCloud - Block
iTunes.Store - Block
iTunes.Podcast - Block
iTunes.filesharing - Block
iTunes_Broadcast - Block
iTunes.mDNS - Block
iTunes.iMix - Pass
iTunes - Pass
iTunes-Mobile - Pass
iTunes-Appl.Store. - Pass
Apple.Support - Pass
Apple.Ipad - Pass
Apple.Iphone - Pass

But there are no options to block only media downloads.

Expectations, Requirements
By controlling how end-users access iTunes, administrators can exercise granular control over what is and is not allowed through the firewall. In this way, an administrator can mitigate security risks and reduce bandwidth consumption on their network.

The following steps outline how to define and apply custom IPS signatures in order to block iTunes media downloads.

The steps below outline adding two custom signatures and applying them to a new IPS sensor. Alternatively, the signatures can be added to an existing IPS sensor (e.g., the default sensor).

Note: To add or view multiple sensors in the GUI, enable 'Multiple Security Profiles' in 'Features' in the system dashboard.

On the FortiGate web GUI, navigate to Security Profiles > Intrusion Protection.


Define Signature #1

  • Go to ‘View IPS Signatures’ > ‘Create New’.
  • Type a name for this signature -- e.g.,  iTunes_Monitor.
  • Copy and paste the following syntax into the Signature field >> Select OK.

F-SBID( --protocol tcp; --flow from_client; --service http; --parsed_type http_get; --pattern "User-Agent: iTunes"; --context header; --no_case; --tag set,Tag.iTunes.client;)


Define Signature #2

  • Create a second signature named iTunes_Block.
  • Copy and paste the following syntax into the Signature field >> Select OK.

F-SBID( --protocol tcp; --flow from_server; --service http; --pattern "Content-Type: audio"; --context header; --no_case; --tag test,Tag.iTunes.client;)


Apply the custom signatures to an IPS profile

  • Go to Security Profiles > Intrusion Protection > IPS Sensors.
  • Create a new sensor called 'iTunes_Music_Block'.
  • From the 'Edit IPS Sensor' menu, click on 'Create New' to add a new signature entry.

Add Signature #1

  • Select the 'Specify Signatures' radio button & type iTunes_Monitor in the signature box.
  • Action = Monitor all  > Select OK.

Add Signature #2

  • 'Specify Signatures' > type iTunes_Block
  • Set the Action to Block all > Click OK

Apply the IPS profile iTunes_Music_Block to the firewall policy used for accessing iTunes
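As an added illustration (example code written for this article, not FortiGate's IPS engine), the following Python models how the two custom signatures cooperate once the sensor applies Monitor to iTunes_Monitor and Block to iTunes_Block: the first signature sets the session tag Tag.iTunes.client on an HTTP GET whose headers carry "User-Agent: iTunes", and the second blocks a server response with "Content-Type: audio" only when that tag is already set on the same session, so a browser downloading the same audio file is left alone. The sample HTTP messages are constructed, and the assumption that a tag set by one signature is scoped to the TCP session and visible to later signatures on it is the model's, not a statement from the article.

```python
"""Illustrative model of the iTunes_Monitor / iTunes_Block signature pair.
Example code written for this article; it is not FortiGate's IPS engine.
Assumption: a tag set by '--tag set' lives on the TCP session and is visible
to '--tag test' in later signatures on that same session."""

TAG = "Tag.iTunes.client"


def http_head(msg: bytes):
    """Return (start_line, header_block) of an HTTP message.
    The header block is what '--context header' matches against; the body is ignored."""
    head = msg.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    start_line, _, header_block = head.partition("\r\n")
    return start_line, header_block


def sig_itunes_monitor(direction: str, msg: bytes, tags: set) -> bool:
    """Signature #1 (iTunes_Monitor, sensor action Monitor):
    --flow from_client; --parsed_type http_get; --pattern "User-Agent: iTunes";
    --context header; --no_case; --tag set,Tag.iTunes.client"""
    if direction != "from_client":                      # --flow from_client
        return False
    start_line, header_block = http_head(msg)
    if not start_line.startswith("GET "):               # --parsed_type http_get
        return False
    if "user-agent: itunes" not in header_block.lower():  # --pattern ... --no_case
        return False
    tags.add(TAG)                                       # --tag set,Tag.iTunes.client
    return True


def sig_itunes_block(direction: str, msg: bytes, tags: set) -> bool:
    """Signature #2 (iTunes_Block, sensor action Block):
    --flow from_server; --pattern "Content-Type: audio"; --context header;
    --no_case; --tag test,Tag.iTunes.client"""
    if direction != "from_server":                      # --flow from_server
        return False
    _, header_block = http_head(msg)
    if "content-type: audio" not in header_block.lower():  # --pattern ... --no_case
        return False
    return TAG in tags                                  # --tag test: fire only if the tag is set


def process_session(messages):
    """Run both signatures over one TCP session's messages in order.
    Returns one verdict per message: 'monitor', 'block' or 'pass'."""
    tags = set()          # per-session tag state (model assumption)
    verdicts = []
    for direction, msg in messages:
        if sig_itunes_block(direction, msg, tags):
            verdicts.append("block")
        elif sig_itunes_monitor(direction, msg, tags):
            verdicts.append("monitor")
        else:
            verdicts.append("pass")
    return verdicts


# Constructed sample traffic (not captured from real iTunes or Apple servers).
ITUNES_GET = (b"GET /song.m4a HTTP/1.1\r\nHost: example.invalid\r\n"
              b"User-Agent: iTunes/12.0 (Windows; N)\r\n\r\n")
BROWSER_GET = (b"GET /song.m4a HTTP/1.1\r\nHost: example.invalid\r\n"
               b"User-Agent: Mozilla/5.0\r\n\r\n")
AUDIO_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: audio/x-m4a\r\n"
              b"Content-Length: 4\r\n\r\nDATA")
JSON_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
             b"Content-Length: 2\r\n\r\n{}")

if __name__ == "__main__":
    # iTunes client fetching audio: request tagged (Monitor), response blocked.
    print(process_session([("from_client", ITUNES_GET), ("from_server", AUDIO_RESP)]))
    # Browser fetching the same audio: no tag on the session, so signature #2 never fires.
    print(process_session([("from_client", BROWSER_GET), ("from_server", AUDIO_RESP)]))
    # iTunes client fetching non-audio content (store browsing): tagged but allowed.
    print(process_session([("from_client", ITUNES_GET), ("from_server", JSON_RESP)]))
```

The model makes the design choice of the two-signature approach visible: a single signature blocking "Content-Type: audio" from any server would also block audio fetched by browsers and other clients, while tagging the session on the iTunes request and testing the tag on the response confines the block to iTunes sessions. Since both signatures match on HTTP headers with --context header, they can only see traffic the FortiGate reads in cleartext; iTunes sessions carried over TLS are not visible to these patterns unless SSL/deep inspection is applied on the same policy.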