Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
haguinaldo
Staff
Staff

Created on ‎02-24-2015 07:46 AM Edited on ‎06-06-2022 12:20 PM By Anonymous

Article Id 197383

Technical Tip: Block media downloads through iTunes

Description

This article explains that administrators would like to block media downloads via iTunes but allow all other iTunes access.


Scope

FortiGate

 

Solution
Administrators can use the Application Control function to achieve certain requirements such as:

iCloud - Block
iTunes.Store - Block
iTunes.Podcast - Block
iTunes.filesharing - Block
iTunes_Broadcast - Block
iTunes.mDNS - Block
iTunes.iMix - Pass
iTunes - Pass
iTunes-Mobile - Pass
iTunes-Appl.Store. - Pass
Apple.Support - Pass
Apple.Ipad - Pass
Apple.Iphone - Pass

But there are no options to block only media downloads.

Expectations, Requirements
By controlling how end-users access iTunes, administrators can execute granular control of what can or cannot be allowed through the firewall.  In this way, an administrator can mitigate security risks and reduce bandwidth consumption on their network.

Configuration
The following steps outline how to define and apply custom IPS signatures in order to block iTunes media downloads.

The steps below outline adding two custom signatures and applying them to a new IPS sensor. 
Instead, add it to an existing IPS sensor (e.g., the default sensor).

Note: To add or view multiple sensors in the GUI, enable 'Multiple Security Profiles' in 'Features' in the system dashboard.

On the FortiGate web GUI, navigate to Security Profiles > Intrusion Protection.

 

Define Signature #1

  • Go to ‘View IPS Signatures’ > ‘Create New’.
  • Type a name for this signature -- e.g.,  iTunes_Monitor.
  • Copy and paste the following syntax into the Signature field >> Select OK.

 
F-SBID( --protocol tcp; --flow from_client; --service http; --parsed_type http_get; --pattern "User-Agent: iTunes"; --context header; --no_case; --tag set,Tag.iTunes.client;)

 

Define Signature #2

  • Create a second signature >> iTunes_Block
  • Copy and paste this on the Signature field

 
F-SBID( --protocol tcp; --flow from_server; --service http; --pattern "Content-Type: audio"; --context header; --no_case; --tag test,Tag.iTunes.client;)

 

Apply the custom signatures to an IPS profile

  • Go to Security Profiles > Intrusion Protection > IPS Sensors.
  • Create a new sensor called 'iTunes_Music_Block'.
  • From the 'Edit IPS Sensor' menu, click on 'Create New' to add a new signature entry.

Add Signature #1

  • Select the 'Specify Signatures' radio button & type iTunes_Monitor in the signature box.
  • Action = Monitor all  > Select OK.

Add Signature #2

  • 'Specify Signatures' > type iTunes_Block
  • Set the Action to Block all > Click OK

Apply the IPS profile iTunes_Music_Block to the firewall policy used for accessing iTunes

 

4415
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.