Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
auppal
Staff
Staff

Created on ‎11-01-2022 04:01 PM Edited on ‎03-11-2025 06:06 AM By Moderator

Article Id 228629

Technical Tip: How to block iCloud Private Relay from bypassing the Security Inspection

Description

 

This article describes that Apple iCloud Private Relay is designed to protect the privacy of users by ensuring that when browsing the web in Safari, no single party—not even Apple—can see both the user and what sites are visited.

 

Private relay tries to find a proxy using domain names and then relays the traffic through those proxies resulting in hiding the traffic.

 

From a security point of view, when this option is enabled on eligible Apple products, it can bypass security controls applied by the administrator such as web filter, application control, etc.

 

To prevent the bypassing of these controls, it is necessary to disable the private relay. However, it is not practically possible to keep control of each user to keep private relays disabled.

 

This document contains the steps to block Private Relay on devices whose traffic is going through the FortiGate and is subjected to security controls like Web filtering.

 

Testing iPhone – 192.168.10.4.

 

Scope

 

Apple iCloud+ Private Relay.

 

Solution

 

Demonstration:

 

Private Relay is disabled.

The normal behavior of web filter blocking the social media websites on an iPhone with Private Relay Disabled.

 

The default Web filter profile is configured to Block Social Media.


image.png

 

Policy to allow and inspect the traffic.

 

image.png

 

A website such as Instagram.com is getting blocked on the browser (chrome).

 

image.png

 

Web Filter Event logs.

 

image.png

 

Private Relay Enabled.

 

image.png

 

After Enabling Private Relay, the website facebook.com is still blocked on the Chrome browser. However, the same websites facebook.com and Instagram.com can be accessed through Safari browser as it is using a Private relay feature.

 

Chrome:

 

image.png

 

Safari:

 

image.png

 

Safari:

 

image.png

 

As seen below, traffic for the Chrome browser is logged, but no traffic from the Safari browser can be seen.

 

image.png

 

 

Solution:

 

Blocking Private Relay.

 

To block the private relay, make sure to:

  • Block certain URLs using Web Filter.
  • Block certain Domains using a DNS filter.
  • Block QUIC using Application Control.

 

Web Filter:

Go to Security Profiles -> Web Rating Override and select 'Create New'.

 

Add the following URL in the custom1 category in web rating overrides and then Block custom1 category in the web filter:

 

image.png

 

Go to Security Profiles -> Web Filter -> Select Profile.

 

image.png

 

DNS Filter:

Go to Security Profiles -> DNS Filter -> Select Profile.

 

Add the following domains to the static DNS filter in the DNS filter profile:

  • *mask.icloud.com*.
  • *mask-h2.icloud.com*.
  • *mask.apple-dns.net*.
  • *mask-api.fe.apple-dns.net*.
  • *mask-t.apple-dns.net*.

 

As per official Apple documentation (Prepare your network or web server for iCloud Private Relay), the best way to block Private Relay using DNS is to return an 'NXDOMAIN' for the above domains instead of the default action which is to redirect the users to a block page.

To make this change, apply the following commands:


config dnsfilter profile
    edit <DNS profile name>
        set block-action block
end

 

See this article for more info: Technical Tip: Various Block option under DNS filter.

 

image.png

 

Application Control:

 

Go to Security Profiles -> Application Control -> Select Profile.

 

Block QUIC in application control.

 

Starting from version 7.2.x, 7.4.x, QUIC in application control can be blocked in the following way:

 

Application Control -> Application and Filter Overrides -> Create new -> Search QUIC and add action to block.

 

228692-1.JPG

 

228-2.JPG

 

Confirm all the Security Profiles are applied to the correct Firewall Policy.

 

image.png

 

After making the above changes, the private relay should be forced to become unavailable.

 

image.png

 

After becoming unavailable, it will work as it works with Private Relay Disabled and all the security controls should be applied now on the traffic.

 

Social Media is blocked even though Private Relay is enabled (though unavailable).

 

image.png

 

image.png

 

Users can still browse other web pages which are not blocked.

 

image.png

 

The Web filter event logs show the traffic for social media as well as websites mentioned above now being blocked.

 

image.png

 

DNS Logs show the domains to be redirected to the block portal.

 

image.png

 

Application control logs showing QUIC being blocked:

 

image.png

 

Because of the above traffic being blocked, the Private relay is forced to be disabled and cannot hide the actual IP address of the user.

 

Related articles:

34191
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.