This article describes Apple iCloud Private Relay, an iCloud+ feature designed to protect user privacy: when a user browses the web in Safari, no single party, not even Apple, can see both who the user is and which sites they are visiting.
Private Relay locates its relay servers by domain name (the mask.icloud.com and mask-h2.icloud.com hostnames listed later in this article) and then tunnels Safari's traffic through those relays over QUIC, so the network only sees an encrypted connection to the relay and never the destination site.
From a security point of view, when this option is enabled on an eligible Apple device, Safari's traffic bypasses the security controls the administrator applies on the network path, such as web filtering and application control.
To prevent this bypass, Private Relay must be disabled. It is not practical, however, to rely on every user keeping Private Relay disabled, so the block has to be enforced on the network.
This document contains the steps to block Private Relay on devices whose traffic passes through the FortiGate and is subject to security controls such as web filtering.
Testing iPhone – 192.168.10.4
Apple iCloud+ Private Relay
Private Relay is disabled.
First, the normal behavior: the web filter blocks social media websites on the iPhone while Private Relay is disabled.
The default web filter profile is configured to block the Social Media category.
A firewall policy allows the traffic and applies the security profiles; web filtering of HTTPS sites requires at least certificate inspection on that policy.
Websites such as Instagram.com are blocked in the Chrome browser.
Web Filter Event logs.
Private Relay Enabled.
After enabling Private Relay, facebook.com is still blocked in the Chrome browser. However, the same websites, facebook.com and Instagram.com, can be accessed through the Safari browser, because Safari's traffic is tunneled through Private Relay.
As seen below, traffic from the Chrome browser is logged, but no traffic from the Safari browser appears: the FortiGate only sees the encrypted connection to the relay, not the destination websites.
Blocking Private Relay.
To block Private Relay, configure all three of the following:
- Block certain URLs using Web Filter.
- Block certain Domains using DNS filter.
- Block QUIC using Application Control.
Web Filter:
Go to Security Profiles -> Web Rating Override and select 'Create New'.
Add each of the following URLs to the custom1 category in the web rating overrides, then block the custom1 category in the web filter profile:
- captive.apple.com
- configuration.ls.apple.com
- iphone-ld.apple.com
- mask-t.apple-dns.net
Go to Security Profiles -> Web Filter, select the profile, and set the custom1 category to Block. Note that captive.apple.com is also the endpoint Apple devices use for captive-portal detection, so blocking it has a side effect on that check; test the behavior on the network before rolling the change out.
DNS Filter:
Go to Security Profiles -> DNS Filter and select the profile.
Add the following domains as wildcard entries with the action Block in the static domain filter of the DNS filter profile:
- *mask.icloud.com*
- *mask-h2.icloud.com*
- *mask.apple-dns.net*
- *mask-api.fe.apple-dns.net*
- *mask-t.apple-dns.net*
Application Control:
Go to Security Profiles -> Application Control and select the profile.
Add the QUIC application signature to the profile with the action Block (see the related article on blocking QUIC below).
Confirm that all three security profiles are applied to the firewall policy that handles the clients' traffic, and that the clients' DNS queries actually pass through that policy, since the DNS filter cannot act on queries it does not see.
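The same three-part configuration expressed on the FortiOS CLI, added here as an example; it is not part of the original article and should be adapted to the unit before use. It assumes the firewall policy is ID 1, that the profiles named "default" are the ones applied to it, that custom1 is local category 140 (the usual ID), that the QUIC signature ID is 16202, and that DNS filter table ID 1 with the name "block-private-relay" is free; confirm the category and signature IDs under Security Profiles on the unit. The lines beginning with # are comments for the reader and are not typed into the CLI.

```fortios
# Web rating override: place the four hostnames into local category custom1 (assumed ID 140)
config webfilter ftgd-local-rating
    edit "captive.apple.com"
        set rating 140
    next
    edit "configuration.ls.apple.com"
        set rating 140
    next
    edit "iphone-ld.apple.com"
        set rating 140
    next
    edit "mask-t.apple-dns.net"
        set rating 140
    next
end

# Web filter profile: block category 140 (custom1); filter entry ID 140 is an assumption
config webfilter profile
    edit "default"
        config ftgd-wf
            config filters
                edit 140
                    set category 140
                    set action block
                next
            end
        end
    next
end

# DNS filter: static domain table with the relay discovery names as wildcard entries
config dnsfilter domain-filter
    edit 1
        set name "block-private-relay"
        config entries
            edit 1
                set domain "*mask.icloud.com*"
                set type wildcard
                set action block
            next
            edit 2
                set domain "*mask-h2.icloud.com*"
                set type wildcard
                set action block
            next
            edit 3
                set domain "*mask.apple-dns.net*"
                set type wildcard
                set action block
            next
            edit 4
                set domain "*mask-api.fe.apple-dns.net*"
                set type wildcard
                set action block
            next
            edit 5
                set domain "*mask-t.apple-dns.net*"
                set type wildcard
                set action block
            next
        end
    next
end
config dnsfilter profile
    edit "default"
        config domain-filter
            set domain-filter-table 1
        end
    next
end

# Application control: block the QUIC signature (ID 16202 assumed; verify on the unit)
config application list
    edit "default"
        config entries
            edit 1
                set application 16202
                set action block
            next
        end
    next
end

# Firewall policy: apply the three profiles; certificate inspection is the minimum
# needed for the web filter to rate HTTPS sites
config firewall policy
    edit 1
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
        set application-list "default"
    next
end
```

The DNS filter entries use the same wildcard form the article shows, so each entry also matches subdomains of the relay hostnames; the four web rating override entries are only reached once DNS resolves, which is why the DNS filter does most of the work and the web filter acts as the second layer.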
After making the above changes, Private Relay is forced into the unavailable state.
Once unavailable, the device behaves as it does with Private Relay disabled, and all security controls apply to its traffic again.
Social media is blocked even though Private Relay is enabled (but unavailable).
Users can still browse other web pages which are not blocked.
The web filter event logs show the social media traffic, as well as the Apple URLs listed above, now being blocked.
The DNS logs show queries for the relay domains being redirected to the block portal.
The application control logs show QUIC being blocked.
Because this traffic is blocked, Private Relay cannot establish its tunnel and can no longer hide the user's real IP address or destination sites from the network.
Related articles:
https://support.apple.com/en-ca/HT212614
https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Block-QUIC-Protocol/ta-p/197661
Copyright 2023 Fortinet, Inc. All Rights Reserved.