Description
This article describes that Apple iCloud Private Relay is designed to protect the privacy of users by ensuring that when browsing the web in Safari, no single party—not even Apple—can see both the user and what sites are visited.
Private relay tries to find a proxy using domain names and then relays the traffic through those proxies resulting in hiding the traffic.
From a security point of view, when this option is enabled on eligible Apple products, it can bypass security controls applied by the administrator such as web filter, application control, etc.
To prevent the bypassing of these controls, it is necessary to disable the private relay. However, it is not practically possible to keep control of each user to keep private relays disabled.
This document contains the steps to block Private Relay on devices whose traffic is going through the FortiGate and is subjected to security controls like Web filtering.
Testing iPhone – 192.168.10.4.
Scope
Apple iCloud+ Private Relay.
Solution
Demonstration:
Private Relay is disabled.
The normal behavior of web filter blocking the social media websites on an iPhone with Private Relay Disabled.
The default Web filter profile is configured to Block Social Media.
Policy to allow and inspect the traffic.
A website such as Instagram.com is getting blocked on the browser (chrome).
Web Filter Event logs.
Private Relay Enabled.
After Enabling Private Relay, the website facebook.com is still blocked on the Chrome browser. However, the same websites facebook.com and Instagram.com can be accessed through Safari browser as it is using a Private relay feature.
Chrome:
Safari:
Safari:
As seen below, traffic for the Chrome browser is logged, but no traffic from the Safari browser can be seen.
Solution:
Blocking Private Relay.
To block the private relay, make sure to:
- Block certain URLs using Web Filter.
- Block certain Domains using a DNS filter.
- Block QUIC using Application Control.
Web Filter:
Go to Security Profiles -> Web Rating Override and select 'Create New'.
Add the following URL in the custom1 category in web rating overrides and then Block custom1 category in the web filter:
- captive.apple.com.
- configuration.Is.apple.com.
- gateway.icloud.com.
- gsp85-ssl.Is.apple.com.
- iphone-Id.apple.com.
- mask-api.icloud.com.
- mask-t.apple-dns.net.
- mask.icloud.com.
- mask-h2.icloud.com.
Go to Security Profiles -> Web Filter -> Select Profile.
DNS Filter:
Go to Security Profiles -> DNS Filter -> Select Profile.
Add the following domains to the static DNS filter in the DNS filter profile:
- *mask.icloud.com*.
- *mask-h2.icloud.com*.
- *mask.apple-dns.net*.
- *mask-api.fe.apple-dns.net*.
- *mask-t.apple-dns.net*.
As per official Apple documentation (Prepare your network or web server for iCloud Private Relay), the best way to block Private Relay using DNS is to return an 'NXDOMAIN' for the above domains instead of the default action which is to redirect the users to a block page.
To make this change, apply the following commands:
config dnsfilter profile
edit <DNS profile name>
set block-action block
end
See this article for more info: Technical Tip: Various Block option under DNS filter.
Application Control:
Go to Security Profiles -> Application Control -> Select Profile.
Block QUIC in application control.
Confirm all the Security Profiles are applied to the correct Firewall Policy.
After making the above changes, the private relay should be forced to become unavailable.
After becoming unavailable, it will work as it works with Private Relay Disabled and all the security controls should be applied now on the traffic.
Social Media is blocked even though Private Relay is enabled (though unavailable).
Users can still browse other web pages which are not blocked.
The Web filter event logs show the traffic for social media as well as websites mentioned above now being blocked.
DNS Logs show the domains to be redirected to the block portal.
Application control logs showing QUIC being blocked:
Because of the above traffic being blocked, the Private relay is forced to be disabled and cannot hide the actual IP address of the user.
Related articles:
