Hi All,
Some new iOS devices are on our network now and will fail to connect to Apple's App Store, or show correct state for their iCloud Family Sharing status, while certificate inspection is turned on.
Turning off certificate inspection allowed everything to work, but I thought just plain certificate inspection (not deep inspection) wasn't supposed to cause a problem with Apple's certificate pinning?
I thought I read other cases of problems with just certificate inspection, but haven't been able to find it in the forums.
Any thoughts or suggestions?
Thanks.
Hello tanr,
With certificate-inspection, it should not cause any problems with Certificate Pinning since it is not replacing the SSL Certificate. Can you do a packet capture and look to see if there's any sessions that have the certificate replaced with FGT's certificate? I could check for you too if you can send me the pcap.
Homing
We have similar issue with App Store. You will need to do some packet captures to check. Usually is the communication to the Akamai cache that gives problem. Whitelist Akamai range from SSL inspeciton solve it for us but it is far from ideal.
I am also seeking for root cause and a more secure solution.
In my case the problem turned out not to be certificate pinning, but instead that the FortiGate wasn't properly matching iPhone and iPad types. Instead of matching the policy for mobile devices it was matching a more generic policy for that subnet to the wan. The more generic policy didn't allow some of the services needed for the iOS devices.
My workaround was to have the policy rule instead match to the specific devices themselves. This wasn't too bad to do for our small group, but would be a nightmare for a large company.
I tried changing back to matching the device types instead (iPhone and iPad) with 5.4.6 but still see it failing to match sometimes. It's frustrating because I can't get it to regularly happen, otherwise I would report it as a bug.
Has anybody seen this issue with 5.6.2?
I am experiencing the same issue with 5.6.3. ios devices x deep packet. Anybody found a work around yet?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.