Hi there,
We are struggling with a high number of outgoing sessions on one of our sites. We have discovered that filtering them in FortiView Sessions and ending all sessions more or less fixes our problem.
We are actively blocking iCloud (and the other sessions we need to end) under Application Control, but they still pop up here and are apparently causing problems for our ISP, who cannot handle all these sessions, as we are on a very low-bandwidth connection.
First question: why isn't our Application Control policy stopping these sessions, and is it possible to do what I am doing here (filter by application and end all sessions) via the CLI?
-PM
Hello PM,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello PM,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
That looks like a single device causing all of those connections. Are you sure it's not a faulty device? Have you tried disconnecting the device from your network and seeing if the connections stop?
Hi Graham,
The list goes on and on with additional devices (Apple iPhones), so it's not just one device.
What I have done is create a firewall rule that blocks all iCloud IPs, and we have informed all users at the location to disable automatic iCloud uploads, and that's working well, but my question remains: why aren't these sessions blocked by our Application Control policy, which is set to block the application iCloud, and, as this is clearly possible to do in the GUI, can it be done in the CLI?
Some Application Control signatures require SSL Deep Inspection (they will have a padlock icon next to them in the signatures list). This could be why.
More importantly, though, I think you need to understand why your Apple devices seemingly aren't able to connect properly to iCloud. They seem to initiate a connection/session, which fails for some reason, and then they initiate a new connection/session, which fails again, and so on, creating lots of open/half-open sessions. Each session only has 2-4 packets, which tells me there's something going on at the TCP layer.
Can you do a packet capture and see what it shows?
The simplest way to end the sessions you see is to shift-select them all and then click End Session - End All Sessions will terminate all sessions regardless of the list (or so it seems).
If you want to block Apple I would recommend trying to block it using the ISDB. This will block the sessions at L3/L4 before they egress to your ISP.
config firewall policy
edit 0
set status disable
set name "Block All Apple Internet Services"
set uuid 035a9918-d5a9-51ed-9d57-ff6308a71c81
set srcintf "LAN"
set dstintf "WAN"
set action accept
set srcaddr "all"
set internet-service enable
set internet-service-name "Apple-APNs" "Apple-App.Store" "Apple-DNS" "Apple-FTP" "Apple-ICMP" "Apple-Inbound_Email" "Apple-LDAP" "Apple-NetBIOS.Name.Service" "Apple-NetBIOS.Session.Service" "Apple-NTP" "Apple-Other" "Apple-Outbound_Email" "Apple-RTMP" "Apple-SSH" "Apple-Web"
set schedule "always"
set nat enable
next
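As an added example (it is not part of Sam's post and not Fortinet-supplied configuration), here is the ISDB block written the way it has to be to actually drop the traffic: action deny, status enable, and placed above the general outbound policy. The pasted rule above has "set status disable" and "set action accept", so as posted it would have permitted the traffic, which is the point PM raises further down. The second policy shows where Application Control and the SSL/SSH profile are bound, which is what the padlocked signatures depend on. The policy IDs 10 and 11, the interface names, the application-list name "block-icloud", and the choice of "Apple-Web"/"Apple-Other" as the entries that carry iCloud traffic are assumptions; the ISDB entry names themselves are the ones from the post above.

```fortios
# Added example, not from the original post. Policy IDs 10/11, the interface
# names, the "block-icloud" list name and the choice of ISDB entries are
# assumptions; the entry names come from the thread.
config firewall policy
    # 1) ISDB deny policy. It must be enabled and must deny; the rule pasted
    #    above was disabled and set to accept. A deny policy needs no NAT
    #    setting. Narrow the list if you do not want to block all of Apple.
    edit 10
        set name "Deny-Apple-ISDB"
        set status enable
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Apple-Web" "Apple-Other"
        set schedule "always"
        set action deny
        set logtraffic all
    next
    # 2) General outbound policy. Application Control only runs if the list
    #    is attached here with utm-status enabled, and padlocked signatures
    #    only fire if this policy uses a deep-inspection profile rather than
    #    the default certificate-inspection one.
    edit 11
        set name "LAN-to-WAN"
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action accept
        set nat enable
        set utm-status enable
        set application-list "block-icloud"
        set ssl-ssh-profile "deep-inspection"
        set logtraffic utm
    next
    # Policies match top-down and a new policy is appended at the bottom,
    # so make sure the deny sits above the accept.
    move 10 before 11
end
```

Two checks before relying on this: new iCloud sessions in "diagnose sys session list" should now show policy_id=10 rather than the accept policy, and the deep-inspection profile only helps if the iPhones trust the FortiGate's CA certificate and the destination is not listed under "config ssl-exempt" in that profile; a destination that is exempted is not decrypted, so the padlocked signature still never sees it, and clients that pin certificates will simply fail to connect rather than be identified.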
@Sam_FTNT wrote: The simplest way to end the sessions you see is to shift-select them all and then click End Session - End All Sessions will terminate all sessions regardless of the list (or so it seems).
Yes, I agree with that, and this is what I explained that I did in my initial post, but the question was whether this could be done from the CLI and why my application policy, which is set to block the iCloud service, is not stopping it before it tries to access the internet.
@Sam_FTNT wrote: If you want to block Apple I would recommend trying to block it using the ISDB. This will block the sessions at L3/L4 before they egress to your ISP.
I do not wish to stop all Apple services, just the iCloud sessions that for some reason are killing the network at these locations, and I have been able to do so by isolating all iCloud IP addresses and blocking them in a firewall policy rule.
If there were an internet-service just for the iCloud service, your above suggestion would work fine (except that you are allowing it in your rule), but there is no internet-service that only includes iCloud as far as I can tell.
-PM
Apologies, yes, you can clear sessions with the CLI and create filters to clear much more precisely: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-filters-to-clear-sessions-on-a-Forti...
If you do not specify a filter, diag sys session clear will clear all sessions.
There doesn't seem to be an isolated category for iCloud in the ISDB. I will reach out to the ISDB team to see what can be done.
Thanks for your patience.
Hi,
Yes, I know that I can clear sessions in the CLI, but I cannot see how I can clear sessions based on "application" as I can in the GUI. The only way I can see would then be to isolate all the IP addresses from the GUI and use them in my filter. Not an optimal solution, imo.
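As an added example that is not part of the thread (the addresses are constructed), here is the CLI equivalent of the FortiView workflow that Sam's reply and PM's follow-up are discussing, as far as the session filter allows it. The filter has no application key, so the match is on destination address, which is why the addresses have to be read from the GUI first; a policy-ID filter is shown as the easier handle once a dedicated policy exists. The first line matters because a filter set in an earlier CLI session persists, and a bare clear with no filter drops every session on the unit, including the one you are administering over.

```fortios
# Added example, not from the original thread. 203.0.113.0/24 is a
# documentation range standing in for the iCloud addresses taken from
# FortiView; on a VDOM-enabled unit enter the VDOM first
# ("config vdom" / "edit root").
diagnose sys session stat                              # session count before
diagnose sys session filter clear                      # drop any stale filter first
diagnose sys session filter dst 203.0.113.0-203.0.113.255
diagnose sys session filter dport 443
# Alternative once the traffic hits a dedicated policy (ID assumed):
# diagnose sys session filter policy 10
diagnose sys session filter                            # print the active filter, verify it is not empty
diagnose sys session list                              # review what will be cleared
diagnose sys session clear                             # clears only sessions matching the filter
diagnose sys session stat                              # session count after
diagnose sys session filter clear                      # remove the filter again
```

If the count drops only briefly and climbs back within seconds, the devices are re-establishing the sessions and clearing them is treating a symptom, which is the point Sam makes about the 2-4 packet sessions: the fix is in the policy or in the endpoints, not in the session table.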
Copyright 2024 Fortinet, Inc. All Rights Reserved.