Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pmh
New Contributor III

End sessions based on application

Hi there,

We are struggling with a high number of outgoing sessions on one of our sites. We have discovered that filtering the sessions in FortiView Sessions and ending all of them more or less fixes our problem.

[Screenshot: forti-sessions-end.PNG]

 

We are actively blocking iCloud (and the other sessions we need to end) under Application Control, but they still pop up here and are apparently causing problems for our ISP, which cannot handle all these sessions as we are on a very low-bandwidth connection.

First question: why isn't our application control policy stopping these sessions, and is it possible to do what I am doing here (filter by application and end all sessions) via the CLI?

 

-PM

gfleming

I think it would be worthwhile to figure out the root cause of this behaviour. Killing sessions on your Firewall will not kill them on the ISP router.

 

In tandem with root cause investigation you can troubleshoot why app control is not blocking icloud.

 

1. RCI: have you done any packet captures for problematic devices? As mentioned in my previous post, the sessions do not have lots of packets, so it's probably a TCP handshake gone bad or a RST from the server. Gaining insight like this will be helpful to understand what's happening.

2. Do you see any blocked traffic in the FortiGate logs regarding these sessions? Do you possibly have multiple ISPs or an HA config where you are getting some asymmetric routing?

3. Out of curiosity, what DNS servers are you using? Perhaps clients are trying to connect to a distant iCloud server based on DNS geolocation? Just a shot in the dark...

 

App Control Issues:

1. Are you sure the iCloud traffic is hitting the policy that has iCloud disabled in the app control profile?

2. Please check your traffic / utm logs to verify which policies these devices and connections are hitting.

Cheers,
Graham
pmh
New Contributor III

Hi, 

I have not done any packet captures, as I have already blocked all sessions based on the IP addresses with the iCloud destination. Just what would I be looking for if I disable the block policy and do a packet capture?

 

The logs show that the app filters are effectively blocking the iCloud application, yes - but I could still see the sessions, as in the picture in my original post.

 

Only one ISP in my setup, but it is controlled via SD-WAN to multiple carriers. 

 

Using Cisco Umbrella as DNS on all devices in question.  

 

-PM

gfleming

Can you provide more details on how there is only one ISP but it is controlled via SD-WAN? Is the ISP providing an SD-WAN service? Do you know how it's working?

 

If possible can you get the ISP to disable the SD-WAN feature for one site and see if it works better?

 

Also can you temporarily shift away from Cisco DNS for one site (or a few test devices) and use something like 1.1.1.1 or 8.8.8.8 for now?

 

See if anything like that helps alleviate the problem of multiple connection attempts failing to icloud.

Cheers,
Graham
Sam_FTNT
Staff

From ISDB Team:

 

iCloud hosts part of the service on third-party CDN platforms, which are subject to dynamically assigned IP addresses. ISDB is a static IP-based database service, which cannot handle dynamic IPs directly.

 

It is suggested to use FQDN addresses for specific domains to distinguish iCloud from other Apple services, since an FQDN address retrieves the latest IP addresses as resolved in the customer's local environment. Here is a document I found online for your reference: https://support.apple.com/en-us/HT210060.

NSE8#3306
Sam_FTNT
Staff

Here you go:

 

First - create the address objects:

 

config firewall address
    edit "*.apple-cloudkit.com"
        set type fqdn
        set fqdn "*.apple-cloudkit.com"
    next
    edit "*.apple-livephotoskit.com"
        set type fqdn
        set fqdn "*.apple-livephotoskit.com"
    next
    edit "*.apzones.com"
        set type fqdn
        set fqdn "*.apzones.com"
    next
    edit "*.cdn-apple.com"
        set type fqdn
        set fqdn "*.cdn-apple.com"
    next
    edit "*.gc.apple.com"
        set type fqdn
        set fqdn "*.gc.apple.com"
    next
    edit "*.icloud.com"
        set type fqdn
        set fqdn "*.icloud.com"
    next
    edit "*.icloud.com.cn"
        set type fqdn
        set fqdn "*.icloud.com.cn"
    next
    edit "*.icloud.apple.com"
        set type fqdn
        set fqdn "*.icloud.apple.com"
    next
    edit "*.icloud-content.com"
        set type fqdn
        set fqdn "*.icloud-content.com"
    next
    edit "*.iwork.apple.com"
        set type fqdn
        set fqdn "*.iwork.apple.com"
    next
    edit "mask.icloud.com"
        set type fqdn
        set fqdn "mask.icloud.com"
    next
    edit "mask-h2.icloud.com"
        set type fqdn
        set fqdn "mask-h2.icloud.com"
    next
    edit "mask-api.icloud.com"
        set type fqdn
        set fqdn "mask-api.icloud.com"
    next
end

 

Then put them in a group:

 

config firewall addrgrp
    edit "FQDN_Wildcard_Group"
        set member "*.apple-cloudkit.com" "*.apple-livephotoskit.com" "*.apzones.com" "*.cdn-apple.com" "*.gc.apple.com" "*.icloud.com" "*.icloud.com.cn" "*.icloud.apple.com" "*.icloud-content.com" "*.iwork.apple.com" "mask.icloud.com" "mask-h2.icloud.com" "mask-api.icloud.com"
    next
end

 

 

Then make a firewall policy and put this above your other policies. 

 

config firewall policy
    edit 0
        set name "Deny_FQDN_Wildcard_Group"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "FQDN_Wildcard_Group"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end

 

 

NSE8#3306
pmh
New Contributor III

Hi, 

This is basically what I already have done, just with the IP ranges showing under the session list. And it's working great. So far after I implemented the IP blocking policy all iCloud sessions are gone. 

config firewall address
    edit "icloud1"
        set subnet 17.248.131.0 255.255.255.0
    next
    edit "icloud2"
        set subnet 17.248.185.0 255.255.255.0
    next
    edit "icloud3"
        set subnet 17.248.241.0 255.255.255.0
    next
    edit "icloud4"
        set subnet 17.248.177.0 255.255.255.0
    next
    edit "icloud5"
        set subnet 17.248.176.0 255.255.255.0
    next
    edit "icloud6"
        set subnet 17.248.195.0 255.255.255.0
    next
    edit "icloud7"
        set subnet 17.248.252.0 255.255.255.0
    next
    edit "icloud8"
        set subnet 17.248.237.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "GRP_ICLOUD"
        set member "icloud1" "icloud2" "icloud3" "icloud4" "icloud5" "icloud6" "icloud7" "icloud8"
    next
end

 

I'd definitely prefer to have one block policy that blocked the application "iCloud" but I guess that is not possible. 

 

Anyway, I think the case is more or less closed regarding the result, but I still have not found a way of ending sessions from the CLI based on application, or figured out why my application control policy that is set to block iCloud services was not able to stop these sessions from initializing in the first place.

 

-PM

srajeswaran

Application control/identification works based on the application data transferred, which happens after the successful 3-way handshake. As per the attached screenshot, the number of packets is 2-3, which are transferred during the 3-way handshake, and I am not sure if any application data transfer is happening.

 

 

Regards,

Suraj

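The original question asked how to end sessions from the CLI filtered by application, and the reply above explains why application control never acts on them: a session that stalls after the TCP handshake carries no application data to classify. The script below is an added example for this thread, not code from the poster, from Fortinet or from the forum. It parses a constructed, abridged `diagnose sys session list` dump (only the lines the script reads are included, and the application id in it is a placeholder, not a real FortiGuard id), flags TCP sessions with two or three packets and no identified application, counts them per destination /24, and prints the `diagnose sys session filter dst <first>-<last>` / `diagnose sys session clear` sequence that ends those sessions from the CLI. Assumptions: the `filter dst` range form `a-b` is accepted on your firmware (check the usage text printed by `diagnose sys session filter`), and `app=0` in the session entry means no application was identified. Two caveats raised earlier in the thread still apply: this clears state on the FortiGate only, not on the ISP router, and `diagnose sys session clear` without a filter drops every session on the unit.

```python
"""Triage a FortiGate `diagnose sys session list` dump (added example, not Fortinet code).

Finds TCP sessions that never got past the handshake (2-3 packets, app=0) and
emits the CLI commands that end them by destination range.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the layout of `diagnose sys session list`, abridged to
# the lines this script reads. 203.0.113.2 is the SNAT address (RFC 5737) and
# app=41529 is a placeholder, not a real FortiGuard application id.
SAMPLE = """\
session info: proto=6 proto_state=02 duration=4 expire=6 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=120/2/1 reply=0/0/0 tuples=2
hook=post dir=org act=snat 192.168.10.21:51234->17.248.131.20:443(203.0.113.2:51234)
misc=0 policy_id=5 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0001a2b3 tos=ff/ff app_list=2000 app=0 url_cat=0
session info: proto=6 proto_state=03 duration=9 expire=3 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=120/2/1 reply=60/1/1 tuples=2
hook=post dir=org act=snat 192.168.10.21:51240->17.248.131.44:443(203.0.113.2:51240)
misc=0 policy_id=5 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0001a2b4 tos=ff/ff app_list=2000 app=0 url_cat=0
session info: proto=6 proto_state=01 duration=120 expire=3580 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=8400/40/40 reply=91000/70/70 tuples=2
hook=post dir=org act=snat 192.168.10.22:51300->17.248.185.9:443(203.0.113.2:51300)
misc=0 policy_id=5 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0001a2b5 tos=ff/ff app_list=2000 app=41529 url_cat=0
session info: proto=6 proto_state=02 duration=2 expire=8 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
hook=post dir=org act=snat 192.168.10.23:51400->17.248.131.77:443(203.0.113.2:51400)
misc=0 policy_id=5 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0001a2b6 tos=ff/ff app_list=2000 app=0 url_cat=0
total session 4
"""

_KV = re.compile(r"(\w+)=(\S+)")
_STAT = re.compile(r"org=(\d+)/(\d+)/(\d+) reply=(\d+)/(\d+)/(\d+)")
_FLOW = re.compile(r"dir=org .*?(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_sessions(dump: str) -> List[Dict]:
    """Split the dump into one dict per session, keeping the fields we need."""
    sessions: List[Dict] = []
    cur: Dict = {}
    for line in dump.splitlines():
        if line.startswith("session info:"):
            cur = dict(_KV.findall(line))        # proto, proto_state, duration, ...
            sessions.append(cur)
        elif not cur:
            continue
        elif line.startswith("statistic("):
            m = _STAT.search(line)               # bytes/packets/allow_err per direction
            cur["org_pkts"], cur["reply_pkts"] = int(m.group(2)), int(m.group(5))
        elif line.startswith("hook=") and "dir=org" in line:
            m = _FLOW.search(line)               # original direction: client -> server
            cur["src"], cur["dst"], cur["dport"] = m.group(1), m.group(3), int(m.group(4))
        elif line.startswith(("misc=", "serial=")):
            cur.update(dict(_KV.findall(line)))  # policy_id, app_list, app, ...
    return sessions


def handshake_only(s: Dict) -> bool:
    """TCP session with only a couple of packets and no identified application.

    proto_state 02 (SYN sent) / 03 (SYN and SYN-ACK seen) never reached 01
    (established); with no payload there is nothing for app control to inspect.
    Assumption: app=0 means 'no application identified'.
    """
    return (s.get("proto") == "6"
            and s.get("org_pkts", 0) + s.get("reply_pkts", 0) <= 3
            and s.get("app", "0") == "0")


def stalled_by_dest_net(sessions: List[Dict], prefix: int = 24) -> Counter:
    """Count handshake-only sessions per destination network."""
    counts: Counter = Counter()
    for s in sessions:
        if handshake_only(s):
            net = ipaddress.ip_network(f"{s['dst']}/{prefix}", strict=False)
            counts[str(net)] += 1
    return counts


def clear_commands(nets: List[str]) -> List[str]:
    """FortiOS CLI to end sessions to each network, one filter at a time.

    `filter clear` first so no stale filter survives. Never run
    `diagnose sys session clear` unfiltered: it drops every session on the unit.
    Assumption: `filter dst a-b` range syntax is accepted on the target firmware.
    """
    cmds: List[str] = []
    for net in nets:
        n = ipaddress.ip_network(net)
        cmds += ["diagnose sys session filter clear",
                 f"diagnose sys session filter dst {n[0]}-{n[-1]}",
                 "diagnose sys session list",    # review what matched before clearing
                 "diagnose sys session clear"]
    return cmds


if __name__ == "__main__":
    found = parse_sessions(SAMPLE)
    per_net = stalled_by_dest_net(found)
    for net, count in per_net.most_common():
        print(f"{count:4d} handshake-only sessions to {net}")
    print("\n".join(clear_commands(sorted(per_net))))
```

Filtering by destination rather than by application is deliberate: the sessions this thread is about have no application identified, so there is nothing for an application-based filter to match on; the destination ranges (or the subnet and FQDN address objects from the other replies) are what distinguishes them.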
