Fortigates blocking iOS/Apple related content
Recently I have upgraded two clients to the newest firmware released for Fortigates, 5.0.5. Both clients heavily utilize iOS in their environments and somewhere along the upgrade path to 5.0.5, iOS traffic seems to be downright blocked, or downloads start but are never successful. By blocked, I mean the user will attempt to download iOS updates, iBooks, applications, etc. and either the download never starts and eventually times out, or the download does start but only gets a few Mb in before it stops. One client has even reported this extends to Mac users attempting to use iTunes.
Besides the firmware upgrade to 5.0.5, nothing about these clients' networks has changed. Each is using different wireless setups, different switching, etc. One client has a Fortigate 100D and the other 2x 300C in an Active-Active HA cluster.
During testing with each client, I have disabled everything down to the web filter. With the web filter active, the problem exists, but with the web filter disabled, users can download successfully. The traffic and web filter UTM logs show no traffic being blocked. In testing, the web filter was set to allow all and web filter exceptions were placed for common URLs seen in traffic logs while users browsed to Apple/iOS related applications.
I have attempted to work with Fortinet support on the issue, but their solution has been to factory reset each firewall, re-import the config, and follow the firmware upgrade matrix again in case there was corruption in the previous upgrade. They have not been able to indicate that there actually are any signs of corruption, and the 300C client firewalls came out of the box only one build behind the most recent release, so I highly doubt there was corruption upgrading one firmware release.
At this point I am contemplating downgrading the firmware on each firewall until I find the most recent release in which this problem does not exist, but the point of upgrading in the first place was to fix other bugs in the ipsengine and proxyworker processes that were causing issues.
Thanks for any help.
5 REPLIES
I'm running 5.0 on my 800c and having a similar issue. I've narrowed mine down to the ssl/ssh https inspection that I have turned on for everything. If I shut off the https inspection, boom, I'm good. Strange issue... but I can't seem to find the url apple uses to connect you to the app store via mobile or desktop so I can add it.
This is definitely related to SSL inspection. With web browsers the user could be visiting any HTTPS site so security is based on trusting certificates signed by a CA whose root certificates are installed in the browser....
With the iTunes client it expects a particular certificate to be presented so SSL deep inspection would break this. The only way around is to exempt Apple/iTunes/Webex/Netflix etc from deep inspection.
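The certificate-pinning failure described in this reply, as an added Go example that is not from the thread or from Fortinet: it constructs a genuine CA and leaf, then a firewall "inspection CA" that re-signs the same hostname with its own key (all names, the hostname and the keys are constructed locally for the demo), and shows that a browser-style chain check accepts the re-signed certificate once the inspection CA is trusted, while a client that also pins the original public key rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a cert for name (CN and DNS SAN) signed by parent, or self-signed when parent is nil.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo: errors ignored
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value a pinning client ships with.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// chainValid models a browser: any chain to a trusted root that names host is accepted.
func chainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
// pinnedValid models an iTunes-style client: the chain must verify AND the key must match the pin.
func pinnedValid(leaf *x509.Certificate, roots *x509.CertPool, host string, pin [32]byte) bool {
	return chainValid(leaf, roots, host) && spkiPin(leaf) == pin
}
// Demo builds a genuine CA/leaf plus a firewall inspection CA that re-signs the same host.
func Demo() (browserAcceptsInspected, pinnedAcceptsGenuine, pinnedAcceptsInspected bool) {
	const host = "updates.example.invalid" // constructed placeholder, not a real Apple host
	realCA, realKey := newCert("real-root-ca.invalid", true, nil, nil)
	realLeaf, _ := newCert(host, false, realCA, realKey)
	fwCA, fwKey := newCert("firewall-inspection-ca.invalid", true, nil, nil)
	fwLeaf, _ := newCert(host, false, fwCA, fwKey) // proxy re-signs with its own key pair
	roots := x509.NewCertPool()
	roots.AddCert(realCA)
	roots.AddCert(fwCA) // inspection CA pushed to the device, so browsers keep working
	pin := spkiPin(realLeaf)
	return chainValid(fwLeaf, roots, host), pinnedValid(realLeaf, roots, host, pin), pinnedValid(fwLeaf, roots, host, pin)
}
```

This is why the UTM logs show nothing blocked: the firewall is not denying the session, the client itself is refusing the substituted certificate.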
Alright, allow me to sound stupid, but I'm new to the fortigates. How can I exempt things from deep inspection?
You can get a list of the category IDs then exempt certain categories via CLI:
#get webfilter categories
then with that list you can add to the exempt list:
config webfilter profile
    edit <wf profile>
        config ftgd-wf
            set exempt-ssl 31 33 49 87
        end
    end
If you need to exempt just a few sites then you can add those to the Rating Overrides in the GUI and add that custom category to the exempt list in CLI as well.
Technical tip for 'allow' and 'exempt' in the web filter URL filter
Also, exemption from deep inspection