I am looking for advice on how to deal with Adobe Creative Cloud.
Fortinet provided information (Internet Services, etc.) unfortunately seem not complete.
I need to close down all unnecessary traffic from inside to the internet.
One of the policies should deal with Adobe Creative Cloud, but I can't make it work reliably.
I tried a combination of Adobe Internet Services and Security Profiles:
Policy with all Adobe Internet Services and no Security Profile
Adobe Cloud is unreliable and does not connect, lots of timeouts. With some troubleshooting I have found additional IP Addresses that are not in any of the Fortinet provided Internet Services. Examples are *.adobess.com, *.typekit.com, *.astockcdn.net, *.adobejanus.com
Thus I created an additional policy with the above FQDNs, all using HTTPS
Better, but I probably missed yet another set of IP addresses.
Enhanced the policy with a Security Profile with all categories blocked, adding all I could find on Adobe manually in a Filter Override.
Tested this also with no Adobe Internet Services, but All/All
That proved not so efficient as expected
Changed the Application Control to let through everything in Monitor mode
This is the current status, but I still have an ALL/ALL rule at the end where apparent Adobe traffic is leaking into.
As I closed down all other traffic, I recognized additional blocks in Policy 0.
Interestingly, those blocked connections were labeled as Adobe...
18.104.22.168 (static.adobelogin.com) -> Amazon-AWS (but not any Adobe Internet Service...)
22.214.171.124 (helpx.adobe.com) -> Akamai-CDN (but not any Adobe...)
126.96.36.199 (bam.nr-data.net) -> New Relic (but not any Adobe...)
there are more..
For some of those I checked Adobe Acrobat DC with procmon looking at the IP connections opened directly on one of the PCs. Obviously I cannot directly link back to the above FQDNs as I only see PTR records in procmon.
Fact is that, despite using the Fortinet provided Internet Services and the Application Profile, I can't make Adobe Cloud work correctly. But I do not want to keep everything open.
So, what might be your advice on how I can approach this?
The most important two features implied are 'detection' and 'blocking', and we need to find out where it fails.
To correctly detect the HTTPS traffic, you need proxy-mode policy, Application control profile, "deep-inspection" SSL-SSH profile, and possibly Webfilter profile as well.
In some of your tests it seems that you managed to get the detection working, but blocking is effective on other profiles - need to see what security feature is blocking these sites (in logs). Some of the domains may not be allowed by allowing only Adobe (AWS/Akamai..) - these may be used by other sites as well, therefore may fall in the blocking category for those.
This being said, a better approach is to block unwanted specific elements/domains/categories rather than allow only specific domains.
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
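The answer says the next step is to check the logs to see which security feature is blocking each site. As an added example (not code from either poster), here is a small Python triage script over constructed FortiGate-style key=value log lines: it groups blocked hostnames by what blocked them (implicit deny in policy 0, a web filter profile, or an application control profile) and then lists which of those hosts are not covered by the wildcard FQDN addresses from the question. The log field names, profile names, policy ids and IP addresses in the sample are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value syslog style (not real captures;
# policy ids, profile names and TEST-NET IPs are made up for this example).
SAMPLE_LOGS = """\
date=2024-01-10 time=10:01:02 type="traffic" subtype="forward" srcip=10.0.0.21 dstip=192.0.2.10 dstport=443 policyid=0 action="deny" hostname="static.adobelogin.com" service="HTTPS"
date=2024-01-10 time=10:01:05 type="utm" subtype="webfilter" eventtype="ftgd_blk" srcip=10.0.0.21 dstip=192.0.2.11 policyid=12 profile="block-all" action="blocked" hostname="helpx.adobe.com" catdesc="Information Technology"
date=2024-01-10 time=10:01:07 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" srcip=10.0.0.21 dstip=198.51.100.5 policyid=12 profile="adobe-only" action="block" app="New.Relic" hostname="bam.nr-data.net"
date=2024-01-10 time=10:01:09 type="traffic" subtype="forward" srcip=10.0.0.21 dstip=192.0.2.12 dstport=443 policyid=11 action="accept" hostname="example.typekit.com" service="HTTPS"
"""

# key=value pairs; values are either "quoted, may contain spaces" or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
BLOCK_ACTIONS = {"deny", "block", "blocked"}

def parse_line(line):
    """Turn one log line into a dict of field -> value."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def classify(rec):
    """Return (blocked, reason): which feature denied this record, if any."""
    if rec.get("action") not in BLOCK_ACTIONS:
        return False, "allowed"
    if rec.get("type") == "traffic":
        if rec.get("policyid") == "0":
            return True, "implicit deny (policy 0: no policy matched)"
        return True, f"firewall policy {rec.get('policyid')} deny"
    if rec.get("type") == "utm":  # webfilter / app-ctrl / ips ... profile verdicts
        return True, f"{rec.get('subtype', 'utm')} profile '{rec.get('profile', '?')}' (policy {rec.get('policyid')})"
    return True, "unknown"

def triage(log_text):
    """Map each blocking reason to the sorted set of hostnames (or IPs) it blocked."""
    by_reason = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            blocked, reason = classify(rec)
            if blocked:
                by_reason[reason].add(rec.get("hostname") or rec.get("dstip"))
    return {k: sorted(v) for k, v in by_reason.items()}

def matches_fqdn(host, pattern):
    """Wildcard FQDN match; '*.example.com' is treated as subdomains only (assumption)."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern

def uncovered(blocked_hosts, allowlist):
    """Blocked hosts that no allow-listed FQDN pattern would have matched."""
    return sorted(h for h in blocked_hosts if not any(matches_fqdn(h, p) for p in allowlist))

if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    for reason, hosts in result.items():
        print(f"{reason}: {', '.join(hosts)}")
    allow = ["*.adobess.com", "*.typekit.com", "*.astockcdn.net", "*.adobejanus.com"]
    print("not covered by FQDN allow-list:", uncovered(sorted({h for hs in result.values() for h in hs}), allow))
```

Run it against an exported traffic/UTM log instead of SAMPLE_LOGS to see which hosts hit policy 0 (missing from every allow rule) versus which are denied by a profile on a matching policy.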