Support Forum
IrbkOrrum
Contributor

Issue with gracefully blocking iCloud Private Relay

I'm following the directions found here

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-iCloud-Private-Relay-from-byp...

which are supposed to allow you to block the iCloud Private Relay but in a somewhat graceful way. Meaning that the iPhone user should still be able to use their device, it's just not going to route traffic through the private relay. However, when I follow the directions above the iPhone basically stops any internet traffic saying "can't connect to iCloud Private Relay" until I manually turn off the private relay. I've followed the directions but they don't seem to want to work as intended.

Jean-Philippe_P
Moderator

Hello IrbkOrrum,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Moderator

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Thanks,

Jean-Philippe - Fortinet Community Team
AnthonyH
Staff

Hello IrbkOrrum,

Would you be able to share your DNS Filter, WebFilter, Application Control and firewall policy configurations through screenshots?

Technical Support Engineer,
Anthony.
IrbkOrrum

Unfortunately, I'm no longer on site at that location and able to test.

bwsitadmin

We are having the same issues. Users with iCloud Private Relay cannot connect to the internet without disabling it. App Control is set to allow everything. We only do basic certificate inspection. We are on 7.2.11 / FortiGate 200F.

[Attachments: Screenshot 2025-07-08 134522.png, Screenshot 2025-07-08 134621.png, Screenshot 2025-07-08 134737.png]

teddyb
New Contributor II

Same here (we are using a pair of FortiGate 121G running 7.2.11).

The graceful way would be to trigger the "Private Relay Temporarily not available" message, which will enable pass-through mode. I've seen it before, but cannot reproduce it.

Returning NXDOMAIN for the domains mask.icloud.com, mask-h2.icloud.com, mask.apple-dns.net, mask-api.fe.apple-dns.net and mask-t.apple-dns.net would not trigger the message but rather block browsing using Safari (returning the "can't connect to iCloud Private Relay" message). The rest (Chrome, apps, etc.) should normally work without any issues.

teddyb
New Contributor II

I think I spoke too soon. The private relay indeed becomes unavailable if you follow the instructions:

[Attachment: Image (3).jpg]

bwsitadmin

Private relay shows as available as mine and all internet access doesn't work.

Does your web filter and DNS filter look like mine, or am I missing something? Are you blocking proxy/vpn in app control?

I am getting NXDOMAIN for 1.mask.icloud.com but mask.icloud.com seems to be resolving.

Thanks!
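
The approach teddyb describes depends on every Private Relay hostname getting NXDOMAIN, and bwsitadmin's post above shows the filter answering 1.mask.icloud.com and mask.icloud.com differently. The checker below is an added example, not code from this thread or from Fortinet: it sends a raw UDP A query for each hostname named in the thread to a resolver you pass on the command line (192.0.2.1 is a placeholder) and lists any that do not come back NXDOMAIN, so the DNS filter can be verified from a client on the LAN.

```python
import socket
import struct
import sys

# Private Relay hostnames named in this thread; 1.mask.icloud.com is the label
# bwsitadmin saw answered NXDOMAIN while mask.icloud.com still resolved.
RELAY_HOSTS = [
    "mask.icloud.com", "mask-h2.icloud.com", "mask.apple-dns.net",
    "mask-api.fe.apple-dns.net", "mask-t.apple-dns.net", "1.mask.icloud.com",
]
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query with RD set: 12-byte header, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_rcode(response, txid=0x1234):
    """RCODE name from a response header, after checking the QR bit and transaction id."""
    if len(response) < 12:
        raise ValueError("short DNS response")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)

def query_rcode(name, resolver, timeout=2.0):
    """Send one UDP query to resolver:53 and return its RCODE name, or TIMEOUT."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT"
    return parse_rcode(data)

def not_blocked(results):
    """Hosts whose answer is anything other than NXDOMAIN (relay still reachable)."""
    return sorted(h for h, rcode in results.items() if rcode != "NXDOMAIN")

if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder resolver IP
    results = {h: query_rcode(h, resolver) for h in RELAY_HOSTS}
    print(results)
    print("still resolving:", not_blocked(results) or "none")
```

Run it against the FortiGate's DNS server (or whatever resolver the iPhones use); an empty "still resolving" list means the filter answers consistently for all listed names.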

garci66

I'm having very similar issues. So far, un-blocking QUIC seems to sort of make iPhones work. I'm still doing the DNS blocking of the iCloud domains (returning NXDOMAIN). But it's very unstable behavior so far.
