I'm following the directions found here
Which are supposed to allow you to block the iCloud private relay but in a somewhat graceful way. Meaning that the iPhone user should still be able to use their device, it's just not going to route traffic through the private relay. However, when I follow the directions above the iphone basically stops any internet traffic saying "can't connect to iCloud Private Relay" until I manually turn off the private relay. I've followed the directions but they don't seem to want to work as intended.
Hello IrbkOrrum,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Hello IrbkOrrum,
Would you be able to share your DNS Filter, WebFilter, Application Control and firewall policy configurations through screenshots?
Unfortunately, I'm no longer on site at that location and able to test.
Created on ‎07-08-2025 01:49 PM Edited on ‎07-08-2025 01:50 PM
We are having the same issues. Users with iCloud Private Relay cannot connect to the internet without disabling. App Control is set to allow everything. We only do basic certificate inspection. We are on 7.2.11 / FortiGate 200f
Same here (we are using a pair of FortiGate 121G running 7.2.11).
The graceful way would be to trigger "Private Relay Temporarily not available" message which will enable pass-through mode. I've seen it before, but cannot reproduce it.
Returning NXDOMAIN for the domains mask.icloud.com, mask-h2.icloud.com, mask.apple-dns.net, mask-api.fe.apple-dns.net and mask-t.apple-dns.net, would not trigger the message but rather block browsing using Safari (returning "can't connect to iCloud Private Relay" message). The rest (Chrome/apps and etc) should normally work without any issues.
I think I spoke too soon. The private relay indeed becomes unavailable if you follow the instructions:
Created on ‎07-29-2025 03:03 PM Edited on ‎07-29-2025 03:06 PM
Private relay shows as available as mine and all internet access doesn't work.
Does your web filter and DNS filter look like mine, or am I missing something? Are you blocking proxy/vpn in app control?
I am getting nxdomain for 1.mask.icloud.com but mask.icloud.com seems to be resolving.
Thanks!
im having very similar issues. So far, un-blocking QUIC seems to sort of make iphones work. Im still doing the DNS blocking of the icloud domains (returning NXDOMAIN). But its very unstable behavior so far.
User | Count |
---|---|
2675 | |
1410 | |
810 | |
702 | |
455 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.