Support Forum
DJninjaNZ
New Contributor II

SSL Anomalies

Is it blocked or exempt? Exempt comes first, then we get the ssl-anomalies.

We are seeing new behavior in 6.4.9. For Windows updates this was resolved by importing the CA, but for push.apple.com this was not resolved by importing Apple Public EV Server RSA CA 2 - G1.crt.

[Attached screenshot: 2022-11-16 08_40_11-Window.png]


3 REPLIES
Cajuntank
Contributor II

Apple typically does not like to be SSL decrypted for the most part, so we have apple.com as one of our exclusions in our deep packet inspection profile. https://support.apple.com/en-us/HT210060 - "Attempts to perform content inspection on encrypted communications between Apple devices and services will result in a dropped connection to preserve platform security and user privacy."

DJninjaNZ
New Contributor II

Thank you @Cajuntank for your reply. Prior to the firmware upgrade of our FortiGate fleet we have had hostnames exempted for people like Apple, which is the exempt message. But we still get some grief; do you exempt with a policy above the outbound-all for no cert inspection?

Cajuntank
Contributor II (accepted solution)

No, I just have *.apple.com as one of the addresses in my Exempt from SSL Inspection list, and that SSL security profile is tied to my normal user data policies... not doing anything special to specifically focus on the Apple network in its own policy. I did not inquire about your certificate deployment, so not sure if you are using the built-in cert or if you did your own intermediate signed cert from your internal CA (this is how I do it). If you use Safari as your browser, it's not enough anymore to just deploy and trust the root... you also have to deploy and trust the intermediate as well. I will say that I was running 6.4.8 until recently and just updated to 7.0.8, and have run into other sites we deal with that have given me similar reporting responses like you are showing that did not need to be decrypted, and have added them to the exemption list with success.
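As an added example (not code from the thread or from Fortinet), here is a small Python parser for FortiGate-style key=value log lines that tallies ssl-anomalies events per hostname by action, so the "blocked or exempt?" question can be answered from the logs rather than the GUI; it also lists hosts that show up as both exempt and blocked, which is the pattern described above for push.apple.com. The log lines, field values and IP addresses are constructed samples, not real device output.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value syslog style (RFC 5737 test IPs).
# They are illustrative only and are not copied from the forum post or a real unit.
SAMPLE_LOGS = """\
date=2022-11-16 time=08:40:11 type="utm" subtype="ssl" eventtype="ssl-anomalies" srcip=192.0.2.20 dstip=198.51.100.10 dstport=443 hostname="push.apple.com" action="exempt" msg="SSL exempted"
date=2022-11-16 time=08:40:12 type="utm" subtype="ssl" eventtype="ssl-anomalies" srcip=192.0.2.20 dstip=198.51.100.10 dstport=443 hostname="push.apple.com" action="blocked" msg="SSL handshake anomaly"
date=2022-11-16 time=08:41:03 type="utm" subtype="ssl" eventtype="ssl-anomalies" srcip=192.0.2.31 dstip=198.51.100.20 dstport=443 hostname="update.microsoft.com" action="exempt" msg="SSL exempted"
date=2022-11-16 time=08:42:00 type="utm" subtype="webfilter" eventtype="ftgd_allow" srcip=192.0.2.31 dstip=198.51.100.30 dstport=443 hostname="example.com" action="passthrough" msg="URL allowed"
"""

# key=value pairs; values are either a double-quoted string (may contain spaces
# and escaped quotes) or a bare token without whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def ssl_anomaly_summary(log_text):
    """Return {hostname: {action: count}} counting only ssl-anomalies events."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("subtype") != "ssl" or f.get("eventtype") != "ssl-anomalies":
            continue
        summary[f.get("hostname", "?")][f.get("action", "?")] += 1
    return {host: dict(actions) for host, actions in summary.items()}


def exempt_but_still_blocked(summary):
    """Hosts seen with both 'exempt' and 'blocked': the exemption matched, yet a
    later handshake was still dropped, so the host needs review against the
    vendor's inspection guidance rather than another CA import."""
    return sorted(h for h, a in summary.items() if "exempt" in a and "blocked" in a)


if __name__ == "__main__":
    report = ssl_anomaly_summary(SAMPLE_LOGS)
    for host, actions in sorted(report.items()):
        print(host, actions)
    print("exempt but still blocked:", exempt_but_still_blocked(report))
```

Point the parser at a FortiAnalyzer or syslog export of the UTM SSL logs to get the same tally for the whole fleet.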
