Is it blocked or exempt? Exempt comes first, then we get the ssl-anomalies.
We are seeing new behavior in 6.4.9. For Windows updates this was resolved by importing the CA, but for push.apple.com this was not resolved by importing Apple Public EV Server RSA CA 2 - G1.crt.
Created on 11-16-2022 11:03 AM Edited on 11-17-2022 04:34 AM
No, I just have *.apple.com as one of the addresses in my Exempt from SSL Inspection list and that SSL security profile is tied to my normal user data policies...not doing anything special to specifically focus on the Apple network in its own policy. I did not inquire about your certificate deployment, so not sure if you are using the built-in cert or if you did your own intermediate signed cert from your internal CA (this is how I do it). If you use Safari as your browser, it's not enough anymore to just deploy and trust the root...you also have to deploy and trust the intermediate as well. I will say that I was running 6.4.8 until recently and just updated to 7.0.8, and have run into other sites we deal with that have given me similar reporting responses like you are showing that did not need to be decrypted and have added to the exemption list with success.
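The exemption approach described in the reply above, written out as FortiOS CLI (an added example, not the poster's own configuration; the object, profile, interface and policy names are assumptions, as is the policy ID):

```text
# Added example, not from the thread. Names below are assumptions; use your own.

# 1. Wildcard FQDN object covering all Apple hosts, including push.apple.com
config firewall wildcard-fqdn custom
    edit "apple-wildcard"
        set wildcard-fqdn "*.apple.com"
    next
end

# 2. Deep-inspection profile that skips decryption for that object.
#    Matching traffic is logged as exempt rather than inspected, so
#    Apple's pinned connections are not dropped.
config firewall ssl-ssh-profile
    edit "deep-inspection-with-exemptions"
        config https
            set ports 443
            set status deep-inspection
        end
        config ssl-exempt
            edit 1
                set type wildcard-fqdn
                set wildcard-fqdn "apple-wildcard"
            next
        end
    next
end

# 3. Attach the profile to the ordinary outbound user policy.
#    No separate Apple-only policy above it is needed.
config firewall policy
    edit 10
        set name "users-outbound"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-with-exemptions"
        set nat enable
    next
end
```

After applying it, the SSL/UTM log entry for a connection to push.apple.com should show the exempt action rather than an ssl-anomaly; if it still shows the anomaly, check that the policy carrying the traffic actually references this profile.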
Apple typically does not like to be SSL decrypted for the most part, so we have apple.com as one of our exclusions in our deep packet inspection profile. https://support.apple.com/en-us/HT210060 - "Attempts to perform content inspection on encrypted communications between Apple devices and services will result in a dropped connection to preserve platform security and user privacy."
Thank you @Cajuntank for your reply. Prior to the firmware upgrade of our FortiGate fleet we have had hostnames exempted for people like Apple, which is the exempt message. But we still get some grief; do you exempt with a policy above the outbound-all for no cert inspection?