Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
hyder
New Contributor

Created on ‎03-16-2025 11:48 PM

Unable to block imessage application signature in Fortigate

I'm trying to block iMessage for all iPhone users connecting to FortiAP. We tested both deep inspection and certificate inspection in proxy mode, but it didn’t work. None of the 2000 iPhone users have the Fortinet certificate installed. For testing, we installed FortiNet certificate in one test device, but iMessage was still not blocked.

How can we effectively block iMessage for all iPhone users?

Labels:
180
0 Kudos
7 REPLIES 7
dbhavsar
Staff
Staff

Created on ‎03-17-2025 06:01 AM

Hello @hyder ,

 

From Application Control profile have you tried blocking "Apple.Messages" ?

Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-particular-application-using/...

DNB
152
0 Kudos
hyder
New Contributor
In response to dbhavsar

Created on ‎03-17-2025 10:24 AM

Dear @dbhavsar ,

 

We have created the Application Control signature profile Students with 'apple.message' with a block filter, along with 128 other signatures, called within the firewall policy for the student VLAN, which includes certificate inspection. However, the 'apple.message' signature is not functioning as expected. What steps should we take next?"

137
0 Kudos
dbhavsar
Staff
Staff

Created on ‎03-17-2025 01:31 PM

Hello @hyder ,

Have you tried deep packet inspection, and also what mode is configured on the policy [flow/proxy]. You can try creating a test policy and test using Deep packet inspection + Proxy mode and Deep packet inspection + Flow mode. Also what is the version of Fortigate you're using? 

DNB
122
0 Kudos
hyder
New Contributor
In response to dbhavsar

Created on ‎03-18-2025 09:50 AM

Dear @dbhavsar ,

 

The customer initially attempted to use certificate inspection with proxy mode, but it was unsuccessful. Next, we tried deep inspection with proxy mode and deep inspection with flow mode, without installing the certificate on the end devices. The assumption was that the SSL connection would fail, resulting in a block, but instead, the result was no internet access. As a result, we reverted back to certificate inspection with proxy mode.

 

Device model: 401F, firmware: v7.4.5

 

Regards,

92
0 Kudos
AndyNZ
New Contributor III

Created on ‎03-18-2025 03:17 PM Edited on ‎03-18-2025 03:18 PM

@hyder,

 

Are these private individually owned iPhones or company owned iPhones?

 

iPhones have a "WiFi Assist" feature which is enabled by default. This enables them to "fall back" to the mobile network if "WiFi connectivity is poor".

 

The devices you are testing with likely interpret your "block" as "WiFi connectivity is poor" and use the mobile network instead if "WiFi Assist" is enabled.

 

Do you have a test device you can disable "WiFi Assist" and retest to see if your WiFi blocking works?

 

Unless you can manage all of those 2000 devices (eg Microsoft Mobile Device Management or similar products) you may not be able to disable "WiFi Assist" and block iMessages over the WiFi to completely block iMessage sending in your environment.

 

Is that an area you have investigated?

 

Kind Regards,

 

 

 

 

Andy Bailey, Christchurch, New Zealand
Andy Bailey, Christchurch, New Zealand
75
0 Kudos
hyder
New Contributor
In response to AndyNZ

Created on ‎03-18-2025 06:06 PM

Dear @dbhavsar ,

 

Yes it is privately owned Iphone by all the users.

 

we would try with the wifi assist disable feature and test with both the scenarios,  deep inspection with flow based and proxy based with SSL certificate installed.

 

What are the chances that one of these methods will work? Additionally, if some users do not have the SSL certificate installed on their iPhones and the Application Control profile contains 129 signatures, why does iMessage not get blocked by default due to an unsuccessful SSL connection? Instead, why does it result in internet connectivity failure?

 

Regards,

 

35
0 Kudos
AndyNZ
New Contributor III
In response to hyder

Created on ‎03-18-2025 06:29 PM

Hi @hyder,

 

I hope you testing goes well and gives you a way forward.

 

My feeling is that unless you can control the behavior of the end devices you wont be able to block iMessages. By default the iPhone will drop back to the mobile network (or even Satellite networks like Starlink) in order to get iMessages delivered. Here's a link to an Apple Support topic for WiFi Assist:-

 

https://support.apple.com/en-us/102228

 

If they are personally owned devices you can't control that behavior and users could just enable "WiFi assist" to send their messages (even if you got them to turn it off somehow).

 

If these were managed devices then (eg Microsoft inTune etc) you can control the behavior of WiFi assist and also push the certificates required for deep inspection.

 

I could be wrong of course- so testing this is certainly a wise approach.

 

One further question- why do you want to block iMessages? What's the purpose of that approach?

 

Kind Regards,

 

Andy Bailey, Christchurch, New Zealand
Andy Bailey, Christchurch, New Zealand
20
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.