Support Forum
hyder
New Contributor

Unable to block imessage application signature in Fortigate

I'm trying to block iMessage for all iPhone users connecting to FortiAP. We tested both deep inspection and certificate inspection in proxy mode, but it didn't work. None of the 2000 iPhone users have the Fortinet certificate installed. For testing, we installed the Fortinet certificate on one test device, but iMessage was still not blocked.

How can we effectively block iMessage for all iPhone users?

dbhavsar
Staff

Hello @hyder ,

From the Application Control profile, have you tried blocking "Apple.Messages"?

Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-particular-application-using/...

DNB
hyder
New Contributor

Dear @dbhavsar ,

We have created the Application Control signature profile "Students" with 'apple.message' set to block, along with 128 other signatures, and called it within the firewall policy for the student VLAN, which includes certificate inspection. However, the 'apple.message' signature is not functioning as expected. What steps should we take next?

dbhavsar
Staff

Hello @hyder ,

Have you tried deep packet inspection, and also what mode is configured on the policy [flow/proxy]? You can try creating a test policy and testing with deep packet inspection + proxy mode and deep packet inspection + flow mode. Also, what version of FortiGate are you using?

DNB
hyder
New Contributor

Dear @dbhavsar ,

The customer initially attempted to use certificate inspection with proxy mode, but it was unsuccessful. Next, we tried deep inspection with proxy mode and deep inspection with flow mode, without installing the certificate on the end devices. The assumption was that the SSL connection would fail, resulting in a block, but instead the result was no internet access. As a result, we reverted to certificate inspection with proxy mode.

Device model: 401F, firmware: v7.4.5

Regards,

AndyNZ
New Contributor III

@hyder,

Are these private individually owned iPhones or company owned iPhones?

iPhones have a "WiFi Assist" feature which is enabled by default. This enables them to "fall back" to the mobile network if "WiFi connectivity is poor".

The devices you are testing with likely interpret your "block" as "WiFi connectivity is poor" and use the mobile network instead if "WiFi Assist" is enabled.

Do you have a test device on which you can disable "WiFi Assist" and retest to see if your WiFi blocking works?

Unless you can manage all of those 2000 devices (e.g. Microsoft Mobile Device Management or similar products) you may not be able to disable "WiFi Assist" and block iMessages over the WiFi to completely block iMessage sending in your environment.

Is that an area you have investigated?

Kind Regards,

Andy Bailey, Christchurch, New Zealand
hyder
New Contributor

Dear @dbhavsar ,

Yes, they are privately owned iPhones for all the users.

We will try the WiFi Assist disable feature and test both scenarios, deep inspection with flow-based and proxy-based mode, with the SSL certificate installed.

What are the chances that one of these methods will work? Additionally, if some users do not have the SSL certificate installed on their iPhones and the Application Control profile contains 129 signatures, why does iMessage not get blocked by default due to an unsuccessful SSL connection? Instead, why does it result in internet connectivity failure?

Regards,

AndyNZ
New Contributor III

Hi @hyder,

I hope your testing goes well and gives you a way forward.

My feeling is that unless you can control the behavior of the end devices you won't be able to block iMessages. By default the iPhone will drop back to the mobile network (or even satellite networks like Starlink) in order to get iMessages delivered. Here's a link to an Apple Support topic for WiFi Assist:

https://support.apple.com/en-us/102228

If they are personally owned devices you can't control that behavior and users could just enable "WiFi Assist" to send their messages (even if you got them to turn it off somehow).

If these were managed devices (e.g. Microsoft Intune etc.) then you can control the behavior of WiFi Assist and also push the certificates required for deep inspection.

I could be wrong of course, so testing this is certainly a wise approach.

One further question: why do you want to block iMessages? What's the purpose of that approach?

Kind Regards,

Andy Bailey, Christchurch, New Zealand
hyder
New Contributor

Dear @dbhavsar ,

Despite testing both deep inspection with proxy mode and deep inspection with flow-based mode, iMessages were still sent successfully. The test iPhone had the certificate installed, with WiFi Assist and mobile data disabled, yet messages continued to go through (even in flight mode with WiFi only).

Additionally, no Apple message logs appeared under security events or forwarded traffic (only entries like Apple.Services or iCloud, all with action pass).

The goal is to block sending images, texts, and other content via iMessage. Please advise on further steps to enforce this policy effectively.

Regards.
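The last post reports that no Apple message entries appear in the security event or forwarded-traffic logs at all, only Apple.Services and iCloud with action pass. That is the observation worth checking systematically before changing inspection modes again: a signature that never appears in app-ctrl logs was never matched to the traffic, which is a different failure from "matched but the action was pass". The script below is an added example, not part of this thread and not Fortinet code. It parses FortiGate-style key=value log lines, summarises what app-ctrl did per application, lists what a given test device's traffic was classified as, and reports whether a named signature fired for that device. The log lines, the test phone address 10.20.30.40, the app names and the destination addresses are all constructed for the example; only the field names (subtype, eventtype, srcip, dstport, app, action) follow the usual FortiOS log schema. The port_classification helper looks at TCP 5223, which Apple's push service (the transport iMessage rides on) uses; treating that port as the thing to look at is an assumption of the example, not something the thread establishes.

```python
import re
from collections import Counter

# Constructed sample log lines in FortiGate key=value syslog style. The IPs,
# timestamps and app names are illustrative, not taken from the thread or from
# a real FortiGate; the field names follow the usual FortiOS log schema.
SAMPLE_LOGS = """\
date=2024-09-01 time=10:01:02 type="utm" subtype="app-ctrl" eventtype="signature" srcip=10.20.30.40 dstip=17.57.144.10 dstport=5223 proto=6 app="Apple.Services" appcat="Collaboration" action="pass"
date=2024-09-01 time=10:01:05 type="utm" subtype="app-ctrl" eventtype="signature" srcip=10.20.30.40 dstip=17.248.1.5 dstport=443 proto=6 app="iCloud" appcat="Storage.Backup" action="pass"
date=2024-09-01 time=10:01:09 type="utm" subtype="app-ctrl" eventtype="signature" srcip=10.20.30.41 dstip=142.250.1.1 dstport=443 proto=6 app="Google.Services" appcat="General.Interest" action="pass"
date=2024-09-01 time=10:02:00 type="utm" subtype="app-ctrl" eventtype="signature" srcip=10.20.30.41 dstip=157.240.1.1 dstport=443 proto=6 app="Facebook" appcat="Social.Media" action="block"
date=2024-09-01 time=10:02:30 type="traffic" subtype="forward" srcip=10.20.30.40 dstip=17.57.144.10 dstport=5223 proto=6 action="accept" app="Apple.Services"
"""

# key=value pairs: the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one FortiGate log line into a dict of field -> unquoted value."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def parse_logs(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def appctrl_events(records, srcip=None):
    """Only UTM app-ctrl signature events, optionally restricted to one source IP."""
    return [r for r in records
            if r.get("subtype") == "app-ctrl" and r.get("eventtype") == "signature"
            and (srcip is None or r.get("srcip") == srcip)]


def app_action_summary(records, srcip=None):
    """Count (app, action) pairs so you can see what each signature actually did."""
    return Counter((r.get("app"), r.get("action")) for r in appctrl_events(records, srcip))


def apps_seen_from(records, srcip):
    """Sorted application names the test device's traffic was classified as."""
    return sorted({r["app"] for r in appctrl_events(records, srcip) if "app" in r})


def signature_fired(records, app_name, srcip=None):
    """True if app-ctrl matched app_name at all (pass or block). No entry at all
    means the traffic was never classified as that application, which is a
    different problem from 'matched but the action was pass'."""
    return any(r.get("app") == app_name for r in appctrl_events(records, srcip))


def port_classification(records, srcip, dstport):
    """What app-ctrl called the device's sessions to a given destination port."""
    return sorted({r["app"] for r in appctrl_events(records, srcip)
                   if r.get("dstport") == str(dstport) and "app" in r})


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    test_phone = "10.20.30.40"   # assumed address of the test iPhone
    for (app, action), n in sorted(app_action_summary(recs).items()):
        print(f"{app:20} {action:6} {n}")
    print("test phone classified as:", apps_seen_from(recs, test_phone))
    print("Apple.Messages fired for test phone:",
          signature_fired(recs, "Apple.Messages", test_phone))
    print("port 5223 sessions classified as:",
          port_classification(recs, test_phone, 5223))
```

Run it against an export of the app-ctrl and forward-traffic logs filtered to the test device's IP during a test send. If the signature you set to block never appears for that source, the next question is which signature the same sessions were attributed to (here, everything on 5223 shows up as Apple.Services with action pass), and that is what to raise with support rather than the inspection mode.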
