- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- How to deal with Adobe Creative Cloud?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to deal with Adobe Creative Cloud?
I am looking for advice on how to deal with Adobe Creative Cloud.
Fortinet provided information (Internet Services, etc.) unfortunately seem not complete.
I need to close down all unnecessary traffic from inside to the internet.
One of the policies should deal with Adobe Creative Cloud, but I can't make it work reliably.
I tried a combination of Adobe Internet Services and Security Profiles:
- Policy with all Adobe Internet Services and no Security Profile
- Adobe Cloud is unreliable and does not connect, lots of timeouts. With some troubleshooting I have found additional IP Addresses that are not in any of the Fortinet provided Internet Services. Examples are *.adobess.com, *,typekit.com, *.astockcdn.net, *.adobejanus.com
- Thus I created an additional policy with the aboce FQDN, all using HTTPS
- Better, but i probably missed yet another set of IP addresses.
- Enhanced the policy with a Security Profile with all categories blocked, adding all I could find on Adobe manually in a Filter Override.
- Tested this also with no Adobe Internet Services, but All/All
- That prooved not so efficient as expected
- Changed the Application Control to let through everything in Monitor mode
- This is the current status, but I still have a ALL/ALL rule at the end where apparent Adobe traffic is leaking into.
- As I closed down all other traffic, I recognized additional blocks in Policy 0.
Interestingly, those blocked connections were labeled as Adobe...
Examples are
13.224.92.48 (static.adobelogin.com) -> Amazon-AWS (but not any Adobe Internet Service...)
2.21.22.155 (helpx.adobe.com) -> Akamai-CDN (but not any Adobe...)
40.126.31.136 (www.tm.a.prd.aadg.akadns.net) -> Suspect Adobe usage, but I'm not sure
162.247.242.19 (bam.nr-data.net) -> New Relic (but not any Adobe...)
there are more..
For some of those I checked Adobe Acrobat DC with procmon looking at the IP connections opened directly on one of the PC's. Obviously I cannot directly link back to the above FQDN's as I only see PTR records in procmon.
Fact is that I, despite using the Fortinet provided Internet Services and the Application Profile, I can't make Adobe Cloud working correctly. But I do not want to keep everything open.
So, what might be your advise on how I can approach this?
Thanks
Dan
Labels:
- Labels:
-
FortiGate
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dan,
The most important two features implied are 'detection' and 'blocking', and we need to find out where it fails.
To correctly detect the HTTPS traffic, you need proxy-mode policy, Application control profile, "deep-inspection" SSL-SSH profile, and possibly Webfilter profile as well.
In some of your tests it seems that you managed to get the detection working, but blocking is effective on other profiles - need to see what security feature is blocking these sites (in logs). Some of the domains may not be allowed by allowing only Adobe (AWS/Akamai..) - these may be used by other sites as well, therefore may fall in the blocking category for those.
This being said, a better approach is to block unwanted specific elements/domains/categories rather than allow only specific domains.
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Labels
-
FortiGate
6,454 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.