topic Re: Apple services not working with HTTPS inspection in Firewall and Security Management

Apple services not working with HTTPS inspection

Austin_Ponten — Mon, 15 May 2023 08:26:25 GMT

Hi, First post so I will do my best 🙂

The environment is R80.40 Take196

The issue:

We are trying to perform HTTPS Inspection for our trusted client networks for a customer. The problem arises when Apple per their post here https://support.apple.com/en-us/HT210060 state "Attempts to perform content inspection on encrypted communications between Apple devices and services will result in a dropped connection to preserve platform security and user privacy."

So, we created exceptions for this in the policy. I followed the guidelines listed in these:

https://community.checkpoint.com/t5/Security-Gateways/Apple-and-HTTPS-Inspection/m-p/176059/highlight/true#M32177

https://support.checkpoint.com/results/sk/sk108191

https://support.checkpoint.com/results/sk/sk112994

The First two links did not help, as the redirects via AKAMAI Tech did not get caught by the Bypass exceptions no matter how many *apple.com domains or certificates were added.

The last link where in step 3 it states to:

"Create a Network object that specifies the relevant AKAMAI network (based on the example above - 88.221.0.0/16)"

Does in fact make the exception for inspection work, but my client nor I find this as a valid solution as Apple is not the only tenant for AKAMAI Tech.

The question I present to the community is: How can I perform content inspection on ONLY Apple-related traffic WITHOUT compromising my internal client networks?

I can provide additional information if needed, and thanks for reading my first post 🙂

-A

Re: Apple services not working with HTTPS inspection

G_W_Albrecht — Mon, 15 May 2023 09:38:32 GMT

I woud suggest to contact TAC to get an official solution !

Re: Apple services not working with HTTPS inspection

Sorin_Gogean — Mon, 15 May 2023 10:49:15 GMT

Hello @Austin_Ponten ,

Can you be more specific on the problem you're seeing?

I was setting up recently several Apple Cache servers and you can see below the firewall rules we have for those boxes.

(we have HTTPS Inspection enabled for ALL HTTPS 443 traffic)

The custom objects are below (no REGEXP):

apple.com object	c.apple.news object	App Store Object
.apple.com .apple.com .icloud.com .icloud.com appleid.cdn-apple.com .cdn-apple.com *.cdn-apple.com	c.apple.news .apple.news *.apple.news	apps.mzstatic.com .mzstatic.com .mzstatic.com .icloud-content.com .icloud-content.com

With all those settings, I can tell you that I see the Apple Cache machines, being able to communicate with Apple Cloud, and the packages are downloaded/validated without any issues.

Thank you,

Re: Apple services not working with HTTPS inspection

Austin_Ponten — Mon, 15 May 2023 11:30:12 GMT

Hi thanks for the quick reply. Yes, I initially went to TAC to get help and after a bit of testing and labbing gave me the following answer "Unfortunately, without having the proper ranges for AKAMAI, it is trickier to find a way to bypass only the specific services without the knowledge of the specific IP addresses for AKAMAI." and closed the case.

-A

Re: Apple services not working with HTTPS inspection

Austin_Ponten — Mon, 15 May 2023 11:36:39 GMT

Hi, Thanks for your quick reply.

I followed your suggestions to a T as a test for our implementation, but for us, our Mac users cannot initiate a software update, run iTunes, download or search apps in the store etc. (all Apple-related user content).

The thing is, that out of 10 connection attempts, I would say maybe 1-2 will actually work as the traffic is not redirected via AKAMAI and the user is able to reach iTunes or the App Store using the exceptions I had made either from your suggestion or a combination of 17.0.0.0/8, domains, and certificate additions.

The problem is slightly different I guess than those Apple cache machines I'm afraid..

-A

Re: Apple services not working with HTTPS inspection

the_rock — Mon, 15 May 2023 11:49:59 GMT

I worked for some time with customer who has 95% of their environment Mac books and Mac minis, so Im fairly familiar with this. Sadly, I dont have access to their environment currently, so will see if I can find some screenshots/notes about how we made this work. I do recall we added whatever we could find when searching Apple in updatable objects for https inspection bypass, and then also added all Apple IP ranges to be allowed as well.

Re: Apple services not working with HTTPS inspection

G_W_Albrecht — Mon, 15 May 2023 11:58:45 GMT

So all is clear - official solution is to use IPs / IP Ranges.

Re: Apple services not working with HTTPS inspection

Sorin_Gogean — Mon, 15 May 2023 12:18:04 GMT

Hello @Austin_Ponten ,

I don't remember any AKAMAI addressing while looking for the Apple traffic permissions .

The example I give you, with Apple Cache, as you addressed issues with Apple traffic, and Apple Cache is ONLY Apple traffic - packages and updates .

On those failure, can you show some logs - I really don't get it why ppl are so shy in showing logs 😕 - as those can point us other to other ideas.

Thank you,

Re: Apple services not working with HTTPS inspection

the_rock — Mon, 15 May 2023 12:30:45 GMT

K, found it from my notes...so here is what we bypassed and worked fine.

Andy

Sadly, you cant add much from updatable objects, as this is only thing that pops up and in all honestly, its utterly useless.

Re: Apple services not working with HTTPS inspection

G_W_Albrecht — Mon, 15 May 2023 12:34:09 GMT

Not useless, but only usable on SMB appliances ! Akamai has an Updateable Object...

Re: Apple services not working with HTTPS inspection

the_rock — Mon, 15 May 2023 12:37:05 GMT

I had client tell me before they had TAC add it for them for SMB as well and it did absolutely nothing. Anyway, you are correct, Akamai updatable object is there, so that may help, for sure.

Re: Apple services not working with HTTPS inspection

Austin_Ponten — Mon, 15 May 2023 12:49:01 GMT

Hi, It is more out of laziness that I wasn't showing any logs as I don't have access to a test Mac user readily. I did procure a history log from last week's testing that displays the problem at hand.

It shows the user attempting to reach Software updates from Apple, but the destination is akamaitechnologies.com which gets inspected since it is not defined in the Bypass exceptions for Apple and then it is dropped.

-A

Re: Apple services not working with HTTPS inspection

the_rock — Mon, 15 May 2023 12:52:13 GMT

Just create custom app category and add *akamai* and make sure its allowed in regular layer, as well as https inspection policy and test.

Andy

Re: Apple services not working with HTTPS inspection

Austin_Ponten — Mon, 15 May 2023 12:56:18 GMT

That might work yes, but the whole point that I am trying to do is to avoid this "any any" rule, As far as I am aware Apple is not the only company that uses Akamai as a CDN and I would like to not create a larger exception than needed.

I don't know what specific customers they have, but my first Google result is https://www.appsruntheworld.com/customers-database/products/view/akamai-cdn

-A

Re: Apple services not working with HTTPS inspection

Austin_Ponten — Mon, 15 May 2023 13:01:01 GMT

I have done a variant of this, including the custom objects that @Sorin_Gogean had suggested, but not the exact looking one as yours, I will add this to the policy and see if there is any change. You only had this destination custom app object in the rule then?

-A

Re: Apple services not working with HTTPS inspection

the_rock — Mon, 15 May 2023 13:02:18 GMT

Yep and I forgot *icloud*, it was there as well.

Andy

Re: Apple services not working with HTTPS inspection

Sorin_Gogean — Mon, 15 May 2023 13:17:15 GMT

I see, so your issue was not with the firewall access permissions, but the HTTPS Inspection part.

On our side we're having this rule - see below - and on the Custom Applications we're setting a 2nd category "HTTPS_Inspection_Bypass" that is set here not to be inspected.

You DO NOT NEED to except AKAMAI as you think, since all calls are done towards apple.com or similar domains, like I showed you in the previous screenshots/tabels .

Thank you,

Re: Apple services not working with HTTPS inspection

Austin_Ponten — Mon, 15 May 2023 13:39:12 GMT

Interesting. Yes I have the Custom App object for Apple, but what is in the custom category HTTPS_Inspection_Bypass that you use to catch Apple-related traffic that I might be missing?

-A

Re: Apple services not working with HTTPS inspection

Austin_Ponten — Mon, 15 May 2023 13:41:57 GMT

I tried this and removed all my other bypass rules that I was testing with and such, and the first test worked! I won't call the Nobel org just yet, but if this does end up lasting the next 24 hours I will almost have more questions than answers...

Thanks for the input!

-A

Re: Apple services not working with HTTPS inspection

the_rock — Mon, 15 May 2023 13:46:11 GMT

Glad to hear. BUT, here is what I will tell you...with customer I was talking about, we made exact same rules in ordered layer (where fw and url/app[ control blades were enabled, as they came from Cisco, so did not feel comfortable with multiple ordered layers) and https inspection policy, meaning we bypassed that custom object with 17.0.0.0/8 range, *apple*, *itunes* and *icloud* and all worked fine. I dont have access to their environment, as they feel comfortable fixing their own CP issues now and dealing with TAC if needed, but Im happy to take screenshots in my lab to demonstrate, as it would be very similar to how they have it.

Let me know if thats needed, but if not, keep us posted.

Andy