FortiGate
mramalinga
Staff
Article Id 190203

Description
This article describes the steps to resolve a connection problem to an iCloud application (for example fmip.icloud.com) when SSL deep inspection is enabled on the FortiGate.

Useful links:

Fortinet Documentation
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/Certificates.htm

External
https://www.ssllabs.com/ssltest/
https://www.digicert.com/help/
https://www.fortinetguru.com/2016/06/installing-a-ca-root-certificate-and-crl-to-authenticate-remote...
https://www.apple.com/certificateauthority/

Solution
Troubleshooting Steps

Verify the traffic log to understand why the traffic is blocked or dropped.
Go to Log & Report -> Forward Traffic and check the Details tab for the corresponding traffic.

Check the Security tab for information on the hostname that was matched.

Verify the host (fmip.icloud.com) on https://www.ssllabs.com/ssltest/ or https://www.digicert.com/help/
The self-signed Apple Root CA that signed fmip.icloud.com is not trusted by any browser except Apple's, and it is not in the FortiGate's default CA store either, so deep inspection treats the server certificate as untrusted.

Solution:

Download the 4 Apple Root CA certificates from https://www.apple.com/certificateauthority/ and install them on the FortiGate by following 'How to install CA Root Certificate'.

Workaround:

Allow ‘Untrusted SSL Certificates’ and enable ‘Allow Invalid SSL Certificates’ under the SSL/SSH profile used in the policy. However, this is not recommended, because it disables certificate validation for every server the policy inspects rather than trusting the one missing root.
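The following Go program is an added example, not part of this article and not Fortinet code. It reproduces the trust failure behind step 3 with a constructed self-signed root standing in for Apple Root CA and a constructed leaf certificate for fmip.icloud.com: a trust store without that root classifies the server certificate as untrusted, adding the root (the article's solution) makes it trusted, and an expired leaf stays invalid even with its root installed, which is why the 'Allow Invalid SSL Certificates' workaround is a different thing from installing the CA. The names standInRootCN, issue, buildPKI and classifyServerCert are this example's own. Against the real host, the presented chain can be inspected with openssl s_client -connect fmip.icloud.com:443 -servername fmip.icloud.com -showcerts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in, NOT Apple's real root: it plays the self-signed Apple
// Root CA that signs the (equally constructed) fmip.icloud.com certificate.
const standInRootCN = "Constructed Apple Root CA (stand-in)"
// issue generates a P-256 key and signs tmpl with parentKey; with a nil
// parentKey the certificate is self-signed with its own new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildPKI returns a fresh root and a leaf for fmip.icloud.com signed by it.
// With expired=true the leaf's validity lies in the past (an "invalid" cert).
func buildPKI(expired bool) (root, leaf *x509.Certificate, err error) {
	now := time.Now()
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: standInRootCN},
		NotBefore:             now.Add(-48 * time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	notBefore, notAfter := now.Add(-time.Hour), now.Add(12*time.Hour)
	if expired {
		notBefore, notAfter = now.Add(-48*time.Hour), now.Add(-24*time.Hour)
	}
	leaf, _, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "fmip.icloud.com"},
		DNSNames:     []string{"fmip.icloud.com"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}, root, rootKey)
	return root, leaf, err
}

// classifyServerCert does what the deep-inspection proxy does: validate the server
// certificate for the expected hostname against the CAs it trusts. "untrusted-root"
// is the article's case (fixed by installing the root CA); "invalid" means the
// certificate itself fails (expired, name mismatch), which no CA install can fix.
func classifyServerCert(leaf *x509.Certificate, host string, trusted *x509.CertPool) (string, error) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	var unknownCA x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "trusted", nil
	case errors.As(err, &unknownCA):
		return "untrusted-root", err
	default:
		return "invalid", err
	}
}

func main() {
	root, leaf, err := buildPKI(false)
	if err != nil {
		panic(err)
	}
	// Step 3 of the article: who signed the server certificate?
	fmt.Printf("%q issued by %q\n", leaf.Subject.CommonName, leaf.Issuer.CommonName)
	store := x509.NewCertPool() // trust store without the Apple root, as before the fix
	status, err := classifyServerCert(leaf, "fmip.icloud.com", store)
	fmt.Printf("before installing root CA: %s (%v)\n", status, err)
	store.AddCert(root) // the article's solution: install the root CA
	status, _ = classifyServerCert(leaf, "fmip.icloud.com", store)
	fmt.Printf("after installing root CA:  %s\n", status)
	expRoot, expLeaf, _ := buildPKI(true) // expired leaf stays invalid even with its root installed
	store.AddCert(expRoot)
	status, err = classifyServerCert(expLeaf, "fmip.icloud.com", store)
	fmt.Printf("expired server cert:       %s (%v)\n", status, err)
}
```

Run it with go run; the three classifications printed map onto the two SSL/SSH profile settings: the untrusted-root result is what installing the Apple Root CA certificates resolves, while the invalid result is the class of failure that 'Allow Invalid SSL Certificates' would silence for every inspected server.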