Created on 08-20-2019 04:52 AM Edited on 01-31-2022 09:44 PM By Anonymous
Description
This article describes the steps to resolve problem when connecting to an application in icloud with deep inspection enabled.
Useful links:
Fortinet Documentation
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/Certificates.htm
External
https://www.ssllabs.com/ssltest/
https://www.digicert.com/help/
https://www.fortinetguru.com/2016/06/installing-a-ca-root-certificate-and-crl-to-authenticate-remote...
https://www.apple.com/certificateauthority/
Solution
Troubleshooting Steps
Verify the traffic log to understand why traffic is blocked/dropped.
Go to Log & Report -> Forward Traffic and check the Details tab for the corresponding traffic.
Check the Security tab for information on hostname matched.Verify the host (fmip.icloud.com) on https://www.ssllabs.com/ssltest/ or https://www.digicert.com/help/
The Apple Root CA (Self-signed) who signed fmip.icloud.com is not trusted by any browsers except Apple.Solution:Download the 4 Apple Root CA certificates from https://www.apple.com/certificateauthority/ and install on FortiGate by following How to install CA Root Certificate.Workaround:Allow ‘Untrusted SSL Certificates’ and enable ‘Allow Invalid SSL Certificates’ under SSL/SSH Profile used in the policy. However, this is not recommended.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.