Solved

Fortigate's blocking iOS traffic

Posted on 2014-01-26
Last Modified: 2014-02-14
Recently I have upgraded two clients to the newest firmware released for Fortigates, 5.0.5.  Both clients heavily utilize iOS in their environments and somewhere along the upgrade path to 5.0.5, iOS traffic seems to be downright blocked, or downloads start but are never successful.  By blocked, I mean the user will attempt to download iOS updates, iBooks, applications, etc., and either the download never starts and eventually times out, or the download does start but only gets a few Mb in before it stops.  One client has even reported this extends to Mac users attempting to use iTunes.

Besides the firmware upgrade to 5.0.5, nothing about these clients' networks has changed.  Each is using different wireless setups, different switching, etc.  One client has a Fortigate 100D and the other 2x300C in an Active-Active HA cluster.

During testing with each client, I have disabled everything down to the web filter.  With the web filter active, the problem exists, but with the web filter disabled, users can download successfully.  The traffic and web filter UTM logs show no traffic being blocked.  In testing, the web filter was set to allow all and web filter exceptions were placed for common URLs seen in traffic logs while users browsed to Apple/iOS related applications.

I have attempted to work with Fortinet support on the issue but their solution has been to factory reset each firewall, re-import the config, and follow the firmware upgrade matrix again in case there was corruption in the previous upgrade.  They have not been able to indicate that there actually are any signs of corruption and the 300C client firewalls came out of the box only one build behind the most recent release, so I highly doubt there was corruption upgrading one firmware release.

At this point I am contemplating downgrading the firmware on each firewall until I find the most recent release in which this problem does not exist, but the point of upgrading in the first place was to fix other bugs in the ipsengine and proxyworker processes that were causing issues.

Thanks for any help.
Question by:vthelp
4 Comments
 
LVL 1

Expert Comment

by:Zabo1
ID: 39810576
Do you have a rule that allows iOS devices access to time.apple.com over NTP?

Author Comment

by:vthelp
ID: 39811086
I can try this in testing tomorrow with one of the clients.  Is this something that is critical to iOS updates and applications in order for them to work?  If it is and the firewalls are blocking this, any clue as to why I might not be seeing that in any of the UTM logs?

I have worked with previous Fortigate firmware releases that caused similar issues like this, blocking certain traffic but showing nothing in the logs, and it was a huge time sink tracking down the resolution, just like this one has been.

Thanks again.
LVL 1

Accepted Solution

by:
Zabo1 earned 500 total points
ID: 39817645
I know that it is critical to iOS to have access to time.apple.com, not sure why it's not showing in your Fortigate firewall logs.  On some firewalls you have to specify a deny rule in order for blocked traffic to show in the log.

Author Closing Comment

by:vthelp
ID: 39859393
Fortigate ended up finding there was a bug in FortiOS 5 patch 5 and after upgrading to patch 6, the issue was resolved.