Firewall silently blocking Apple MDM push services

We had issues with the FQDNs

gateway.push.apple.com

api.push.apple.com

on our XG v17.5 MR12.

Those FQDNs contain very huge lists of IP addresses. Maybe even dynamically changing. And I guess that's a problem for the XG.

Used by Apple mobile devices in combination with our MDM solution.

We created a FW rule for our MDM Srv to allow several services, including 443/HTTPS, to those FQDNs. Logging enabled.

The MDM Admin always complained, he could still not connect to the Apple devices with his MDM even if there were no blocked packets logged on the firewall.

Even on shell with drop-packet-capture I was not able to find blocked packets.

I was only able to see the packets in GUI Packet Capture. They were shown as "Consumed", not Dropped or Violation. No idea what the exact meaning of this is here...?

The only solution here was to allow the whole Apple subnet 17.0.0.0/8 instead of the FQDN names listed above. This is mentioned in several references for MDM solutions. Also there is a Sophos KB, KB117650, that's about this range.

Is this a known problem with large FQDN ranges? I only knew about those limitations in the good old UTM times, some years ago.
  • FormerMember
    0 FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    XG firewall will update FQDN to the corresponding IP address when it gets the request from the client for the domain. If the client sends a request with the destination IP address, the FQDN firewall rule will not see this traffic. 

    Could you please verify if the client is sending traffic with the destination domain or an IP address by running Wireshark on the workstation? 

    Thanks,

  • Hi H_Patel,

    I checked quickly with ipconfig -displaydns and netstat -ano.

    There was in fact no DNS resolution. The program (Baramundi) seems to communicate with static IPs. I could see 17.188.168.8:443 in netstat.

    But I think beside the initial issue here, there may be a design issue in DNS resolution in our case. If you look at the following scheme, you can see that the IP for a FQDN a LAN machine is requesting at its internal DNS server is never directly resolved by the XG firewall.

    The XG firewall also uses the internal DNS server, but in cases where the FQDNs have such huge IP lists like here with Apple, I think the XG may miss some IPs.

    I would expect it would be better if we forward the name resolution queries of the DMZ DNS server to the XG firewall and switch the XG DNS forwarder from the internal DNS server to the ISP and Google DNS servers, so that our DMZ DNS and XG DNS caches have the same name/IP entries. Then use domain routes in XG DNS for the internal domains. Do you agree here?


    And can you please find out if there is a limitation in the number of IPs that can be resolved for a FQDN by Sophos XG?

  • FormerMember
    0 FormerMember in reply to LHerzog

    Hi,

    If the client is sending the request with an IP address of the destination application/server then the FQDN rule will not see this request. In that case, you have to create a rule with the destination server IP or network to bypass the filters on the firewall. Changing the DNS server will not help as long as the client sends the request with the IP address.

    What is the model number of your firewall?

    Thanks,
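    The point made in the two replies above, that an FQDN rule only matches addresses the firewall has learned from DNS answers it saw and that a client which connects straight to an IP (as the netstat check showed with 17.188.168.8:443) never triggers that learning, can be checked on the MDM server side with a short audit. The following is an added example, not code from the thread or from Sophos: it parses netstat -ano style output, compares each remote address against a constructed set of addresses the firewall is assumed to have resolved for the two Apple FQDNs, and then against the static 17.0.0.0/8 range from KB117650. The cached addresses, the netstat lines and the PID are all made up for illustration; only the 17.188.168.8 address and the /8 range come from the thread.

```python
import ipaddress
import re

# Constructed sample of what the firewall is assumed to have learned for the
# two FQDNs from DNS answers it observed. Real answers differ and change; these
# addresses are made up inside Apple's 17.0.0.0/8 block for illustration.
FQDN_CACHE = {
    "gateway.push.apple.com": {"17.57.144.10", "17.57.144.11"},
    "api.push.apple.com": {"17.188.140.20"},
}

# The broad range the thread ended up allowing instead (Sophos KB117650).
STATIC_RANGES = [ipaddress.ip_network("17.0.0.0/8")]

# Constructed lines in the shape of `netstat -ano` output on the MDM server.
# 17.188.168.8 is the address seen in the thread; the rest are invented.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.10.5:51022     17.188.168.8:443       ESTABLISHED     4120
  TCP    192.168.10.5:51023     17.57.144.10:443       ESTABLISHED     4120
  TCP    192.168.10.5:51030     203.0.113.7:443        ESTABLISHED     4120
  UDP    0.0.0.0:123            *:*                                    1234
"""

# Established TCP rows: capture the remote IPv4 address and port.
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+\S+\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+ESTABLISHED"
)


def parse_connections(netstat_text):
    """Return (remote_ip, remote_port) for each established TCP connection."""
    conns = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            conns.append((m.group(1), int(m.group(2))))
    return conns


def classify(remote_ip, fqdn_cache=FQDN_CACHE, static_ranges=STATIC_RANGES):
    """Say which kind of firewall rule would match a connection to remote_ip.

    Returns a (kind, via) pair:
      ("fqdn", name)    the IP is one the firewall resolved for an FQDN in the rule
      ("static", net)   not known by name, but inside an allowed static range
      ("none", None)    neither; the packet would hit no allow rule at all
    """
    for name, addrs in fqdn_cache.items():
        if remote_ip in addrs:
            return "fqdn", name
    addr = ipaddress.ip_address(remote_ip)
    for net in static_ranges:
        if addr in net:
            return "static", str(net)
    return "none", None


def audit(netstat_text, fqdn_cache=FQDN_CACHE, static_ranges=STATIC_RANGES):
    """Classify every established HTTPS connection found in netstat output."""
    return {
        ip: classify(ip, fqdn_cache, static_ranges)
        for ip, port in parse_connections(netstat_text)
        if port == 443
    }


if __name__ == "__main__":
    for ip, (kind, via) in audit(NETSTAT_SAMPLE).items():
        print(f"{ip:16} -> {kind:6} {via or ''}")
```

    Run against real netstat output, any HTTPS connection reported as "static" is one the FQDN-only rule would have missed, which is exactly the situation described in the thread; "none" entries are connections that neither rule covers. Passing an empty static_ranges list shows what the rule set looked like before the /8 was added.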

  • Hi,

    what are your web exceptions? Please review the FQDN group for Apple to see what IP address ranges are used.

    To overcome (I am a home user) my Apple devices failing to connect to the Apple server, I had to create a firewall rule specifically allowing access to the FQDN Apple group with all firewall checking disabled, no HTTP/S scanning, e.g. no proxy. Further, there is a range of services I added to the rule to further restrict/control access.

    What you are seeing is that the Apple services do not like being scanned but are not dropped by the firewall they just fail to function on the end device.

    Ian

  • Hi,

    the model is XG430.
    Of course, a client should use the FQDN. If it uses an IP, it may not have been linked with the FQDN-based rule on the firewall.
    My experience is that the XG is checking FQDN IPs from time to time in the background. But of course, it has to do it in time when a DNS client of the XG requests the address.
    Is there an IP limitation for FQDN resolution?

    The server in this case is not enabled for XG Web Security. It only uses firewall rules. For other machines, all the Apple stuff has been put into Web Security exceptions.