Internet Reinstall MacOS Fails when going through firewall

In my home LAN I have an XG-125w with SFOS 18.5.  My MacBook Pro had a corrupted disk so I had to erase it and do an internet reinstall of MacOS.  This procedure downloads a new copy of the operating system and then installs it.  To get started, I made a debug rule bypassing everything and also made a do not decrypt rule. Next, I initiated the internet reinstall process.  If you’re not familiar with Macs, this procedure is handled through firmware since the disk is erased.

The internet procedure should take about two hours.  However, the time to complete kept increasing; it went to 22 hours when I killed it.  I tried this again with the same results.

Next, I physically bypassed the firewall entirely by taking it out of the connection and the procedure worked just fine.

Any ideas why this worked? I bypassed decryption and had an allow everything rule yet it still failed.

thanks.



  • Hi,

    Apple software does not like any form of decryption.  I have two firewall rules set up (IPv4 and IPv6) that allow my Apple devices open access to all Apple sites using a range of ports.

    You will find all the Apple sites in the SSL/TLS exception list.

    Ian

  • Thanks, but I had a ‘do not decrypt rule’ set for everything on the MacBook in addition to those Apple sites.  That’s one of the confusing issues here.

  • Hi Brian,

    The rule needs to have no web and application settings. I can post my rules if that would help?

    Ian

  • Sure, that would be good, thanks.  But my firewall rule is for debugging so everything is turned off.  Dunno, this is crazy.  I noticed in the SSL/TLS log viewer that there are some websites that were decrypted during the reinstall process before physically bypassing the XG that have apple or iCloud (besides the apple.com or iCloud.com sites) in the server names:

    www-mail.icloud-sandbox.com
    edge-022.usbos2.icloud-content.com
    cdn.apple-cloudkit.com
    api.apple-cloudkit.com


    I don't know if that was the issue or not.

  • Hi,

    I think you have nailed it with those sites. Add them to the SSL/TLS exception list.

    Ian

  • Another oddity is after the restore from Time Machine was complete, the SSL decrypt certificates were missing from the MacBook Pro keystore.  I went through the menus on the XG to download them, but couldn't find them.  Luckily, I had a backup which I tried to add to the XG CA list, but I got an error message stating that the certificate was already installed...but it didn't show up in the certificate listing.
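
Added example, not part of any post in this thread and not Sophos code: a small check that finds server names which mention a vendor keyword but fall outside a domain-and-subdomain exception list, which is the gap the four decrypted hostnames above point to. It assumes the exception list holds only `apple.com` and `icloud.com` (the thread does not show the actual entries), and the last two hostnames in the sample are constructed.

```python
# Added example: constructed inputs, not Sophos output or configuration.

# Assumed exception entries; the thread does not list the real ones.
EXCEPTION_DOMAINS = ["apple.com", "icloud.com"]

# Server names reported as decrypted in the thread, plus two constructed
# names that a domain-and-subdomain exception would cover.
OBSERVED = [
    "www-mail.icloud-sandbox.com",
    "edge-022.usbos2.icloud-content.com",
    "cdn.apple-cloudkit.com",
    "api.apple-cloudkit.com",
    "example-host.apple.com",     # constructed
    "example-host.icloud.com",    # constructed
]

def covered(host, domains):
    """True if host equals a domain or is a subdomain of it (label-boundary match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def registrable_guess(host):
    """Last two labels; a simplification that ignores multi-label public suffixes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def uncovered_lookalikes(hosts, domains, keywords=("apple", "icloud")):
    """Group hosts whose base domain mentions a keyword but is not excepted."""
    gaps = {}
    for h in hosts:
        if covered(h, domains):
            continue
        base = registrable_guess(h)
        if any(k in base for k in keywords):
            gaps.setdefault(base, []).append(h)
    return gaps

if __name__ == "__main__":
    found = uncovered_lookalikes(OBSERVED, EXCEPTION_DOMAINS)
    for base, hosts in sorted(found.items()):
        print(f"{base}: not covered by exceptions -> {', '.join(hosts)}")
```

The base domains it reports are candidates to review before adding them to an exception list, since a keyword match alone does not establish who operates a domain.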