apple.com URL Filtering Exception

We have a URL Filtering Exception for all apple.com traffic. See below.

^([A-Za-z0-9.-]*\.)?apple\.com\.?/

Is it possible to craft/recreate the above to apply the exception to all apple.com traffic except music.apple.com ?

Therefore blocking music.apple.com while still covering any other apple.com service/site they have/add in the future.

Thanks
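A way to check the idea before typing it into the firewall, as an added example that is not part of the original post or of Sophos's own code: a small Python harness that runs the poster's pattern and two candidate "everything except music.apple.com" patterns against constructed URLs. Two assumptions are labelled in the code: that the firewall matches the pattern against the URL with the scheme stripped (host followed by path, which is why the patterns start with ^ and put a / after the host), and that the product's regex matcher accepts a Perl-style negative lookahead (?!...). The second assumption needs checking against the Sophos documentation for your firmware; if lookahead is not supported, the separate drop rule on an FQDN host object suggested later in the thread is the safer route.

```python
import re

# Pattern quoted in the question: apple.com plus any subdomain, host followed by "/".
ORIGINAL = re.compile(r"^([A-Za-z0-9.-]*\.)?apple\.com\.?/")

# Candidate 1 (assumption: negative lookahead supported by the firewall's matcher).
# Rejects a URL whose host is exactly music.apple.com, then applies the original
# pattern. Subdomains such as beta.music.apple.com would STILL be exempt.
EXCEPT_MUSIC_HOST = re.compile(
    r"^(?!music\.apple\.com\.?/)([A-Za-z0-9.-]*\.)?apple\.com\.?/"
)

# Candidate 2: also excludes every subdomain of music.apple.com.
EXCEPT_MUSIC_TREE = re.compile(
    r"^(?!([A-Za-z0-9.-]*\.)?music\.apple\.com\.?/)([A-Za-z0-9.-]*\.)?apple\.com\.?/"
)


def normalize(url: str) -> str:
    """Assumption: the firewall strips the scheme and always has a '/' after the host.
    We mimic that so a bare 'https://apple.com' is compared as 'apple.com/'."""
    without_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    if "/" not in without_scheme:
        without_scheme += "/"
    return without_scheme


def is_exempt(pattern: re.Pattern, url: str) -> bool:
    """True when the URL would hit the exception (i.e. bypass filtering)."""
    return pattern.match(normalize(url)) is not None


def classify(url: str) -> tuple:
    """(original, except-host, except-tree) verdicts for one URL."""
    return (
        is_exempt(ORIGINAL, url),
        is_exempt(EXCEPT_MUSIC_HOST, url),
        is_exempt(EXCEPT_MUSIC_TREE, url),
    )


# Constructed sample URLs (not from the thread). The last three show that the
# original pattern already refuses look-alike hosts, and that cdn-apple.com is a
# different registrable domain, which is why the thread lists it separately.
SAMPLE_URLS = [
    "https://www.apple.com/mac/",
    "https://apple.com",
    "https://music.apple.com/us/browse",
    "https://beta.music.apple.com/",
    "https://updates.cdn-apple.com/",
    "https://apple.com.evil.example/",
    "https://notapple.com/",
]

if __name__ == "__main__":
    print(f"{'URL':40} original  host  tree")
    for u in SAMPLE_URLS:
        o, h, t = classify(u)
        print(f"{u:40} {o!s:8}  {h!s:5} {t!s:5}")
```

Run it and compare the three columns: www.apple.com stays exempt under all three patterns, music.apple.com is exempt only under the original, and beta.music.apple.com is the case that separates the two candidates. Whichever you pick, keep a test like this next to the rule so that future edits to the pattern can be checked before they go live.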



This thread was automatically locked due to age.
  • Hi,

    you would create an FQDN host for music.apple.com, create a rule with the FQDN at the top of your rule list and set it to drop traffic.

    Apple sites do not like to be decrypted and scanned, so rather than create exceptions you create a new rule based on the Apple.com etc. FQDNs and set that as the second rule in your firewall list.

    If needed, I will post my Apple rule?

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • If you could post your rule, that would be really helpful. Thanks

  • Hi,

    The web exceptions are needed even if you are not scanning and decrypting Apple traffic; some part of the XG does not follow the no web, no application and SSL/TLS ignore policies.

    I did include a couple of other Apple sites because I was not sure at the time they were part of the Apple IP group.

    I have Apple rules in IP4 and IPv6 firewall rules.

    Ian

    Just discovered a flaw in my disabling the Apple exceptions, because there are a couple of non-Apple sites that appear to be used by the App Store that I have added to the exception list.

    Further, I found some more holes in my Apple setup while trying out ideas for you.

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    another thought crossed my mind as to why I have the firewall rule and policies as shown above: I found that the Apple Photos app would not download photos correctly even with the exceptions in place.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Strangely enough, I couldn't get the Apple Mac store to work until I unchecked the 'Use web proxy instead of DPI engine' box in the firewall rule, even though I have the following web exceptions:

    updates.cdn-apple.com

    ^([A-Za-z0-9.-]*\.)?apple\.com\.?/

    ^([A-Za-z0-9.-]*\.)?cdn-apple\.com\.?/

    ^([A-Za-z0-9.-]*\.)?mzstatic\.com\.?/

    ^([A-Za-z0-9.-]*\.)?apple\-cloudkit\.com\.?/

    ^([A-Za-z0-9.-]*\.)?icloud\-content\.com\.?/

    ^([A-Za-z0-9.-]*\.)?icloud\.com\.?/

    ^([A-Za-z0-9.-]*\.)?iicloud\-sandbox\.com\.?/

    Any ideas why I had to uncheck the box to get the Apple Mac store to work?

  • Hi Brian,

    because of the range of ports used by Apple. I have a list of active ports as part of my firewall rule; it is not the full list of ports shown on the Apple site. Web proxy covers web ports, while DPI in theory covers all ports but not UDP.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.
