XG Firewall Apple TV+ Connection Issues

Ok, so I decided to give Apple TV+ a try.  I am aware of how finicky Apple products can be, but decided to give it a whirl anyway.  Perhaps I'm beating a dead horse on this.

The first issue was the XG blocking QUIC, once I allowed QUIC, streaming seemed to work fine.  Then things started going off the rails.  I now get intermittent issues where Apple Music and Apple TV+ cannot connect.  Apple TV+ provides the following message "Content Unavailable".  This occurs no matter if I use an iPad, iMac or Android box.

I use Android boxes with the Apple TV+ app installed.

Apple Music and Apple TV+ drop out every 15 or 20 minutes and they remain gone for several minutes before miraculously connecting.  During the Apple down time, the Apple TV+ connection tests pass connecting to the internet but fail with connection to Apple.  I can stream using Disney+ with full 4k HDR10 without a single hiccup at any time and no rule exemptions.  My Speedtest shows absolutely no issues with my fibre line.

I have tried a number of "troubleshooting" steps with disabling one thing or the other.  This became extremely time consuming since the XG takes a very long time to update a firewall rule.  To speed things up, I have created the following rule at the top of my rules list:

  • LAN to WAN
  • Allow any service
  • Allow any source
  • Allow any destination
  • Web Policy = "Allow All"
  • Malware scanning disabled
  • Use web proxy instead of DPI
  • App Control = "Allow All"
  • IPS = "None"

Believe it or not, with the above rule the Apple TV+ and Apple Music still refuse to connect.

At this stage I am at a complete loss as to how to troubleshoot this further.  I cannot see how the XG might be interfering with the connection.  

I should add that I am attempting to troubleshoot this from my iMac by testing the Apple TV+ app on it.

As I finish typing this post, Apple TV+ & Apple Music both came back online.


  • Have you tried looking at the various logs on the XG to see if you spot anything? In my case, I use DPI as much as possible, so the first place I look when a problem occurs is in that log, and then add exceptions as necessary (in the SSL/TLS inspection rules, as a group).

    I block QUIC entirely on my network and never have problems. (It's a problem if you turn on QUIC blocking, because devices already using it might not adapt, but when I rebooted those devices and they came back up and sensed QUIC was blocked, they fell back to non-QUIC -- as they should -- and worked. But I don't have any Google devices, and Google may force your hand because they don't want you watching what they do on your network.)

    Do you have the "Use web proxy instead of DPI" on to try to not use DPI for this test? I'm not sure that this totally overrides your SSL/TLS inspection rules, and would suspect that.

    Do you have any endpoint software running on your Android device that might be blocking things? (Thinking your Android Device might be a TV, though, which wouldn't have endpoint software on it.)

    Are you using clientless users and requiring Known Users in your firewall rule? Are you running IPv4/IPv6 dual-stack? You don't have any exclusions on the firewall rule and the firewall rule is scheduled for All The Time?

  • Hi,

    all Apple devices will not put up with decrypt and scan; they need an exception or a rule that allows their traffic through. I have a specific rule for the Apple devices that only allows them to connect to Apple sites. If you review the SSL/TLS exception list you will find it has exceptions for Apple networks. Further, the XG classification system mis-classifies some of the Apple traffic which, depending on how strict your rules are, might be causing part of your issue.

    My network has a Mac mini, MBPs, iPad, Time Machine and iPhones all using the FQDN exception rule for IPv4 traffic and IP addressing for IPv6 traffic. As Wayne advised, QUIC is not used and is blocked.

    Ian

    Edit:- and I forgot an Apple TV.

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • In my case, I'm using an AppleTV, which does access Apple sites, but using it to do Youtube and Amazon Prime Video, and neither of those services tolerate DPI either. I had to add their servers to exception lists and every couple of months they'd bring another one online and things would break and I had to add it... so I eventually just exempted the AppleTV (via clientless user).

    Plus Youtube appears to use its image server to insert pixel trackers in websites so I shut that down on my laptops, but have to allow it on the AppleTV or I don't get thumbnails of videos. :-(

  • From memory I have most streaming services exempted from scanning.

    Ian

  • Hi rfcat,

    The SSL/TLS scanning was the one item I overlooked.  It seems that even with Web protection disabled, those rules still get applied.  In any event, I went through the complete list of domains listed at https://support.apple.com/en-us/HT210060 and noted the differences.

    In short, it appears that the default exemption rule for Apple Update does capture many of the domains listed.  There are a few that are missed.  I didn't add all the missed domains but picked a few that looked important such as:

    • *.icloud.com
    • *.apple-mapkit.com
    • *.axm-usercontent-apple.com
    • *.apple-cloudkit.com
    • *.entrust.com
    • *.digicert.com
    • *.apple-livephotoskit.com
    • *.apzones.com
    • *.icloud-content.com
    • *.networking.apple

    I created another exemption rule with regex listings for each of those domains.  Both Apple Music and Apple TV+ came up.  I've been streaming a movie for about 50 minutes which is 3x longer than I've managed previously.  I would say that this issue is now solved (until the next server list update from Apple).

    For my purposes, it would have been very handy to have been able to provide a network range instead of regex values since I could have just entered the entire Apple block of 17.0.0.0/8 and be done with it (like I did for the firewall rule).

    Thank you all for your suggestions.

  • Well, it seems that Apple is determined to prevent me from accessing any paid content.

    Last night, the movie Finch intermittently started and stopped every 10 minutes so I stopped watching it.  Today things seemed to work fine as I managed to finish watching Finch but then it and Apple Music/iTunes became unavailable and remain so.

    Going through the logs there isn't a single blocked packet anywhere from any device.

    The only thing that I can think of is I am missing something in my TLS exclusion list.  I cannot see what I could be missing.  Here is my list:

    I likely have too many domains listed, but I have no way of knowing which ones are critical for streaming.

  • Hi,

    what you are experiencing is that the applications do not like the packets being decrypted; there is no packet drop.

    For my Apple rules I use the web proxy, I tried using SSL/TLS and had too many failures. Also I do limit the number of ports that can be accessed and modify the list when a failure occurs. 

    Ian

  • Ok, to summarize:

    I created a firewall rule for all traffic to the Apple IP address range since every device in the house can access Apple TV+.  In that rule I set "Web Filtering" to "None", "App Control" to "None" and "IPS" to "None".  This should mean that none of those security options are deployed (therefore no SSL/TLS) on the Apple IP address range.

    The logs seem to show that while a number of connections are made to the Apple IP address range, those addresses are not used for streaming.  It appears that Apple uses Akamai, AWS and a variety of other services for streaming.  Those servers are then caught by my standard LAN to WAN firewall rule which employs web filtering and will involve SSL/TLS scanning.  If those servers don't like their packets scanned, that would lead to issues.

    I don't know how to capture all the possible servers Apple might be using for streaming in order to put them into my Apple Service firewall rule.  Instead, it is likely best to just disable SSL/TLS inspection.  Or am I missing something?
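The two-rule layout described in this thread (an inspection-free rule for the Apple 17.0.0.0/8 block, with everything else falling to a general rule that TLS-inspects unless the SNI matches a wildcard exemption) can be audited against connection records before changing the firewall. This is an added example, not code from the thread or from Sophos; it assumes that a wildcard like `*.icloud.com` covers subdomains only, and the connection records are constructed.

```python
import ipaddress
import re

# Apple IPv4 block and a few of the wildcard FQDNs quoted in the thread.
APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")
WILDCARD_EXEMPTIONS = ["*.icloud.com", "*.apple-cloudkit.com", "*.icloud-content.com"]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn a wildcard FQDN such as '*.icloud.com' into an anchored regex.

    Escaping the dots and anchoring both ends matters: an unanchored
    'icloud.com' would also match 'icloud.com.evil.example'.
    Assumption: '*' stands for one or more labels, so the bare apex
    'icloud.com' is NOT matched.
    """
    escaped = re.escape(pattern).replace(r"\*", r"[^.]+(?:\.[^.]+)*")
    return re.compile(rf"^{escaped}$", re.IGNORECASE)


EXEMPT_RES = [wildcard_to_regex(p) for p in WILDCARD_EXEMPTIONS]


def sni_is_exempt(sni: str) -> bool:
    """True if the TLS SNI would be skipped by the SSL/TLS inspection exemption."""
    return any(r.match(sni) for r in EXEMPT_RES)


def classify(dst_ip: str, sni: str) -> str:
    """Which path a flow takes: Apple IP rule, exempt SNI, or full inspection."""
    if ipaddress.ip_address(dst_ip) in APPLE_BLOCK:
        return "apple-rule (no inspection)"
    if sni_is_exempt(sni):
        return "general-rule, SNI exempt from TLS inspection"
    return "general-rule, TLS inspected"


# Constructed sample flows (not real log data): one to Apple's own block,
# one CDN-hosted host covered by a wildcard, one CDN-hosted host that is not.
SAMPLE_FLOWS = [
    ("17.253.144.10", "gs.apple.com"),
    ("23.45.67.89", "p12-content.icloud.com"),
    ("52.1.2.3", "streaming.cdn.example.net"),
]


def audit(flows):
    """Return (dst_ip, sni, verdict) for each flow so the gaps are visible."""
    return [(ip, sni, classify(ip, sni)) for ip, sni in flows]


if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(*row, sep="  ")
```

The third sample flow is the case the post describes: a streaming host outside 17.0.0.0/8 whose name matches no exemption, so it lands in the inspected path.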

  • Hi,

    here is my Apple access firewall rule.

    The above rules seem to work for most sites on the AppleTV; I haven't tried them all. The rule sits above the general access to the internet rule.

    Ian

  • Thank you for sharing Ian,

    This is both interesting and confusing since your rule appears identical to mine.  I will take a detailed look at this tomorrow.

  • I forgot to add the FQDN configuration.

    I have a FQDN group which comprises two wildcard FQDNs.

    As best as I can determine these cover all Apple sites (today).

    Ian