Noticed a lot of DNS requests being treated as threats. Come to find it’s related to Apple’s iCloud Private Relay. Should I be adding this as a DNS exception in my Anti-Spyware policies?
Same, all of our iCloud private relay users started reporting major connectivity issues, even without URL filtering & threat protection. Started roughly ~3-4 weeks ago.
We recently ran into this. Caused iPhones and iPads to have issues across the whole site.
The answer is going to depend on your environment. Apple DNS and iCloud Private Relay are proxy/avoidance software, Palo is telling the truth there.
In our environment, we were comfortable with the possible security risk.
We block private relay. Users are prompted to turn it off for our wifi when they connect. Depends on what you want to do with it.
Trying to track down some intermittent connectivity issues with a couple of Mac users so may put in an exception for them and see if it clears their issues.
I’ve had three customers reporting issues today with this. Not sure if root cause is PANW or Apple update
We noticed this as well. Mask.apple-dns.net was flagged and caused our Prisma gateways to crash. We don’t use Private Relay, but apple devices sure as shit use it even when it’s not enabled. We were seeing roughly 4 million hits per day. We had to exempt it from the flags to restore functionality. The change on Palo’s side was made 1/31.
Private relay stopped working on our guest network a few weeks ago. It looked like PA changed how it’s categorized. DNS requests were getting flagged as proxy avoidance and sinkholed by anti spyware.
We put in a DNS exception for mask.apple-dns.net in the anti spyware profile. We also allowed urls mask.iCloud.com/ and mask-h2.iCloud.com/ through url filtering.
Seeing the issue this week!
Same here. Also, iCloud hitting the PAN EDL for malicious IPs.
I think you can use your MDM to disable Private Relay on company WiFi (per-SSID). If not, users can just turn it off in the WiFi settings.
Same, I added the domain to the exception list. In my network all the iPhones are user devices on a separate network, so I don’t care so much about blocking that.
Adding DNS exceptions to the Anti-Spyware profile is the solution that allows iCloud Private Relay to function as intended.
However, depending on the use case you might find it more appropriate to have the iPhones/iPads not use Private Relay at all so you can continue to inspect traffic (K-12, for example).
Apple has published guidance on how to do it:
https://developer.apple.com/icloud/prepare-your-network-for-icloud-private-relay/
Make the following resolve to NXDOMAIN or “NOERROR no answer”
Easiest way is to just create empty zones in your company/org DNS server for those two exact FQDNs. Don’t create an empty zone for apple.com (or you’ll break a bunch of other Apple services), just those two FQDNs.
Am doing it. Works well.
iPhones/iPads notice quickly instead of users experiencing weird timeouts/slowness with browsing and using the Mail app. When the phone notices (quickly), it prompts the user to “load content anyway” given that Private Relay is no longer available.
If it is guest or un-managed devices we don’t do much filtering.
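Added example (not from the thread, Apple, or Palo Alto): a small checker for confirming that an internal resolver actually answers the two Private Relay hostnames the way Apple's guidance asks for, i.e. NXDOMAIN or NOERROR with an empty answer section, which is what the empty-zone approach above should produce. It builds a raw DNS query, classifies the reply from the 12-byte header (RCODE and ANCOUNT), and also includes constructed sample replies so the classifier can be exercised offline. The hostnames are the two named in the thread and in Apple's guidance; the resolver address passed on the command line is whatever you want to test.

```python
"""Verify that a resolver suppresses iCloud Private Relay hostnames.

Apple's guidance: mask.icloud.com and mask-h2.icloud.com should resolve to
NXDOMAIN or "NOERROR, no answer". This script checks a resolver for exactly
that, using raw DNS packets so nothing beyond the standard library is needed.
"""
import socket
import struct
import sys

# The two FQDNs named in Apple's Private Relay network guidance.
PRIVATE_RELAY_HOSTS = ("mask.icloud.com", "mask-h2.icloud.com")


def build_query(name, qtype=1, txid=0x1234):
    """Encode a minimal DNS query: header (RD set) + one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def classify_response(data):
    """Classify a raw DNS reply by RCODE and answer count.

    Returns 'nxdomain', 'noerror-no-answer', 'answered' or 'other'.
    Only the fixed 12-byte header is needed for this decision.
    """
    if len(data) < 12:
        return "other"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode == 0:
        return "answered" if ancount > 0 else "noerror-no-answer"
    return "other"


def private_relay_suppressed(kind):
    """True when the reply kind matches what Apple's guidance asks for."""
    return kind in ("nxdomain", "noerror-no-answer")


def query_resolver(name, resolver_ip, port=53, timeout=2.0):
    """Send one UDP query to the resolver and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, port))
        data, _ = sock.recvfrom(512)
    return classify_response(data)


def check_resolver(resolver_ip):
    """Map each Private Relay hostname to its reply classification."""
    return {host: query_resolver(host, resolver_ip) for host in PRIVATE_RELAY_HOSTS}


def sample_reply(rcode, ancount, name="mask.icloud.com"):
    """Constructed reply for offline testing: QR/RD/RA set, given RCODE/ANCOUNT.

    The answer section itself is omitted; the header is all the classifier reads.
    """
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, ancount, 0, 0)
    return header + build_query(name)[12:]


if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for host, kind in check_resolver(resolver).items():
        verdict = "OK (Private Relay disabled)" if private_relay_suppressed(kind) else "NOT blocked"
        print(f"{host}: {kind} -> {verdict}")
```

Run it as `python3 check_relay.py <resolver-ip>` from a client on the network in question; both hostnames should report `nxdomain` or `noerror-no-answer`. An `answered` result means the empty zone is not in effect for that client, which is the situation where devices fall back to the slow-timeout behaviour described above rather than the prompt to load content anyway.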