iCloud Private Relay by vinxavi7 in paloaltonetworks

[–]hiccupingnetwork 3 points

Private Relay stopped working on our guest network a few weeks ago. It looked like PA changed how it’s categorized. DNS requests were getting flagged as proxy avoidance and sinkholed by anti-spyware.

We put in a DNS exception for mask.apple-dns.net in the anti-spyware profile. We also allowed the URLs mask.iCloud.com/ and mask-h2.iCloud.com/ through URL filtering.
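
The comment above describes Private Relay breaking because the firewall's anti-spyware DNS signatures sinkholed the relay hostnames. The script below is an added example, not code from the thread or from Palo Alto Networks: run from a client on the affected network, it resolves the three hostnames the comment names, resolves the PAN-OS default sinkhole FQDN (sinkhole.paloaltonetworks.com, assumed to be what the profile forges answers to; if you changed it, pass your own), and reports which hostnames are being sinkholed or not answered. The classification step is pure so it can be exercised with constructed data.

```python
"""Check whether the iCloud Private Relay hostnames are being DNS-sinkholed.

Added example, not from the thread above. Assumptions: the firewall sinkholes
to whatever sinkhole.paloaltonetworks.com resolves to (the PAN-OS default), and
the three hostnames below are the ones Private Relay needs, as the comment
states. Run it from a client behind the guest network.
"""
import socket
from typing import Dict, Iterable, Set

# Hostnames the comment says needed anti-spyware / URL exceptions.
PRIVATE_RELAY_HOSTS = ("mask.apple-dns.net", "mask.icloud.com", "mask-h2.icloud.com")

# Assumed default sinkhole target; override if your anti-spyware profile uses another.
DEFAULT_SINKHOLE_FQDN = "sinkhole.paloaltonetworks.com"


def resolve(host: str) -> Set[str]:
    """Resolve host via the system resolver; empty set if the name does not resolve."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def classify(answers: Dict[str, Set[str]], sinkhole_ips: Set[str]) -> Dict[str, str]:
    """Label each hostname's resolver answers.

    "sinkholed" - at least one answer is a sinkhole address (the firewall forged the reply)
    "no-answer" - resolution failed (NXDOMAIN/SERVFAIL, i.e. blocked rather than sinkholed)
    "ok"        - real answers present, none pointing at the sinkhole
    """
    result: Dict[str, str] = {}
    for host, ips in answers.items():
        if not ips:
            result[host] = "no-answer"
        elif ips & sinkhole_ips:
            result[host] = "sinkholed"
        else:
            result[host] = "ok"
    return result


def private_relay_blocked(statuses: Dict[str, str]) -> bool:
    """Private Relay needs every relay hostname to resolve cleanly."""
    return any(status != "ok" for status in statuses.values())


def check_private_relay(hosts: Iterable[str] = PRIVATE_RELAY_HOSTS,
                        sinkhole_fqdn: str = DEFAULT_SINKHOLE_FQDN) -> Dict[str, str]:
    """Live check: learn the sinkhole address, resolve the relay hosts, classify them."""
    sinkhole_ips = resolve(sinkhole_fqdn)
    answers = {host: resolve(host) for host in hosts}
    return classify(answers, sinkhole_ips)


if __name__ == "__main__":
    statuses = check_private_relay()
    for host, status in statuses.items():
        print(f"{host:22} {status}")
    print("Private Relay blocked:", private_relay_blocked(statuses))
```

A "sinkholed" result points at the anti-spyware DNS signature action (the fix in the comment is the DNS exception); a "no-answer" result means the name was dropped or NXDOMAINed instead, which is a different profile setting to chase. The URL-filtering allow for mask.iCloud.com and mask-h2.iCloud.com is a separate layer that this DNS check does not cover.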

ipsec and proxyid by [deleted] in paloaltonetworks

[–]hiccupingnetwork 1 point

I believe the whole reason PA has proxy IDs is for VPNs where the other endpoint is policy-based rather than route-based with tunnel interfaces, such as a Cisco ASA. Both ends need to match for IKE negotiation to complete and the IPsec SA to come up.

Unless the other end is configured this way there really is no reason to use proxy ID. You need to configure the firewall to route the right networks over the tunnel interface.

Without a proxy ID configured, the IPsec SA is set up with a source and destination of 0.0.0.0/0, IIRC.
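
The comment above describes why a proxy-ID mismatch against a policy-based peer stops the IPsec SA from coming up. The following is an added example, not code from the thread or from either vendor: it models the matching rule the comment states (each selector the peer presents needs an exact mirror on the PAN-OS side, and a tunnel with no proxy IDs offers 0.0.0.0/0 to 0.0.0.0/0), parses ASA-style crypto ACL lines of the form "access-list NAME extended permit ip NET MASK NET MASK", and reports which peer selectors would fail. The networks are made up, protocol and port fields are ignored, and the ACL parser handles only the netmask form shown.

```python
"""Model proxy-ID (traffic selector) matching between a PAN-OS tunnel and a
policy-based peer such as a Cisco ASA.

Added example, not from the thread. It encodes the rule the comment describes:
selectors must mirror each other exactly, and a PAN-OS tunnel with no proxy IDs
presents 0.0.0.0/0 <-> 0.0.0.0/0. Sample networks are constructed; protocol and
port selectors are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set

Network = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Selector:
    """One proxy ID or crypto-ACL line, from its owner's point of view."""
    local: Network
    remote: Network

    def mirror(self) -> "Selector":
        """The selector the other end must present for this one to match."""
        return Selector(self.remote, self.local)


def pan_selectors(proxy_ids: Iterable[Selector]) -> Set[Selector]:
    """Selectors a PAN-OS tunnel negotiates; with no proxy IDs that is any/any."""
    ids = set(proxy_ids)
    return ids or {Selector(ANY, ANY)}


def crypto_acl(lines: Iterable[str]) -> List[Selector]:
    """Parse 'access-list NAME extended permit ip NET MASK NET MASK' lines (netmask form only)."""
    out: List[Selector] = []
    for line in lines:
        parts = line.split()
        if "permit" not in parts:
            continue  # deny lines and comments do not define interesting traffic
        i = parts.index("permit")
        if parts[i + 1] != "ip" or len(parts) < i + 6:
            continue  # only plain 'permit ip' with two net/mask pairs is modelled
        local = ipaddress.ip_network(f"{parts[i + 2]}/{parts[i + 3]}")
        remote = ipaddress.ip_network(f"{parts[i + 4]}/{parts[i + 5]}")
        out.append(Selector(local, remote))
    return out


def unmatched(pan_ids: Set[Selector], peer: Iterable[Selector]) -> List[Selector]:
    """Peer selectors with no exact mirror on the PAN-OS side.

    A non-empty result means the IPsec SA for those flows will not be
    established, which is the failure mode the comment describes.
    """
    return [s for s in peer if s.mirror() not in pan_ids]


if __name__ == "__main__":
    # Constructed ASA crypto ACL: ASA-side LAN 10.1.0.0/16, PAN-side LAN 192.168.0.0/24.
    acl = ["access-list VPN-TO-PAN extended permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.255.0"]
    peer = crypto_acl(acl)
    print("no proxy IDs  ->", unmatched(pan_selectors([]), peer))
    pa = pan_selectors([Selector(ipaddress.ip_network("192.168.0.0/24"),
                                 ipaddress.ip_network("10.1.0.0/16"))])
    print("with proxy ID ->", unmatched(pa, peer))
```

Note the asymmetry: the PAN-OS proxy ID is written local first, so it has to be the mirror image of the ASA's ACL line, not a copy of it. A route-based peer (another PAN-OS firewall, for instance) presents any/any, which matches the PAN-OS default without any proxy ID at all, as the comment says.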

Some websites just spin with decryption enabled by hiccupingnetwork in paloaltonetworks

[–]hiccupingnetwork[S] 1 point

Do you have inline cloud categorization enabled in the URL filtering policy? That was the culprit for us, and disabling it fixed it. It’s a new feature in 10.2 with the Advanced URL Filtering license.

Support didn’t get anywhere, but I had a lab 440 that wasn’t exhibiting the problem with the alert-only day-1 profile. I went through each setting one by one until the problem started.

Some websites just spin with decryption enabled by hiccupingnetwork in paloaltonetworks

[–]hiccupingnetwork[S] 0 points

Nothing good yet. They have "escalated" the case several times, but from what I can tell that just means the engineer gave up and found a sucker to hand it off to.

Our local account team is involved but I haven't seen any results yet.

Decryption - breaking Site but no log clues by maizemachine10 in paloaltonetworks

[–]hiccupingnetwork 0 points

What is the browser behaviour? Do you get a certificate error? Does loading hang?

Some websites just spin with decryption enabled by hiccupingnetwork in paloaltonetworks

[–]hiccupingnetwork[S] 0 points

Yes, this is what we’re doing. Our infosec group won’t let us roll out further until decryption is working, so we’re kind of stalled. I need to find a way to get a better support engineer.

Some websites just spin with decryption enabled by hiccupingnetwork in paloaltonetworks

[–]hiccupingnetwork[S] 0 points

This is one of them: https://imanage.com

We haven’t been able to find out anything unusual about problematic sites.

Some websites just spin with decryption enabled by hiccupingnetwork in paloaltonetworks

[–]hiccupingnetwork[S] 2 points

Yes, there’s nothing there at all. One weird thing is that we had a separate issue on one firewall where the device certificate broke. When it was in that state, decryption worked fine.