Can you confirm which version of the Firewall you are running?
Does the download process fail immediately or after a period of time? If it's the latter, is it roughly the same each time it fails?
Unfortunately I don't have any Apple products on my own network to perform any comparative testing. However, I regularly download DVD-sized ISOs (I'm assuming that IOS isn't quite that large) without any problem.
My guess is that the update process may be using ports 80 or 443, but isn't adhering to the protocol RFC which is causing the Firewall to deny the connection and for the download to fail. If this is the case I would expect to see "Protocol Violation" audit records appearing when one of these devices tries to perform an update.
Thanks for the response. The version is 7 (I meant to put that in the initial post). It fails after a long period of time, typically at the same point every time for each of the downloads. I start getting a lot of dup ACKs from the firewall, but this link is not congested. Yeah, this is like 100 MB, not a 4 GB ISO. It's using port 80.
My next step is to drop the application defense to none and check it. To your point of the RFC violation, I would think the protocol violation would still be triggered with no application defense and the way around that would be a packet filter? That would be an interesting decision for someone.
No - if you've moved the slider bar in the rule down to the bottom, it should be acting as a packet filter. Therefore the only RFC checks I would imagine it will try to perform is to ensure that it is at least sized and shaped like a TCP packet. Having re-read your response, I get the feeling that it's currently in the middle. As I understand it, this disables the layer-7 side of things, but it will still use a transparent proxy service to handle the connection.
You've said version 7, but not the patch level. You may need to raise a ticket with McAfee support to get to the bottom of this. They may recommend that you install a hotfix, and they'll be able to tell you which one.