
Playstation 4 Pro not able to download

I just got a PS4 Pro yesterday and got it hooked up and some network features work fine, but I am not able to download an update to a game disc I bought or download games from Playstation Plus.  I have found some articles to configure my UTM (version 9.408-4).  I have set up a web filter exception for my static IP assigned PS4 going to these websites.  I even tried disabling the web filter for a time to test if that was the cause.

^https?://([A-Za-z0-9.-]*\.)?playstation\.net/
^https?://([A-Za-z0-9.-]*\.)?playstation\.com/
^https?://([A-Za-z0-9.-]*\.)?playstation\.org/
^https?://125\.199\.254\.51
^https?://198\.107\.*\.*
^https?://184\.84\.65\.*
^https?://173\.230\.216\.*
^https?://50\.19\.100\.125
^https?://209\.251\.*\.*
^https?://([A-Za-z0-9.-]*\.)?loris-e\.llnwd\.net/
^https?://([A-Za-z0-9.-]*\.)?playstation\.de/

In the firewall live log there is a lot of traffic from several IPs trying to come in on port 443 and going to several different ports from around 45000's to 65555's.  I have the PS4 allowed to all ports going out, but I'm not sure why all this traffic appears to be originating from outside and all going to 443 directed to the PS4 static IP.  I have created almost 70 NAT rules pointing any traffic from outside going to 443 and redirecting it to each individual port that I see in the Live Log.  It is still not working.  There has to be a better, more secure way to do this.  Has anyone else done something to get this to work?  Let me know any other questions you have about my config if that will help.
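
An added example, not part of the original post: a small audit of four of the exception patterns listed above, showing that the IP-based ones are prefix matches that also exempt unrelated hostnames from filtering, next to tightened forms. It assumes Python's `re` behaves like the UTM's regex engine for these simple patterns; the test URLs and the tightened patterns are constructed for illustration.

```python
import re

# Four of the exception patterns exactly as posted above.
POSTED = [
    r"^https?://([A-Za-z0-9.-]*\.)?playstation\.net/",
    r"^https?://198\.107\.*\.*",
    r"^https?://184\.84\.65\.*",
    r"^https?://50\.19\.100\.125",
]

# Tightened forms suggested by this example (not from the thread).
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"   # one decimal octet, 0-255
END = r"(?::\d+)?(?:/|$)"                  # optional port, then path or end of URL
TIGHT = [
    POSTED[0],                             # already stops at the host boundary
    r"^https?://198\.107\." + OCTET + r"\." + OCTET + END,
    r"^https?://184\.84\.65\." + OCTET + END,
    r"^https?://50\.19\.100\.125" + END,
]

# Constructed URLs the exceptions are meant to cover.
INTENDED = [
    "https://dl.playstation.net/update.pkg",
    "https://198.107.1.2/update",
    "http://184.84.65.10/file.pkg",
    "https://50.19.100.125/",
]
# Constructed URLs that should stay subject to the web filter.
UNINTENDED = [
    "http://198.107.example.test/",         # "\.*" is "zero or more dots", not an octet
    "http://184.84.65.example.test/",
    "https://50.19.100.125.example.test/",  # no anchor after the last octet
    "https://playstation.net.example.test/",
]

def audit(patterns):
    """Return (intended URLs nothing matches, unintended URLs something matches)."""
    def hit(url):
        return any(re.search(p, url) for p in patterns)
    missed = [u for u in INTENDED if not hit(u)]
    leaked = [u for u in UNINTENDED if hit(u)]
    return missed, leaked

if __name__ == "__main__":
    for name, pats in (("posted", POSTED), ("tightened", TIGHT)):
        missed, leaked = audit(pats)
        print(f"{name}: missed={missed} leaked={leaked}")
```
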



  • There are two ways to handle this:

    1.  Create a physically separate wifi network and then put that entire wifi network into the proxy bypass area of the web protection of the UTM.

    2.  Assign your PlayStation a static IP inside the UTM and put it inside the proxy bypass area of the web protection.

      

    I have a guest wifi network on its own interface where my IoT lives (phones, TVs, consoles, mobile devices, etc.) and that is where all of this stuff lives.  You simply cannot build enough exceptions into the proxy for it to work correctly for a variety of reasons.  The biggest one is that the HTTP proxy has a DNS issue that prevents proper reverse resolution of IP addresses.  Because IP addresses do not always get properly resolved by the proxy, categorization fails and the exceptions will not work.  As the IP addresses of the various CDN nodes you get your data from change, this causes your exceptions to be non-effective.  I have a more than 1 year ticket going with Sophos on this but I have been told multiple times I am wrong despite proof I am correct.  I have since given up, as the last time I asked a question to the technical support folks it has gone unanswered for more than 2 years with Sophos repeatedly closing the ticket.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • It is getting its IP through DHCP on the UTM but it is static.  I just want to make sure I am understanding your option 2 correctly.  Are you meaning the transparent mode skiplist?  Does it need to be Source or Destination?

    SETEC Astronomy

  • Both.

    Owner:  Emmanuel Technology Consulting



  • I got the PS4 added to the Source and Destination Transparent Mode Skiplists, but I'm still unable to download from the PS4.  Did I miss something?  I disabled all the NATs I had created previously.

    SETEC Astronomy

  • OK, so bring up the web proxy livelog and try to download from the PS4 again and post what you see, which should be nothing for the PS4.  If you DO see something from the PS4, something is not configured correctly.

    Owner:  Emmanuel Technology Consulting


  • It is working and the transparent mode skip list is what corrected it.  The files had been corrupted on the PS4 but it just kept saying can't download.  I deleted the files and started over and they downloaded fine with only the skip list configured.  Thanks for the help!

    SETEC Astronomy

  • I just ran across something else.  I moved the scan file size to 5 so the system does not scan anything larger than 5 megabytes.  That didn't help, but watching the logs the proxy was now throwing IPv6 DNS errors.  Once I disabled ALL, and I mean ALL, of the regex exceptions, Netflix, downloads and just about everything else I could test at this hour worked.  Try this configuration and let me know what you find.  I am going to remove the guest network from the proxy bypass and try this again.  I will report back tomorrow when I have time to test when it isn't so late. :)

    Owner:  Emmanuel Technology Consulting


  • Well, unfortunately that was short lived.  I wound up having to disable A/V on the guest network for Netflix to run properly.  I do not have the guest network in the proxy bypass area... yet.  I still have my exception off as part of my testing to see what is going on with the proxy right now.

    Owner:  Emmanuel Technology Consulting
