We'd love to hear about it! Click here to go to the product suggestion community
I have followed this https://community.sophos.com/kb/en-us/125061
and still I can't get netflix to work, why? only works when I disable web scanning in the rule number 6
In reply to TheBalmasque:
I've been doing a little more investigation with my Sony TV, and an Apple TV device.
Firstly, the specific issue with Web scanning and Netflix video playback revolves around malware scanning. Netflix video streaming happens over HTTP. It makes extensive use of byte range requests via the Range: HTTP header. These are not compatible with HTTP malware scanning. XG does try to automatically make exceptions to this when we know it's streaming media traffic, but unfortunately Netflix traffic is very hard to distinguish from regular traffic. This is made harder because the Smart TV Netflix video streaming app uses IP addresses in the URL instead of a hostname, and provides no other HTTP headers to go on.
If malware scanning is disabled, Netflix works fine.
We can't disable malware scanning for all traffic of course. One way to do this for Netflix traffic alone by specifying traffic in a firewall rule, using FQDN objects to try and pick up any IP addresses associated with the various Netflix domains, and disabling HTTP scanning. But as you've found, it doesn't always work.
For FQDN objects to work, there has to be a DNS lookup for the corresponding domain that returns the IP address. I spent some time capturing traffic between my TV and my XG firewall today, and found that much of the time, there were NO DNS responses corresponding to the IP addresses that Netflix used to get video content. In some cases, those IPs were already recorded against the FQDN object on my XG, but I can only assume that's because some other Netflix client (a web browser, maybe, or a mobile app) accessed the content in a different way.
So I think the reason why you're finding it doesn't always work, is that the TV must be getting the IP addresses provided directly from other Netflix transactions and not DNS. If you watch the traffic generated by the Netflix app, there is also a lot of HTTPS traffic that is presumably powering the menu system and controlling access to the content.
What I did notice was that URLs used to access the video playback were pretty consistent in format. They look like this:
Another way to skip malware scanning is to use a Web Exception. Web exceptions can use regular expressions to match URLs. When I created an exception that excludes scanning for the following regular expression, I was able to watch Netflix videos again, regardless of whether the IP address was known or not:
This expression matches any URL with four 1-3 digit numbers in the hostname part, and also matches the first three parameters in the URL.
Perhaps this will help in your case?
In reply to RichBaldry:
In reply to Michael Dunn:
@RichBaldry : Thank you very much for your investigation. I didn`t know the FQDN objects are "learing" new ip adresses when an other device access Netfilx, very interesing.
@Michael Dunn: Hello, sorry i dont understand the following phrase: On the XG command line, run the following.
What command should i run to to restart the IP collection service?
Tomorrow i will try to follow your steps. Thank you very much in advance.
Sorry, must have forgotten to paste in the command. I edited the above post.
service -ds nosync fqdnd:restart
This is a service that watches all DNS requests, learning new IP addresses on an FQDN and putting it into a memory cache. This is cleared if you restart the service. This will watch all DNS requests, so if your TV, your phone, and your computer all do DNS requests to Netflix, it learns them all. In testing this, in order to be pure, try to only do one device at a time. This service does not know anything about DNS requests that occur before it started. Therefore if you start Netflix on your TV, which does DNS requests, then reboot your XG, the XG will not know about any of the DNS that the TV did. In THEORY the TV should be using the TTL (time to live) to re-do the DNS requests periodically, so that over time the XG learns all the IPs, even ones that are from before it booted. One GUESS is that the TV is doing DNS requests and caching the results a really long time so that the XG never learns them. That is why I want a full power cycle of the TV, to try to force it to do the DNS requests while the XG is monitoring.
Thank you for the command line. It worked for me. All adresses are gone and now they are collecting again.
Under *.nflxvideo.net now there is 1 IP adress:
I started with Test 1:
With my range exceptions it worked. All videos go through without any errors. When i turn of my exeptions the videos didnt start anymore with an error message from netflix.
Here are some logs:
There are some IP-adresses from my range exception like 220.127.116.11. This ip-adress is not coverd by the netflix fqdn-objects.
As you see there is a lot traffic in FW 2.
When i go to the logs i see the following:
There are several hits for the firewall ID3 which is my http-scanning rule. I dont see the FW 2 logs even there is traffic encountered.
I am having the same problem connecting to Netflix from Roku devices.
If I add the Sophos XG v16 web exceptions, it works fine. The second I turn them off, to test the v17 fix...it kills Netflix (only my Roku devices).
In reply to Joshua Mallow:
I think the main problem is, that there are some IP-addresses (like 18.104.22.168) not associated with the netflix fqdn-objects.
But i'm excited to hear some new infos from the Sophos team.
The problem does seem to be on the collection of IP addresses into FQDN objects. I'm trying to get an expert in this area to take a deeper look.