PlayStation 4 cannot download updates: Invalid Traffic

Hi all,

I have a problem with my PS4. I cannot download updates for any game since I started using Sophos XG.

I've found the following answer in the board and that definitely was one issue.
https://community.sophos.com/products/xg-firewall/f/web-protection/74816/playstation-4-unable-to-download-updates

According to the post, I've added the suggested URLs to the web exception list.

After that, I was able to download something. But still the PS4 fails to download the remaining 60MB of that update.
I enabled logging and found out that some requests coming from the PS4 (10.0.0.65) are blocked due to invalid traffic.

But I totally do not understand why that is happening, as the rule does allow everything from LAN to WAN for every service anytime.

I have 3 other rules, but I disabled them and the problem still occurs. The additional rules also do not affect LAN to WAN.

Does anybody understand what is happening here and how I can solve it?
As you see in the first screenshot, there are also some allowed packets from the PS4.

thanks,
caldi

  • Have you tried turning off 'Block unrecognized SSL protocols' in Web / Protection?

    I don't know if this will help but it was my first thought :-)

  • In reply to Rick Leslie:

    Thanks for your reply. I was not aware of that setting.
    In fact, "Block unrecognized SSL protocols" is not enabled.

    "Block invalid certificates" was enabled. I disabled it for testing, but got the same result.

  • In reply to Rick Leslie:

    I added the remaining IPs. I had already added most of them, based on the other post in this forum.
    I was not able to add them exactly the way it is described in the post. Sophos says it is not a valid address. I removed the https prefix ...

    Now I have the following exception list:

    • ^184\.84\.65\.*
    • ^50\.19\.100\.125
    • ^209\.251\.*\.*
    • ^([A-Za-z0-9.-]*\.)?playstation\.net/
    • ^198\.107\.*\.*
    • ^125\.199\.254\.51
    • ^([A-Za-z0-9.-]*\.)?loris-e\.llnwd\.net/
    • ^([A-Za-z0-9.-]*\.)?playstation\.de/
    • ^173\.230\.216\.*
    • ^([A-Za-z0-9.-]*\.)?playstation\.org/
    • ^([A-Za-z0-9.-]*\.)?playstation\.com/

    I also would expect that there are some logs for the web filtering, but everything is green here since I added the exceptions.

    But unfortunately, the problem still exists.

  • In reply to caldicot:

    I'm not sure but I suspect that the IP address entries should be listed as:

    184.84.65.*

    50.19.100.125

    209.251.*.*

    Or

    184.84.65.*/*

    50.19.100.125/*

    209.251.*.*/*

    I have tried both types and they are accepted as valid in the exceptions list but I don't have a PS4 to test the results.

  • In reply to Rick Leslie:

    I always thought that these entries were regular expressions.
    If that is true, it would make a difference whether the "." is escaped ("\.") or not.

    Do you think that the problem is related to the web filter?
    I am confused, as I would have expected some log statements in the web filter log. But it seems that the firewall (policies) are blocking these packets. Am I wrong?
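    To see what the posted exception list actually matches, here is a small checker added for illustration; it is not code from Sophos or from anyone in the thread. It assumes the entries are ordinary regular expressions evaluated against the request URL with the scheme removed (which is consistent with the "https://" prefix being rejected), and the sample URLs it checks are constructed, not taken from the thread's logs. It also runs Rick's unescaped variants so the two styles can be compared side by side.

```python
import re

# Exception list exactly as caldicot posted it. This example assumes the
# entries are regular expressions tested against the request URL with the
# scheme removed (an assumption about how XG evaluates them).
POSTED_EXCEPTIONS = [
    r"^184\.84\.65\.*",
    r"^50\.19\.100\.125",
    r"^209\.251\.*\.*",
    r"^([A-Za-z0-9.-]*\.)?playstation\.net/",
    r"^198\.107\.*\.*",
    r"^125\.199\.254\.51",
    r"^([A-Za-z0-9.-]*\.)?loris-e\.llnwd\.net/",
    r"^([A-Za-z0-9.-]*\.)?playstation\.de/",
    r"^173\.230\.216\.*",
    r"^([A-Za-z0-9.-]*\.)?playstation\.org/",
    r"^([A-Za-z0-9.-]*\.)?playstation\.com/",
]

# Rick's unescaped variants, treated as regular expressions as well.
GLOB_STYLE = [
    r"184.84.65.*",
    r"50.19.100.125",
    r"209.251.*.*",
]


def strip_scheme(url):
    """Remove "http://" / "https://" so that ^ in a pattern anchors at the host."""
    return re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", url)


def matching_patterns(url, patterns):
    """Return the patterns that match the URL.

    re.search is used, not fullmatch: an entry only needs to hit somewhere in
    the URL, and the ^ that most entries start with anchors them to the host.
    """
    target = strip_scheme(url)
    return [p for p in patterns if re.search(p, target)]


def is_excepted(url, patterns=POSTED_EXCEPTIONS):
    """True if at least one exception entry matches the URL."""
    return bool(matching_patterns(url, patterns))


# Constructed sample URLs (hypothetical, not from the thread's logs), with the
# result the posted list gives for each one.
SAMPLES = {
    # Host entry: any subdomain of playstation.net, followed by a path.
    "https://gs2.ww.prod.dl.playstation.net/gs2/ppkgo/update.pkg": True,
    # IP entry: "\.*" is zero or more literal dots, so this is a prefix match.
    "http://184.84.65.10/some/update.pkg": True,
    # Unintended hit: the same prefix match also accepts 184.84.650.x.
    "http://184.84.650.10/some/update.pkg": True,
    # The leading ^ keeps a playstation.net path on another host from matching.
    "https://www.example.com/playstation.net/": False,
    # The "/" required after the host stops playstation.net.evil.example.
    "https://playstation.net.evil.example/": False,
}


def check_samples(samples=SAMPLES, patterns=POSTED_EXCEPTIONS):
    """Return the samples whose result differs from the expectation (empty = all as expected)."""
    return [
        (url, expected, is_excepted(url, patterns))
        for url, expected in samples.items()
        if is_excepted(url, patterns) != expected
    ]


if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url}\n    -> {matching_patterns(url, POSTED_EXCEPTIONS)}")
    # Unescaped dots are wildcards: this host has no dots at all and still matches.
    print(matching_patterns("http://184x84x65.example/", GLOB_STYLE))
```

    Two things the output makes visible: in the posted entries `\.*` means "zero or more literal dots", so `^184\.84\.65\.*` behaves as a plain prefix match (and also accepts 184.84.650.x), while in the unescaped form `184.84.65.*` every `.` is a wildcard, so a host such as `184x84x65.example` matches too. Either way these entries are evaluated by the web proxy against URLs; they are not firewall rules, which fits the observation that the web filter log stays green while the drops show up in the firewall log.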

  • In reply to caldicot:

    Hi again caldicot,

    I'm not sure where the problem lies and I've only just started using the XG myself, having used Cyberoam for around 10 years. I just thought I'd suggest a couple of things that I would try but it seems they have been unsuccessful. At this point I would be doing what you are doing and ask the forum for help... Hopefully someone with a deeper knowledge of the XG system will pick this up and be able to help you from here.

  • In reply to Rick Leslie:

    Hello Rick,

    thanks for your help. Your input is of course appreciated.
    I am not too familiar with all that firewall stuff, so I am glad you suggested some things I can test. :-)

    As you said, hopefully someone with more experience will pick it up :-)

    Best

  • Hey,

    the solution with the exclusions didn't work for me.

    I solved the issue by switching Application Filter and Web Filter on #Default_Network_Policy both from "Allow All" to "None".

    Check this, that worked for me.

    Greets

  • In reply to Matthias Roth:

    What is the difference between “Allow All” and “None”? To me it would seem like having a policy set to ‘None’ is the same as ‘Allow All’, but apparently not if it’s causing issues with PS4 downloads.

  • In reply to shred:

    Same situation...

  • In reply to shred:

    I'm not sure, but I found this answer by Michael Dunn. He explains how the policies work.

    https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/83833/web-policy-and-filtering-not-working-at-all/314394#314394

    Maybe it is something that happens when both of the policies are set to "Allow all".

    End of the post by Michael Dunn:

    "EDIT: Update/Clarification.  Web Policy also applies the first rule that matches, whether it is allow or block.  Allow does mean Allow, not "continue processing".  This makes a difference if Rule 1 is allow Document Files and Rule 2 is block Adult sites.  If someone downloads a pdf from an adult site, it will be allowed."

    I'm also new to Sophos XG and firewalls themselves, so I also would like to know why this happens.

    Greetings

  • In reply to shred:

    Did the solutions work for you?

  • In reply to Matthias Roth:

    I know some people don't agree with me, but I am going to ask everyone on this thread: why are you scanning PlayStation traffic? Is there a PlayStation virus out there that you think Sophos is going to protect you against? Are there any PUAs that the PlayStation installs that Sophos protects you against? Do you surf using your PlayStation where you need web filtering to block adult or other sites? If the answer to any of these questions is no, then why are you guys scanning PlayStation traffic with the HTTP scanner or using web categorization/application control?

    Create a simple firewall rule, don't scan HTTP/S, don't do categorization and use a customized LAN to WAN IPS policy. I keep on seeing thread after thread of "my console is not working after this and that" and yet nobody ever says why they are scanning console traffic. I have PlayStations, Xbox, Roku, Amazon Fire Sticks, Nest thermostats, Amazon Echo, various IoT plugs and switches, and all of them function properly and I don't scan any of their traffic for viruses or web categorization. What's the point? If you don't trust a Chinese manufacturer for the websites it may connect to, don't buy that product or block the offending website. Why is all traffic being scanned when it will only affect you negatively and you will hardly get any extra protection by creating more work for yourself?

    Seriously... why are you guys scanning PlayStation Network traffic?

  • In reply to Matthias Roth:

    I actually don’t have a PS4, I’m just trying to understand the difference between selecting “Allow All” vs “None” for a Web Policy, and why selecting “Allow All” would cause issues with your PS4 downloads but not “None”. That post from Michael Dunn explains the first part (difference between the two settings) but it still doesn’t make sense why “Allow All” is affecting your PS4 downloads.

    What I did for my Xbox One is create a firewall rule (above all my other firewall rules) that basically has everything turned off (Scan HTTP, IPS, policies). That way my Xbox One traffic is “unfiltered” to avoid any issues, but the rest of my traffic is still being “filtered” by the default allow LAN to WAN rule settings.