Web content filtering breaks Hulu and Netflix.

There are numerous posts with an identical issue.  None have an actual solution, at least not one that Sophos has recommended.  Seems like there should be a checkbox or an easy policy to allow this sort of traffic.  The rules I've seen posted in here seem to be reporting mixed results.  Sophos, please provide DETAILED instructions for allowing Hulu, Netflix, iTunes, Amazon, and any other mainstream streaming services through your HTTP, HTTPS, Malware, Web Content Filters.

Thank you!!!

  • This list did the trick for me.

    ^https?://([A-Za-z0-9.-]*\.)?ne?t?fli?x(img|ext|video)?\.(com|net)/
    ^http?://[A-Za-z0-9.-]*netflix.com/
    ^http?://[A-Za-z0-9.-]*nflximg.com/
    ^https?://([A-Za-z0-9.-]*\.)?nflximg\.com\.?/
    ^https?://([A-Za-z0-9.-]*\.)?nflxvideo\.net\.?/
    ^https?://([A-Za-z0-9.-]*\.)?netflix\.com/
    ^http?://([A-Za-z0-9.-]*\.)?netflix-*.vo.llnwd.net/.*
    ^https?://secure\.netflix\.com/*
    ^https?://uiboot\.netflix\.com/*
    ^http?://23.246.[0-63].*
    ^http?://37.77.1(8[4-9])|(9[0-1])].*
    ^http?://45.57.([0-1][0-1][0-9])|(12[0-7]).*
    ^http?://64.120.(12[8-9])|(1[3-9][0-9])|(2[0-4][0-9])|(25[0-5]).*
    ^http?://66.197.(12[8-9])|(1[3-9][0-9])|(2[0-4][0-9])|(25[0-5]).*
    ^http?://108.175.(3[2-5,8,9])|(4[0-4,6,7]).*
    ^http?://185.2.22[0-3].*
    ^http?://185.9.(188)|(19[0-1]).*
    ^http?://192.173.(6[4-9])|([7-9][0-9])|(10[0-9])|(11[0-7]).*
    ^http?://198.38.(9[6-9])|(10[2-3,8-9])|(11[0-9])|(12[0-5]).*
    ^http?://198.45.(4[8-9])|(5[2-8])|(6[1-3]).*

    IP ranges might change over time. Check them at:

    http://ipinfo.io/AS2906#blocks

  • In reply to JohnnySlos:

    This worked great for me behind a Sophos UTM! Do you have any idea how many hours I've wasted on trying to get a Netflix solution working?! Our fitness center members & after school program staff are going to be stoked!

  • In reply to JohnnySlos:

    Where do you put this exactly? I was under the impression it would go into Protection > Web Protection > Web Content Filter and then down in the HTTP Scanning Rules section by adding a rule but you can't just paste this rule in there.

    I have actually found in the logs it's actually invalid traffic being dropped causing the issue and it's the IPS/IDS causing the issue, but there is no information on the signatures to know what rules to enter.

  • In reply to AnthonyBortolotto:

    Web filtering options > Exception list worked for me. I posted a screenshot in another thread.

  • In reply to JohnSmith5:

    Yeah, UTM is easy. I was looking for XG instructions as it's in the XG category.

  • In reply to AnthonyBortolotto:

    Anthony,

    If you have a Policy where Web Filter is applied and HTTP and/or HTTPS scan is on, you have to edit the web filter and add exceptions in this way:

    https://community.sophos.com/products/xg-firewall/f/129/p/75503/290316#290316


    See the thread above.

    If IPS is blocking that traffic, inside the Log Viewer you see the signature ID matched, so remove that one from your IPS policy. By default all onboard IPS cannot be customized.

  • I take it from reading this that Netflix et al is still broken behind Sophos XG?

    (NOT UTM9, but XG)

    I tried it again and still seems the same issue that was there months and months ago.

    As asked at the start of the post, any chance we can get a step by step solution to get Netflix and so on working with Sophos XG and Webfilter enabled?

  • In reply to psykix:

    I'm running the XG in VMWare and was able to get Netflix working using a combination of tricks.  One was to add URL exceptions to the web filter policy, and the other was to create device user groups and apply a separate policy to that group of devices with all filtering turned off.  This fixed the issues for media devices, and the filter policy fixed it for mobile clients (like an iPhone).  

    I came from the UTM 9 home version, and it has been a bumpy ride converting everything.  I spent weeks becoming familiar with the UTM (which I LOVED) but that 50 IP limit was killing me as I was always just over the threshold with a 5 person family (and I'm an IT engineer so I have lots of gadgets).  Anyway, it is possible to get Netflix working, but it would be nice if the interface made it easier to do so.  I feel like I've had to hack a few things to get basic features to work.  The UTM was a bit more intuitive once you got your bearings.

  • In reply to JoeChurch:

    It works fine, until I enable malware scanning. That's what seems to break it.

    I'll have a play at creating another rule above that one with the malware scanning off for the iOS devices and see what happens.

  • In reply to JohnnySlos:

    I'm having trouble adding Regex as posted by Johnny Slos. I receive error: "Enter valid domain name." https://community.sophos.com/products/xg-firewall/f/129/t/15675#pi394filter=all&pi394scroll=false references the same issue, with Sophos staff suggesting updates. My pattern successfully updates at the default 2 hour interval. Attempting to add HTTPS scan exceptions for Netflix. Sorry to beat a dead horse, but can anyone help out? Thanks,

    Nate

  • Jhawk44:

    Were you able to get this to work?

    --

    Dan

  • In reply to Dan K. Snelson:

    Nope. Still an issue.

  • In reply to JohnnySlos:

    Zombie thread: but I wanted to say that almost a year later, this still works with UTM 9.409-9.  Thanks!

  • In reply to TimothyTrace:

    Same here! On UTM 9.411-3 and we still had the same issue by March 2017. Application Control seems to have absolutely 0 impact on allowing Netflix.

    This list works great. Thanks a lot!

  • I got this working on Sophos XG with both the Netflix App on Android and in the browser with the following regex. It is basically using the same stuff that worked for Sophos UTM with the docco of Sophos XG here: https://community.sophos.com/kb/en-us/125061

    Basically once the http and https bits are removed, the error about an invalid web address goes away and it works fine.

    ^([A-Za-z0-9.-]*\.)?ne?t?fli?x(img|ext|video)?\.(com|net)/
    ^[A-Za-z0-9.-]*netflix.com/
    ^[A-Za-z0-9.-]*nflximg.com/
    ^([A-Za-z0-9.-]*\.)?nflximg\.com\.?/
    ^([A-Za-z0-9.-]*\.)?nflxvideo\.net\.?/
    ^([A-Za-z0-9.-]*\.)?netflix\.com/
    ^([A-Za-z0-9.-]*\.)?netflix-*.vo.llnwd.net/.*
    ^secure\.netflix\.com/*
    ^uiboot\.netflix\.com/*
    ^23.246.[0-63].*
    ^37.77.1(8[4-9])|(9[0-1])].*
    ^45.57.([0-1][0-1][0-9])|(12[0-7]).*
    ^64.120.(12[8-9])|(1[3-9][0-9])|(2[0-4][0-9])|(25[0-5]).*
    ^66.197.(12[8-9])|(1[3-9][0-9])|(2[0-4][0-9])|(25[0-5]).*
    ^108.175.(3[2-5,8,9])|(4[0-4,6,7]).*
    ^185.2.22[0-3].*
    ^185.9.(188)|(19[0-1]).*
    ^192.173.(6[4-9])|([7-9][0-9])|(10[0-9])|(11[0-7]).*
    ^198.38.(9[6-9])|(10[2-3,8-9])|(11[0-9])|(12[0-5]).*
    ^198.45.(4[8-9])|(5[2-8])|(6[1-3]).*
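
Added example, not part of any post in this thread: a check of three entries copied from the first exception list (the scheme-less XG list shares the same IP-range syntax) against constructed URLs, to show where the patterns exempt more or less than intended. It assumes the proxy finds each regex anywhere in the URL, as Python's `re.search` does; the `TIGHTENED` patterns, sample URLs and function names are illustrative assumptions.

```python
import re

# Three entries copied verbatim from the exception list posted above.
POSTED = [
    r"^http?://[A-Za-z0-9.-]*netflix.com/",
    r"^http?://23.246.[0-63].*",
    r"^http?://198.45.(4[8-9])|(5[2-8])|(6[1-3]).*",
]

# Tightened forms of the same entries (added here, not from the thread):
# "https?" so both schemes match, dots escaped, whole-label host match,
# and the octet alternation grouped so "^" and the prefix apply to all of it.
TIGHTENED = [
    r"^https?://([A-Za-z0-9-]+\.)*netflix\.com/",
    r"^https?://23\.246\.([0-9]|[1-5][0-9]|6[0-3])\.[0-9]{1,3}[:/]",
    r"^https?://198\.45\.(4[89]|5[2-8]|6[1-3])\.[0-9]{1,3}[:/]",
]

# Constructed sample URLs: (url, should the exception apply?)
SAMPLES = [
    ("https://www.netflix.com/browse", True),
    ("http://23.246.20.5/range/x", True),
    ("http://198.45.53.10/range/x", True),
    ("http://example-netflix.com/", False),              # different domain
    ("http://23.246.200.9/x", False),                    # octet 200 is outside 0-63
    ("https://files.example.test/build-56.exe", False),  # only contains "56"
]


def is_exempt(url, patterns):
    """True if any pattern is found in the URL (search semantics, assumed)."""
    return any(re.search(p, url) for p in patterns)


def audit(patterns):
    """Return the sample URLs whose exemption differs from what was intended."""
    return [url for url, want in SAMPLES if is_exempt(url, patterns) != want]


if __name__ == "__main__":
    print("posted list mismatches:   ", audit(POSTED))
    print("tightened list mismatches:", audit(TIGHTENED))
```

An exception that matches more than intended also switches off scanning for those URLs, so an allowlist regex is worth running against negative samples before it goes live.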