Netflix 4K and v17

Ugh! Been having problems on my LG OLED Netflix app. 1080p worked fine but when I viewed 4K it would get about 15+ mins into a show and then start giving an error. If you tried to resume it would play about 3 secs and error again. FINALLY traced it to v17 (MR2 or MR3). I had Web Filter: Allow All. As soon as I changed it to None it worked fine. Tried the Netflix exception and still had the problem. I had been running v16.05 until v17 MR2 came out and had no problems. Weird.

  • In reply to Michael Dunn:

    It sometimes happens during runtime when one of the big players updates their CDNs, for example. This happens quite often with Netflix when streaming videos that might not be cached in locations nearby but in the US, for example.

     

    My FW has been running for 14 days and has already built up a cache of 10438 IPs. (Apple iCloud, Amazon Video, Netflix, Whatsapp and some iOS Apps)

    When "debugging" strange behavior in blackboxed clients this is often a bit confusing with the way it works right now.

    It's simply not working as reliably as the web exceptions, although it seems to work way faster than a huge list of regex hosts and it's a very nice feature. (And IMHO that's why this thread occurred.)

    Although I cannot give a suggestion on how to improve this behaviour. I can confirm your opinion that keeping the cache won't be a solution...

  • In reply to Dom Nik:

    I am lost on the logic of fqdn. Cache TTLs shouldn't have any effect on firewall behavior and yet it does. I thought the main reason to go with fqdn instead of application control was due to the fact that app control needed a few packets to classify an application which could then potentially bypass the firewall or get blocked while those initial packets are being sniffed. https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-issues-bugs/96984/xg-beta2-rc1-netflix-no-longer-working-with-beta-1-no-problems/352410#352410 

    I have always said fqdn is a bandaid to the problem and clearing the cache by restarting the firewall or restarting the DNS service and not taking into account that TTL (if the client decides to cache something longer than the assigned TTL) creates too many problems. I suppose a workaround could be to make the fqdn entries static to overcome the reboot/service restart cache flush but most cdns these days have TTL of 5 minutes already so I don't know how to fix this. 

    I still think layer7 should be doing this and not DNS.

  • In reply to Billybob:

    Hi Billybob
     
    Application control sees the video stream as a video stream.  I don't think it detects it as the NetFlix application.  I've looked at it - the HTTP requests don't even have a User Agent that declares itself to be NetFlix, there is very little at the layer7 that can tell this is NetFlix (and not some other video stream).
     
    However even if it were detected as NetFlix, currently there is no way for application control to "potentially bypass the proxy" (as you put it) or change web policy.  We do not currently have a way of saying "If the application is NetFlix then turn off Web Proxy antivirus scanning" or "then allow the traffic through the firewall skipping the web proxy"  which is what would be needed.
     
    So layer7 (eg deep packet inspection) cannot detect the Netflix video stream and even if it can, we cannot build a rule around it (though with some changes it might be possible).
     
     
    The UTM has had "DNS Host" and "DNS Group" for a long time.  Admins create an object that collects IP addresses.  Then they go to the Transparent Mode Skiplist and add the DNS Group object.  This basically creates a hidden firewall rule that allows the traffic without going through the proxy. 
     
    The XG is doing the exact same thing.  There are two differences.  One is that rather than a "transparent mode skiplist" they need to explicitly create the firewall rule.  The other difference is that after v17 it will allow wildcards in the hostname.  UTM and XG v16 were limited to "www.netflix.com" while v17 allows "*.netflix.com".
     
    Anyone who is happy with using the UTM's "transparent mode skiplist" should be happy with this feature - it is configured differently but it ultimately does the same thing while being slightly more powerful with wildcard support.
     
    AFAIK (and I'm not an expert here) the DNS TTL is not an issue.  The client (eg TV) has the same DNS TTL, so after a 5 minute TTL the client does another DNS request which refreshes both the client and the XG.

  • In reply to Michael Dunn:

    Michael Dunn
    Application control sees the video stream as a video stream.  I don't think it detects it as the NetFlix application.  I've looked at it - the HTTP requests don't even have a User Agent that declares itself to be NetFlix, there is very little at the layer7 that can tell this is NetFlix (and not some other video stream).

    ... So layer7 (eg deep packet inspection) cannot detect the Netflix video stream

     

    And yet SG sees this as netflix doing layer7
    Heck even a chinese router knows what netflix is
    and we are running NGFW that doesn't know netflix and thinks it's file transfer? Wasn't the reason for moving from iptables to snort openAppID to get better control and more insight into the traffic? What's the point of having synsec, snort openAppID, and being called NGFW if the firewall doesn't know netflix? If I have to run an agent on my endpoint and then say foo is generating netflix traffic then we are not moving forward at all and my firewall with all its bells and whistles is as dumb as a 15 year old NAT router. 
     
    Sorry for being completely off topic but just because XG can't do it doesn't mean it can't be done. 
     
    Edit: Forgot to add the insight provided by XG on the traffic my roku is generating
      hmmmm, I wonder who is transferring all those files???? Great news, very little streaming media traffic so everyone is being productive.
     Oh never mind, it's roku streaming Netflix or amazon or hulu or who knows what. better start running whois on those IPs that we have in that colorful report
  • In reply to Billybob:

    I think you proved that I'm wrong.  :)  I made a guess that both UTM and XG cannot detect the streams as Netflix, and you showed that at least UTM can.

     

    I'm not an expert in the IPS / App Control stuff - though I know more than average.  All this is sparking some more internal discussion about what we could do.

    I agree that nothing is impossible.

  • In reply to Michael Dunn:

    Hi Michael, first let me apologize for the post above. It comes across as rude and offensive now that I am reading it after a few days. That was definitely not my intent. You are one of the few sophos employees that engage with us on a regular basis and my intention was not to prove you or anyone else wrong. I am always grateful to sophos for the software that they provide and every time I get involved in a discussion, it's with the hope to make the software better for all of us. 

    XG has great potential and I like it more now that I use it as my main firewall. My main complaints about its shortcomings are not because I want to bash sophos or XG in particular, it's because we are not in v5/6 era of astaro where they took a bunch of open source daemons and tied them together with proprietary gui. A few open source firewalls provide functionality pretty close to what SG/XG offers now for free. It's a matter of how much you want to get your hands dirty and of course the av scanning capabilities that only sophos can provide. I don't want sophos to get comfortable and take their foot off the gas while others are catching up. I want cutting edge technology that I know sophos is capable of providing if it focuses on what it does best.

    I am all for new technologies and there is nothing wrong with snort openAppID. I cringe at the fact that sophos already knows how to classify certain things and then they go and try to redo something that has already been done by their own products. This has been happening over and over when you compare SG and XG where it seems that SG never existed and sophos doesn't even know what its own products are capable of.

    Again, thank you for contributing to this forum and I for one always appreciate your feedback and expert insights.

    Regards

    Bill

  • In reply to Billybob:

    No problem - I have often sent things that, when I read them after, did not use the... best tone.
     
    I know little about snort or openAppID or the underlying data that either UTM or XG uses in the packet-sniffing.  I mostly know what the http proxy does.
     
    I also have a particular hate for NetFlix.  They connect directly to IPs, every country has its own list of IPs, they do not use a user-agent, they say the mimetype is "application/octet-stream", and they use range requests.  And because NetFlix is viewed as a "home" application, and it is mostly Home License (eg free) users complaining about it, yet it is also high profile, it has a struggling priority level.
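
Added example, not part of the original thread and not Sophos code: a toy Python model of an FQDN host object that learns IPs from the DNS answers it observes, run through the situations raised above (client inside the TTL, client holding an address past the TTL, a refresh, a cache flush, and a connection to an IP that was never looked up). The class and function names, the TTL-expiry behaviour, the hostname and the RFC 5737 addresses are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase


class FqdnHostObject:
    """Toy model of a firewall FQDN host: IPs are learned from observed DNS answers."""

    def __init__(self, pattern):
        self.pattern = pattern.lower()
        self.learned = {}  # ip -> expiry time in seconds (assumed: entry dies with the TTL)

    def observe_dns_answer(self, name, ip, ttl, now):
        # Only answers for names matching the object populate the IP set.
        if fnmatchcase(name.lower().rstrip("."), self.pattern):
            self.learned[ip] = now + ttl

    def flush(self):
        # Reboot or DNS service restart: every learned address is forgotten.
        self.learned.clear()

    def matches(self, ip, now):
        # The bypass rule applies only while a learned entry is still live.
        return self.learned.get(ip, -1) >= now


def simulate():
    """Return whether the bypass rule matched in five constructed situations."""
    fw = FqdnHostObject("*.netflix.com")
    cdn_a, cdn_b, direct = "198.51.100.10", "198.51.100.20", "203.0.113.5"
    out = {}

    # t=0: client resolves through the firewall (TTL 300 s) and starts streaming.
    fw.observe_dns_answer("cdn1.netflix.com", cdn_a, ttl=300, now=0)
    out["within_ttl"] = fw.matches(cdn_a, now=60)

    # t=350: client keeps using its cached address longer than the TTL.
    out["client_overstays_ttl"] = fw.matches(cdn_a, now=350)

    # t=400: client re-resolves; the firewall sees the same answer and refreshes.
    fw.observe_dns_answer("cdn1.netflix.com", cdn_b, ttl=300, now=400)
    out["after_refresh"] = fw.matches(cdn_b, now=450)

    # t=500: firewall cache is flushed while the client still holds cdn_b.
    fw.flush()
    out["after_flush"] = fw.matches(cdn_b, now=500)

    # Client connects to an address it never looked up through the firewall.
    out["direct_ip"] = fw.matches(direct, now=500)
    return out


if __name__ == "__main__":
    for case, hit in simulate().items():
        print(f"{case:22} bypass rule matched: {hit}")
```

Every case that returns False is traffic that falls through to the normal web filter policy instead of the bypass rule, which is where the mid-stream errors described in the first post would show up.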