

v18 - Exclusions by application

Hi Community,

Today I've updated from v17 to v18. I had a first look at DPI and SSL/TLS inspection rules. After that first look, I'm missing one of the two standard SSL/TLS inspection rules: "Exclusions by application". I've found some information about the rule in the community and it was also shown in the video "Firewall Rules in v18", so to my understanding this rule should be there and visible.

How do I exclude applications from DPI scanning? I have a problem using Netflix on my TV. Using DPI I can watch some minutes before it stops. I hope this can be fixed with the missing inspection rule.

Thanks and best regards,

Tim



  • Sophos decided to drop Application for now in SSLx.

    https://community.sophos.com/products/xg-firewall/f/recommended-reads/118245/ssl-tls-inspection-rules-and-synchronized-applications

    For Netflix, the Exception for URL should be enough (Netflix).

  • Good to know, thanks for the information! 

  • Netflix has always had trouble with proxies because Netflix uses range requests, which cannot be virus scanned and are therefore blocked when virus scanning is enabled, and they are poor at identifying themselves as Netflix traffic, which means it is hard to exclude them by default. Please see the pre-v18 KB125061 for more information.
    community.sophos.com/.../125061


    With v18 there is an additional problem. Netflix is using pipelined requests which are not supported by DPI mode. A pipelined request is where the client opens one connection, sends a request and then sends a second request before the reply to the first response arrives. It is not used very often because of poor support and no performance gain when it is supported, and is disabled by default in browsers.

    See here for more information:
    stackoverflow.com/.../why-is-pipelining-disabled-in-modern-browsers

    HTTP pipelines are supported within the traditional web proxy because it does head-of-line blocking, which de-pipelines and forces the requests in order. That means the pipeline doesn't get any performance gain, which is why no one uses pipelining. Except apparently Netflix. Admittedly, streaming video is one area that pipelining may make sense.

    There are currently three workarounds. These were posted in EAP but I never got feedback/confirmation that all three worked. Eventually I will integrate this into the KB.

    1) Create a firewall rule with destination network "Netflix" that does not have any Web policy or malware scan. This is the same configuration as KB125061 (solution 1) but in 17.5 it uses proxy mode and in 18.0 it uses DPI engine.

    2) Create a firewall rule with destination network "Netflix" that has Web policy=Allow All, do not scan for malware, use proxy. This is similar to KB125061 (solution 1) but it makes sure it uses the web proxy and therefore 18.0 behaves like 17.5.

    3) Use existing firewall rules (don't create anything special), that are Use Proxy. Create AV exceptions as per the KB. This is the same as KB125061 (solution 2) just making sure that it uses the web proxy so that 18.0 behaves like 17.5.


    If you have a TV and you don't care about malware scanning any traffic on that device you can use Solution 1 or 2 specifying your TV as the source network instead of the Netflix destination.
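The pipelined exchange described in the reply above, as an added example that is not part of the original thread or of any Sophos code: the client writes two requests on one connection before reading any reply, and the server loop reads everything first and answers strictly in arrival order, which is the head-of-line-blocking behaviour the reply attributes to the traditional web proxy. The host name example.test and the two paths are constructed values.

```python
import socket
import threading

# Constructed example: two HTTP/1.1 requests without bodies, sent back to back.
PIPELINED = (b"GET /first HTTP/1.1\r\nHost: example.test\r\n\r\n"
             b"GET /second HTTP/1.1\r\nHost: example.test\r\n\r\n")

def parse_requests(raw: bytes) -> list:
    """Split a buffer of back-to-back body-less requests into their request targets, in order."""
    targets = []
    for req in raw.split(b"\r\n\r\n"):
        if req.strip():
            _method, target, _version = req.split(b"\r\n", 1)[0].split(b" ")
            targets.append(target.decode())
    return targets

def parse_responses(raw: bytes) -> list:
    """Walk a buffer of concatenated responses using Content-Length to find each body."""
    bodies = []
    while raw:
        head, _, rest = raw.partition(b"\r\n\r\n")
        length_line = next(l for l in head.split(b"\r\n") if l.lower().startswith(b"content-length:"))
        length = int(length_line.split(b":", 1)[1].decode().strip())
        bodies.append(rest[:length].decode())
        raw = rest[length:]
    return bodies

def serve_in_order(listener: socket.socket) -> None:
    """Accept one connection, read until the client stops sending, then answer every request in order."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while chunk := conn.recv(4096):       # head-of-line blocking: nothing is answered early
            buf += chunk
        for target in parse_requests(buf):
            body = f"served {target}".encode()
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body)

def pipeline_demo() -> list:
    """Send both requests before reading anything; return the response bodies in the order received."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))            # ephemeral local port, runs offline
    listener.listen(1)
    server = threading.Thread(target=serve_in_order, args=(listener,))
    server.start()
    with socket.create_connection(listener.getsockname()) as client:
        client.sendall(PIPELINED)              # second request leaves before the first reply arrives
        client.shutdown(socket.SHUT_WR)
        raw = b""
        while chunk := client.recv(4096):
            raw += chunk
    server.join()
    listener.close()
    return parse_responses(raw)
```

Run `pipeline_demo()` to see both bodies come back in request order; a device that depends on interleaved or early replies gets no speed-up from this serialisation, which is the point the reply makes about pipelining through a proxy.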

  • Thank you, I've already found your post in another thread.

    I've decided to try option two.


    I'll let you know if it works for me.