Firewall rule does not work as expected

Question

Hello, 
 I'm really not new to the XG system, but right now I got no clue what's going on. I defined a firewall rule (Test) in my 'exeptions' group. The rule ID is #2: 
 
 The destination is a FQDN-hostgroup "Origin" with several FQDN-hosts associated: 
 
 The "IP-collector" for the domain "ea.com" for example, works flawless and it collects all the associated IPs automatically: 
 
 But when I now start a origin game like "BFV" the "Test" rule (#2) will not be triggered like expected. Instead of the Test rule, the rule with ID6 is triggered: 
 
 As you can see, this is a rule I defined under the "Web-Filter" group. It's my HTTPS-scanning rule. 
 
 BTW: I use the DPI engine instead of proxy and already defined exeptions for the domains "ea.com" etc. destinations... 
 What I am doing wrong? Maybe it's really something simple I don't see right now... 
 Thank you.

TheBalmasque · Accepted Answer

Finally I found the culprit:

This was an application filter rule causing the connection to fail: Thunder VPN (Very high risk - Proxy and tunnel - Application). 
 Thank you all for your input. I hope this thread can help anyone in the future with troubleshooting errors like this....

Prism · Answer

This is the usual behavior if you're relying on FQDN for Firewall rules. (It's a bit unreliable) 
 One other thing, using a full domain is much more reliable than wildcards on XG for FQDN's. (This is from personal experience while dealing with SD-WAN.) 
 If you want to bypass Origin traffic from being scanned or decrypted then it's much better to use the Web Exceptions than creating a Firewall Rule with FQDN's. 
 Also, what issues you're currently having with Origin and Battlelog? I'm doing TLS Inspection (Decryption) and still managed to (login) play BF4 and BF5 as expected. (Even with Proton on Steam)

LuCar Toni · Answer

The problem is, some apps like games are very poorly designed. There are couple of them, which uses a IP to connect to. And i am not talking about a DNS record, instead, they connect to https://IP , which is very bad. SFOS does not categorize a IP, as it is nearly impossible to tell, what this IP actually is (Could be CDN, could be a Host etc.). 
 Therefore, sometimes, (especially in Home segments) you have to collect such IPs for exceptions. IoT / Games are the worst scenario for HTTPs Decryption, as those development departments basically do not expect anybody in between the communication. Therefore they simply implement a solution (poorly implemented). 
 If you look left/right, you will find dozen of such examples. World of Warcraft for example connects to a IP as well as Authentication service. Rocket leagues server are always IPs, so the Match making is giving you a plain IP, which you have to connect to. 
 Web exceptions only work for SNI related traffic. Likely they do not even give a SNI in such requests. You can see the SNI in Logviewer.

Firewall rule does not work as expected

Top Replies