Sophos XG Home edition and Battle.net

the neverending story with sophos generally.

horror with microsoft exceptions, also many other programms.

for blizzard / battlenet I have the following urls in exceptions configured:

^([a-zA-Z0-9.-]*\.)?origin-[A-Za-z]\.akamaihd\.net/

^([a-zA-Z0-9.-]*\.)?eaassets([0-9])*-[A-Za-z]\.akamaihd\.net/

^([a-zA-Z0-9.-]*\.)?akamaihd\.net/

^([a-zA-Z0-9.-]*\.)?blizzard\.com/

^([a-zA-Z0-9.-]*\.)?blzddist1-a.akamaihd\.net/

^([a-zA-Z0-9.-]*\.)?battle\.net/

That was the fix. Thanks man. Do you run Sophos at home?

sorry, am i stupid?

Which exactelly was the solution?

Web protection exceptions, firewall policies or a combination of both?

web exception:

ah yes, so the list from me worked? if so it would be nice to mark that also as solution... ;) for several games and clients there are different exceptions.

the mentioned ports from rfcat did they got any relevance in any policy?

SSL/TLS exceptions (Web -> URL Groups) should be good enough and you don't need that Reg-Ex stuff, just add the domains:

SSL/TLS exceptions (Web -> URL Groups) should be good enough and you don't need that Reg-Ex stuff, just add the domains:

This. Shouldn't be using the old-school web proxy, but rather the new DPI inspection, and when you use that this URL group is sufficient. No need for crazy regex's.

Hi,

rather than using the SSL/TLS exclusion list which is updated and overwritten with each firmware release, create an FQDN group for the battle.net URLs and create a firewall rule at the top of your list similar to this

Source LAN, network PC LAN, destination WAN, network FQDN group, allow all services, log and enable IPS LAN to WAN.

I suspect some battle.net sites don't use URLs but IP addressing, so you can create a Battle IP address group and add that to your firewall rule.

Ian