Hello,
after updating to beta 2 and to RC1, Netflix is no longer working; it breaks at 25%.
Downgrade to beta 1 and all is OK.
I use the new FQDN feature and I have tried it without any activation of vscan or webfilter.
Greets
Hi Sten,
I'm experiencing similar problems with the new FQDN wildcard feature, but was not yet able to give a good reproducible example of it.
Is it working if you replace the Netflix FQDN group with "Any" for the related FW rule?
Best Regards
DomNik
Hmm, this is strange.
It's working with Any destination for my FireTV Stick, while the old way for v16 described in https://community.sophos.com/kb/en-us/125061 stopped working in v17. (reason unknown, but that's another topic...)
For video streaming in general I have the following generic vscan web exception - maybe this is the key?
^([A-Za-z0-9.\-/=,_~$+!'%\?\*\(\)]*)?\.mp4
^([A-Za-z0-9.\-/=,_~$+!'%\?\*\(\)]*)?\.m4v
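Added example, not part of the original post and not Sophos code: a quick audit of which URLs the two posted exception patterns exempt from scanning, next to a tighter variant that requires the extension to end the path. It assumes the exception is matched against the URL without its scheme; `TIGHTENED` and the sample URLs are constructed for illustration.

```python
import re

# The two exception patterns exactly as posted above.
POSTED = [
    r"^([A-Za-z0-9.\-/=,_~$+!'%\?\*\(\)]*)?\.mp4",
    r"^([A-Za-z0-9.\-/=,_~$+!'%\?\*\(\)]*)?\.m4v",
]

# Hypothetical tightened variant (assumption, not from the thread):
# host, then a path without '?', ending in the extension, then an
# optional query string and end of input.
TIGHTENED = [
    r"^[A-Za-z0-9.\-]+/[A-Za-z0-9.\-/=,_~$+!'%*()]*\.(mp4|m4v)(\?.*)?$",
]

# Constructed sample URLs (scheme removed), not taken from any real log.
SAMPLES = [
    "cdn.example.com/video/clip.mp4",
    "cdn.example.com/video/clip.m4v?token=abc",
    "files.example.net/setup.mp4.exe",       # extension is not the last one
    "files.example.net/get.php?name=a.mp4",  # '.mp4' only in the query string
    "files.example.net/docs/report.pdf",
]


def exempted(url, patterns):
    """Return True if any exception pattern matches the scheme-less URL."""
    return any(re.search(p, url) for p in patterns)


def audit(samples):
    """Map each URL to (exempt under POSTED, exempt under TIGHTENED)."""
    return {u: (exempted(u, POSTED), exempted(u, TIGHTENED)) for u in samples}


if __name__ == "__main__":
    for url, (posted, tight) in audit(SAMPLES).items():
        print(f"{url:45} posted={posted!s:5} tightened={tight}")
```

The posted patterns have no end anchor, so anything containing `.mp4` or `.m4v` after a run of allowed characters skips scanning, not only files that end in those extensions.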
Sten, that is a pure firewall rule without any scanning and your Netflix should work with this configuration. Reboot your Netflix device and double check any other configuration changes because an ALLOW ALL rule changes your firewall into a simple NAT router and shouldn't affect streaming.
What DomNik is suggesting, using FQDN rules, is described in the old XG exceptions KB article. At the bottom, they have a revised section on how to use Netflix streaming by using NETFLIX as destination on your firewall rules: https://community.sophos.com/kb/en-us/125061 Currently there is a known bug in web filtering that breaks FQDN Netflix filtering https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-feedback/95909/fw-log-could-not-assocate-packet-to-any-connection-when-ips-enabled/352142#352142 but I don't think your issue is related since you are not using any filtering.
EDIT: @ DomNik, I don't understand the logic behind the FQDN rule since in my opinion (that Sophos really doesn't care about) application control should be able to do this. This is a real head scratcher since application rules can be updated with a pattern update but it will need a firmware update to change the FQDN rule (I may be wrong but that's what it looks like to me)
Billybob said: EDIT: @ DomNik, I don't understand the logic behind the FQDN rule since in my opinion (that Sophos really doesn't care about) application control should be able to do this. This is a real head scratcher since application rules can be updated with a pattern update but it will need a firmware update to change the FQDN rule (I may be wrong but that's what it looks like to me)
Hi,
the fact is that Netflix won't work with this test rule.
The normal rules are with FQDN exceptions.
Today there is a new update for the RC1-67 and I would try it in the evening.
greets
Billybob said: application control should be able to do this
Application control signatures require some traffic to be processed before we can make a decision, and we need to make decisions sooner than that on whether to proxy and scan it. The regex exceptions essentially try to make a decision earlier than appcontrol can. It works after the decision to proxy is made, but before the decision to av scan. The FQDN option does the same thing, but can make that decision before we decide to proxy, and is much cleaner than the ugly regex needed for exceptions. It also lets you apply traffic shaping and user restrictions more powerfully than appcontrol alone.
Thanks for the explanation of the logic, and I like the FQDN functionality as a bandaid better than the global regex rules that apply to the whole firewall, but the problem remains. You have to create a rule that passes all the traffic that you want and then you have to embellish that rule with a bandaid of another rule that says in case of Netflix don't do any scanning.
I am not arguing the functionality, as application control rules are only provided by Sophos and we can't write them ourselves. At least we have an option to write FQDN rules fairly easily to bypass streaming / IoT services. But the fact remains, this looks like a bandaid to a problem that should be handled more elegantly by application control or something similar.
Billybob said: But the fact remains, this looks like a bandaid to a problem that should be handled more elegantly by application control or something similar.
I can't argue with that, and I agree, it's not the final solution for addressing cloud apps. It is a big step towards a better solution for this particular problem, though.
Hi,
I have deleted all rules and made a new one with the 17 GA and now it works.
Greets