XG Beta 2 + RC1: Netflix no longer working, no problems with Beta 1

Hello,

After updating to Beta 2 and to RC1, Netflix no longer works; it breaks at 25%.

Downgrading to Beta 1 and all is OK.

I use the new FQDN feature and I have tried it without any activation of vscan or webfilter.

 

Greets

  • Hi Sten,

    I'm experiencing similar problems with the new FQDN wildcard feature, but have not yet been able to give a good reproducible example of it.

    Is it working if you replace the Netflix FQDN group with "Any" for the related FW rule?

    Best Regards

    DomNik

  • Hi DomNik,

    Same problem with Any and no filters. See the screenshots.

  • Hmm, this is strange.

    It's working with Any destination for my FireTV Stick, while the old way for v16 described in https://community.sophos.com/kb/en-us/125061 stopped working in v17. (Reason unknown, but that's another topic...)

    For video streaming in general I have the following generic vscan web exceptions - maybe this is the key?

    ^([A-Za-z0-9.\-/=,_~$+!'%\?\*\(\)]*)?\.mp4

    ^([A-Za-z0-9.\-/=,_~$+!'%\?\*\(\)]*)?\.m4v

  • Sten, that is a pure firewall rule without any scanning and your Netflix should work with this configuration. Reboot your Netflix device and double-check any other configuration changes, because an ALLOW ALL rule changes your firewall into a simple NAT router and shouldn't affect streaming.

    What DomNik is suggesting using FQDN rules is described in the old XG exceptions KB article. At the bottom, they have a revised section on how to use Netflix streaming by using NETFLIX as destination on your firewall rules (https://community.sophos.com/kb/en-us/125061). Currently there is a known bug in webfiltering that breaks FQDN Netflix filtering (https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-feedback/95909/fw-log-could-not-assocate-packet-to-any-connection-when-ips-enabled/352142#352142), but I don't think your issue is related since you are not using any filtering.

    EDIT: @ DomNik, I don't understand the logic behind the FQDN rule since in my opinion (that Sophos really doesn't care about) application control should be able to do this. This is a real head scratcher since application rules can be updated with a pattern update but it will need a firmware update to change the FQDN rule (I may be wrong but that's what it looks like to me).

  • Billybob said:

    EDIT: @ DomNik, I don't understand the logic behind the FQDN rule since in my opinion (that Sophos really doesn't care about) application control should be able to do this. This is a real head scratcher since application rules can be updated with a pattern update but it will need a firmware update to change the FQDN rule (I may be wrong but that's what it looks like to me).

    Hi Billybob,

    I manually added a lot of wildcard FQDNs (Apple iCloud, Microsoft Update, etc.) with the idea of shortening the (huge) list of web exceptions with all the domains that mostly don't rely on complex regex statements.

    However, after implementing some FW rules on top of my list to skip HTTP/S scans for these specific services, I found out that these rules are not applied very often although the IPs are matching according to the FW log. There must be some kind of bug in here.
    A good example is *.mail.me.com which I applied to my IMAPS/SMTPS business rule. After doing this, iCloud Mail is completely broken although the IPs and FQDNs are displayed correctly in the logs.

    Why I don't use Application control here: I simply don't like building FW rules based on this feature. Some applications aren't recognized, the iCloud apps are very complex and hard to figure out, you cannot add custom entries, etc.

    Best Regards
    DomNik
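As an added example (not code from the thread, from Sophos, or from any poster), the Python below runs the two vscan web-exception regexes quoted earlier and a "*.mail.me.com" style wildcard FQDN against constructed URLs and hostnames, and shows that the unanchored regexes also exempt a URL with ".mp4" in the middle of its path, beside an anchored variant that does not. It assumes the exception regex is matched against the URL without its scheme and that a wildcard must cover at least one label; both are assumptions of this example, not documented XG behaviour.

```python
import re

# The two vscan web-exception regexes quoted in the thread. This example
# assumes they are matched against the URL without its scheme (host + path).
THREAD_EXCEPTIONS = [
    r"^([A-Za-z0-9.\-/=,_~$+!'%\?\*\(\)]*)?\.mp4",
    r"^([A-Za-z0-9.\-/=,_~$+!'%\?\*\(\)]*)?\.m4v",
]

# Constructed tightened variants: the extension must end the path, with at
# most a query string after it, so ".mp4" in the middle of a path no longer
# exempts the request from scanning.
ANCHORED_EXCEPTIONS = [
    r"^([A-Za-z0-9.\-/=,_~$+!'%\?\*\(\)]*)?\.mp4(\?.*)?$",
    r"^([A-Za-z0-9.\-/=,_~$+!'%\?\*\(\)]*)?\.m4v(\?.*)?$",
]

# Constructed sample URLs, not taken from the thread.
SAMPLE_URLS = [
    "cdn.example.net/clips/intro.mp4",
    "cdn.example.net/clips/intro.m4v?token=abc",
    "www.example.org/index.html",
    "files.example.org/video.mp4/setup.exe",   # ".mp4" mid-path
]


def matches_exception(url: str, patterns) -> bool:
    """True if any exception regex matches, i.e. the URL would skip scanning."""
    return any(re.match(p, url) for p in patterns)


def audit(patterns) -> dict:
    """Map each sample URL to whether the given exception list exempts it."""
    return {url: matches_exception(url, patterns) for url in SAMPLE_URLS}


def wildcard_fqdn_matches(pattern: str, host: str) -> bool:
    """Match a '*.example.com' style wildcard FQDN against a hostname.

    Assumption of this example (not documented XG behaviour): the wildcard
    must cover at least one label, so '*.mail.me.com' does not match the
    apex 'mail.me.com'.
    """
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".mail.me.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


if __name__ == "__main__":
    for name, pats in (("thread", THREAD_EXCEPTIONS), ("anchored", ANCHORED_EXCEPTIONS)):
        print(name, audit(pats))
    print(wildcard_fqdn_matches("*.mail.me.com", "p01-imap.mail.me.com"))
```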