XG Beta 2 + RC1: Netflix no longer working; with Beta 1 no problems

Hello,

After updating to Beta 2 and to RC1, Netflix no longer works; it breaks at 25%.

Downgrade to Beta 1 and all is OK.

I use the new FQDN feature and I have tried it without any activation of vscan or webfilter.

Greets

  • Hi Sten,

    I'm experiencing similar problems with the new FQDN wildcard feature, but was not yet able to give a good reproducible example of it.

    Is it working if you replace the Netflix FQDN group with "Any" for the related FW rule?

    Best Regards

    DomNik

  • Hi DomNik,

    Same problem with Any and no filters. See the screenshots.

  • Hmm this is strange.

    It's working with Any destination for my FireTV Stick, while the old way for v16 described in https://community.sophos.com/kb/en-us/125061 stopped working in v17 (reason unknown, but that's another topic...).

    For video streaming in general I have the following generic vscan web exception; maybe this is the key?

    ^([A-Za-z0-9.\-/=,_~$+!'%\?\*\(\)]*)?\.mp4

    ^([A-Za-z0-9.\-/=,_~$+!'%\?\*\(\)]*)?\.m4v

  • Sten, that is a pure firewall rule without any scanning, and your Netflix should work with this configuration. Reboot your Netflix device and double-check any other configuration changes, because an ALLOW ALL rule changes your firewall into a simple NAT router and shouldn't affect streaming.

    What DomNik is suggesting using FQDN rules is described in the old XG exceptions KB article. At the bottom, they have a revised section on how to use Netflix streaming by using NETFLIX as destination in your firewall rules: https://community.sophos.com/kb/en-us/125061 Currently there is a known bug in webfiltering that breaks FQDN Netflix filtering: https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-feedback/95909/fw-log-could-not-assocate-packet-to-any-connection-when-ips-enabled/352142#352142 but I don't think your issue is related, since you are not using any filtering.

    EDIT: @DomNik, I don't understand the logic behind the FQDN rule since, in my opinion (which Sophos really doesn't care about), application control should be able to do this. This is a real head scratcher, since application rules can be updated with a pattern update but it will need a firmware update to change the FQDN rule (I may be wrong, but that's what it looks like to me).

  • Billybob said:

    EDIT: @DomNik, I don't understand the logic behind the FQDN rule since, in my opinion (which Sophos really doesn't care about), application control should be able to do this. This is a real head scratcher, since application rules can be updated with a pattern update but it will need a firmware update to change the FQDN rule (I may be wrong, but that's what it looks like to me).

    Hi Billybob,

    I manually added a lot of wildcard FQDNs (Apple iCloud, Microsoft Update, etc.) with the idea of shortening the (huge) list of web exceptions with all the domains that mostly don't rely on complex regex statements.

    However, after implementing some FW rules on top of my list to skip HTTP/S scans for these specific services, I found out that these rules are not applied very often, although the IPs are matching according to the FW log. There must be some kind of bug in here.
    A good example is *.mail.me.com, which I applied to my IMAPS/SMTPS business rule. After doing this, iCloud Mail is completely broken, although the IPs and FQDNs are displayed correctly in the logs.

    Why I don't use Application Control here: I simply don't like doing FW rules based on this feature. Some applications aren't recognized, the iCloud apps are very complex and hard to figure out, you cannot add custom entries, etc.

    Best Regards
    DomNik
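    An added example (not code from the thread or from Sophos) that evaluates the two regex web exceptions quoted earlier against sample URLs, and compares hostnames against a wildcard FQDN such as *.mail.me.com from the post above. Assumptions: the firewall applies the regex to the URL with its scheme removed, and "*" in a wildcard FQDN stands for one or more leading DNS labels only; neither is verified against the product.

```python
import re
from urllib.parse import urlsplit

# Regex web exceptions exactly as quoted in the thread. Assumption: they are
# evaluated against the URL with the scheme removed ("host/path?query").
VIDEO_EXCEPTIONS = [
    r"^([A-Za-z0-9.\-/=,_~$+!'%\?\*\(\)]*)?\.mp4",
    r"^([A-Za-z0-9.\-/=,_~$+!'%\?\*\(\)]*)?\.m4v",
]
_COMPILED = [re.compile(p) for p in VIDEO_EXCEPTIONS]


def strip_scheme(url: str) -> str:
    """Return "host/path?query" for a URL, the form the patterns are written for."""
    parts = urlsplit(url)
    rest = parts.netloc + parts.path
    if parts.query:
        rest += "?" + parts.query
    return rest


def matches_video_exception(url: str) -> bool:
    """True if the URL would be exempted from AV scanning by the patterns above.

    Two properties of the quoted patterns worth knowing before relying on them:
    - the character class has no '&', '#', ':' or '@', so a path containing
      one of those before the extension never matches (scanning stays on);
    - there is no end anchor, so ".mp4" anywhere in the URL matches, including
      ".mp4x" or a directory literally named "x.mp4".
    """
    target = strip_scheme(url)
    return any(p.search(target) for p in _COMPILED)


def fqdn_matches(pattern: str, host: str) -> bool:
    """Wildcard FQDN match, e.g. fqdn_matches("*.mail.me.com", host).

    Assumption (not verified against Sophos XG): "*." matches one or more
    leading labels, so the bare apex "mail.me.com" does not match, and a
    look-alike such as "evilmail.me.com" is rejected because the dot is
    part of the suffix.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".mail.me.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern
```

    Hosts and URLs used in the checks are constructed examples, not traffic captured from any device.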
  • Hi,

    The fact is that Netflix won't work with this test rule.

    The normal rules are with FQDN exceptions.

    Today there is a new update for RC1-67 and I will try it in the evening.

    Greets

  • Billybob said:
    application control should be able to do this

    Application control signatures require some traffic to be processed before we can make a decision, and we need to make decisions sooner than that on whether to proxy and scan it. The regex exceptions essentially try to make a decision earlier than appcontrol can. It works after the decision to proxy is made, but before the decision to AV scan. The FQDN option does the same thing, but can make that decision before we decide to proxy, and is much cleaner than the ugly regex needed for exceptions. It also lets you apply traffic shaping and user restrictions more powerfully than appcontrol alone.

  • Thanks for the explanation of the logic, and I like the FQDN functionality as a band-aid better than the global regex rules that apply to the whole firewall, but the problem remains. You have to create a rule that passes all the traffic that you want, and then you have to embellish that rule with a band-aid of another rule that says in case of Netflix don't do any scanning.

    I am not arguing the functionality, as application control rules are only provided by Sophos and we can't write them ourselves. At least we have an option to write FQDN rules fairly easily to bypass streaming / IoT services. But the fact remains: this looks like a band-aid to a problem that should be handled more elegantly by application control or something similar.

  • Billybob said:
    But the fact remains: this looks like a band-aid to a problem that should be handled more elegantly by application control or something similar.

    I can't argue with that, and I agree: it's not the final solution for addressing cloud apps. It is a big step towards a better solution for this particular problem, though.
