
Netflix on apple TV

Since I deployed the XG in my network, Netflix streaming on my Apple TV 3 is no longer working.

You can browse the shows etc, but as soon as you hit play, you get an error message.

I checked the community and was redirected to this KB article that supposedly fixes this: https://community.sophos.com/kb/en-us/125061

Unfortunately after applying this, it's still not working.

The only way to get Netflix to work is to either create an exception rule on the IP of my Apple TV to bypass scanning, or to disable HTTP scanning altogether.

Creating a rule with Netflix as a service does not work.


As my Apple TV has a DHCP address, I don't like the IP approach, and disabling HTTP scanning entirely, well yeah...

So is anybody aware of what to do in this case in order to make it work, perhaps by making some changes in the FQDN for Netflix?

Thanks



  • Hi,

    You need to disable scanning of streaming. How did you define Netflix in your rule?

    Well, you set up a rule for Netflix which does not have scanning enabled. Scanning a streaming video or audio is not going to work.

    The rule would look like this - source LAN -> appletv -> any service -> destination WAN -> netflix, MASQ, log traffic initially to help with debug. Any service can be refined from the logs after you have the application running.

    Ian

  • I did make the rule before as you stated.

    This rule as created in the screenshot does not work for me.

    However when I change Destination networks Netflix to Any, it works.

    Therefore my judgement is that the Netflix destination network is not correctly defined.

    The problem is, I do not see anything useful in the log viewer, so I have no clue on how to fix it.

  • Can you show us what is in your Netflix rule? Not the Web policy rule, the Host object.

  • Is this what you are after?

  • (at a guess)

    Please make sure that the Apple TV and the XG are getting DNS from the same location.

    Netflix uses those domains listed, and if you get DNS from 8.8.8.8 you will get the video streams hosted on Netflix servers.

    However some ISPs will also have their own "local" Netflix servers to reduce network congestion. When using the ISP's DNS server the video hostnames redirect to an ISP-owned server with a different IP.

    I know that this is problematic with Roku TVs because they ignore the DNS given to them by the DHCP server and hardcode to use specific ones, which means Roku TVs will never use the ISP-owned servers.

    Netflix is also quite annoying in that (depending on the platform) it makes connections directly to IPs rather than hosts. So the proxy just sees GET http://1.2.3.4/somestream .

    If the 17.x method of doing things listed in the KB is not working, the 16.x version may still work. This turns off AV scanning for all the Netflix-owned domains and IP ranges; however, if it is actually connecting to an ISP-owned IP it won't work as written. You would need to determine the IPs that your ISP uses and include them with additional (carefully written) regex.

  • I just had some time to check, and indeed the DNS server on the Apple TV and the Sophos is different.

    I'm going to perform some tests now after setting the same DNS.

  • I just performed the test.

    On Sophos:

    DNS 1: 1.1.1.1

    DNS 2: 8.8.8.8

    DNS 3: 195.x.x.x local provider DNS

    On the Apple TV I set a fixed IP and fixed DNS to 1.1.1.1.

    I reboot the Apple TV and try: result NOK.

    I change the DNS server on the Apple TV to the IP of the Sophos XG, again result NOK.

    So unfortunately the DNS change does not fix my issue.

  • So when it fails,

    Please go to Log Viewer. Switch to detailed view (icon). Select Web Filter.

    Under search enter in
    status_code="416"

    Are there any entries from the time of the test? If so, paste them here.

    If there are not, remove the search and paste any relevant lines from the time of the test.

    If there are no lines at all from the test then... maybe the firewall rule is working and something else is going on.

    Also... just to make sure that we are not in an "is it plugged in" scenario, the firewall rule for Netflix is above the Web policy ones and is turned on, right? Can you give a screenshot of the list of firewall rules?

  • I just did a fresh test for you and made a new screenshot of the rule order and rule details.

    messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" fw_rule_id="2" user="" user_group="" web_policy_id="12" web_policy="" category="IPAddress" category_type="Acceptable" url="45.57.20.137/ content_type="application/octet-stream" override_token="" response_code="" src_ip="10.10.10.17" dst_ip="45.57.20.137" protocol="TCP" src_port="49274" dst_port="80" bytes_sent="603" bytes_received="4684" domain="45.57.20.137" exception="" activity_name="" reason="" user_agent="AppleCoreMedia/1.0.0.12H606 (Apple TV; U; CPU OS 8_4_2 like Mac OS X; nl_nl)" status_code="416" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="176966496" app_name="" app_is_cloud="0"

  • Pulling out some relevant parts:
    fw_rule_id="2"
    web_policy_id="12"
    url="http://45.57.20.137/
    src_ip="10.10.10.17"
    dst_ip="45.57.20.137"
    status_code="416"

    So you see the url= (slightly messed up in the cut and paste) is http://45.57.20.137/
    The fw_rule_id is 2, which, matched to your screenshot, is the LAN to WAN rule.

    On a command line
    # dig +short -x 45.57.20.137
    ipv4_1.lagg0.c015.bru001.ix.nflxvideo.net.

    And then you can do the reverse:
    dig +short ipv4_1.lagg0.c015.bru001.ix.nflxvideo.net.
    45.57.20.137

    Also that IP falls in the IP range that forms the regex version of this. So that is an IP actually owned by Netflix.
    ^45\.57\.([0-9]|[1-9][0-9]|1([0-1][0-9]|2[0-7]))\.[0-9]

    But... and this is the interesting thing. That Allow Netflix rule has caught 5.85 GB of traffic. So it is at least working some of the time.
    Aside from removing the Scan FTP and temporarily removing the Source of Apple TV, I don't see anything that could be wrong in the rule.

    I recall hearing of some problems that some people were having where they would have to play a video, have it fail, then play it again to have it work. They thought the problem was that it takes the XG a while to "learn" the IPs from watching traffic.

    I'm going to ask someone else familiar with this method to see if he has any ideas.

    However - if you use the Exception method listed in the KB this would be working.
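As an added example (not part of the thread or of Sophos's own tooling), a small Python triage script that parses an XG Web Filter log line in the key="value" format shown above, pulls out the same fields the reply reads off it, and checks whether dst_ip falls inside the range the quoted regex covers (45.57.0.0/17). The sample line is the one posted above, kept with its broken url= quote; the parsing and field names are my own assumptions.

```python
import ipaddress
import re

# Constructed sample: the Web Filter log line posted above, kept with its
# unbalanced quote after url= (the cut-and-paste damage noted in the reply).
SAMPLE_LOG = (
    'messageid="16001" log_type="Content Filtering" log_component="HTTP" '
    'log_subtype="Allowed" status="" fw_rule_id="2" user="" user_group="" '
    'web_policy_id="12" web_policy="" category="IPAddress" category_type="Acceptable" '
    'url="45.57.20.137/ content_type="application/octet-stream" override_token="" '
    'response_code="" src_ip="10.10.10.17" dst_ip="45.57.20.137" protocol="TCP" '
    'src_port="49274" dst_port="80" bytes_sent="603" bytes_received="4684" '
    'domain="45.57.20.137" exception="" user_agent="AppleCoreMedia/1.0.0.12H606 '
    '(Apple TV; U; CPU OS 8_4_2 like Mac OS X; nl_nl)" status_code="416" '
    'con_id="176966496" app_name="" app_is_cloud="0"'
)

# The Netflix regex quoted in the reply. It accepts third octets 0-127, so it
# covers 45.57.0.0 - 45.57.127.255, i.e. 45.57.0.0/17; checked here both ways.
NETFLIX_REGEX = re.compile(r"^45\.57\.([0-9]|[1-9][0-9]|1([0-1][0-9]|2[0-7]))\.[0-9]")
NETFLIX_NET = ipaddress.ip_network("45.57.0.0/17")

# XG log lines are space-separated key="value" pairs; values may contain spaces.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_log(line):
    # A missing closing quote (the sample's url= field) swallows the following key
    # into that value, but later well-formed fields such as dst_ip still parse.
    return dict(KV_RE.findall(line))


def regex_matches(ip):
    return NETFLIX_REGEX.match(ip) is not None


def in_netflix_range(ip):
    return bool(ip) and ipaddress.ip_address(ip) in NETFLIX_NET


def triage(line):
    """Pull out the fields the reply reads off the line and classify the hit."""
    f = parse_log(line)
    dst = f.get("dst_ip", "")
    return {
        "fw_rule_id": f.get("fw_rule_id"),
        "web_policy_id": f.get("web_policy_id"),
        "dst_ip": dst,
        "direct_to_ip": f.get("category") == "IPAddress",  # client used a bare IP
        "netflix_ip": in_netflix_range(dst),
        "regex_hit": regex_matches(dst),
        "range_failed": f.get("status_code") == "416",  # HTTP 416 Range Not Satisfiable
    }
```

Run triage() over the lines returned by the status_code="416" search described above; a hit whose dst_ip is outside the Netflix range is the ISP-hosted case the earlier reply warns the regex does not cover.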
  • First of all, don't be confused by the traffic caught, because when I want to watch Netflix, I disable the Netflix host group exception and allow ALL destinations for the IP of my Apple TV.

    That traffic is of course counted within the same rule.

    So well yeah, I'm at a loss currently on why this does not work.

    I don't know if it's relevant or not, but my device is in bridge mode.

  • This KB describes two methods:

    https://community.sophos.com/kb/en-us/125061

    The FQDN method is "better" but seems not to be working for unknown reasons.

    The Exception method should work for you.

    If you just want it to work, please use the exception method.

    However... if you want to debug the FQDN method, please log a support ticket. I suspect that it will have to be escalated to the development teams where they can investigate more deeply. Currently we have heard that the method is not working for a limited number of people, but we haven't had any customer be in direct contact with the development teams who can determine the exact cause. So if you have time and want to help improve the product, it would be nice if you did that.

  • Well, to be honest, the FQDN method should work, especially as it's projected as the solution as of version 17.

    Just as a reference I will also try a test with the regex when I have a spare moment.

    I do want to add one more detail. I have the issues with my Apple TV 3. I noticed by accident that Netflix on my iPad is working like a charm, without adding any special rule ...