SOPHOS XG 19 Streaming issue (HBOMAX)

Sophos XG 19 GA, Intel Xeon D, 4x10GbE, 16GB, 1TB SSD

DPI SSL/TLS

Apple TV


I am having a lot of issues with streaming services since updating to XG19:
getting constant buffering from streaming services.
Major issue with HBOMAX: error "can't connect to HBOMAX,
we are having trouble connecting to the HBOMAX service."
This was not happening on XG18.
Tried a different connection that's not behind the Sophos XG and everything works:
HBOMAX connects with no errors and other streaming services are not buffering. Go back to the XG and HBOMAX cannot connect, and the other streaming services buffer.
Does anyone have HBOMAX working on XG19? What are your settings/exceptions?

------------------------------------------------------------------------------------------------------------------
On another note, why does the XG generate/make so many connections to Google (all over the world)? In 2 weeks it made 29433719 connections to Google (any country).



  • Sounds like you have a boatload of problems, some of which are unexplainable with the information provided. For example, how are you determining that connections to Google are occurring and are you able to determine what machine is making those connections and what protocols/ports are being connected to? (That is, if your default DNS is Google, you might expect a boatload of connections to port 53. If Google is your default search engine in browsers, as people type in the URL bar it may be sending queries to Google as well. Then there's QUIC and other Google tricks occurring.)

    In terms of HBOMAX, I've had somewhat similar issues with YouTube and for me it's always SSL decryption. In v19, there's a global switch to turn off decryption and that might be a good first experiment: turn it off temporarily while trying HBOMAX and see if all is well. If it works without decryption, then that's the problem. Then turn decryption back on. (It's always the problem for me.)

    To fix decryption issues, I go to the Log Viewer and watch the TLS logs for anything related to the streaming service (YouTube in my case) while using the application on my AppleTV. Add items, as appropriate, to the TLS exception group until things work. I also block ads and trackers manually and blocked ytimage.com (or something like that) which is evidently used to track you but also holds thumbnails for all those videos you're previewing.

    Recently, we had another problem crop up and after doing my debugging I finally decided to fix the problem for the long-haul by making the AppleTV a clientless user (assign a static IP address in DHCP so it's consistent) and then exempting the user from TLS. (I also used this to set up Traffic Shaping for the AppleTV. This is not as simple as you might think, though.)

    Note that the AppleTV, under some circumstances, can present three MAC addresses to get three IP addresses from DHCP. One will be the well-known MAC address that you can see in the AppleTV menus. The other two are random. I'm not sure how they are used and whether they cause problems with my clientless user approach. In my case, I have clientless users for everything I care about and my firewall rules to route to the WAN require (clientless) users, so I'm simply blocking the random (dynamic DHCP) AppleTV addresses from communicating, and it all seems to work.

    (I say "under some circumstances" because it consistently does so for me, but most people don't seem to see it. In my case, I'm using eARC on the AppleTV and have a pair of HomePods as its output, so maybe one of those two uses causes it to grab multiple IPs. Not sure.)

  • Just for testing, to see what the XG was doing I put it behind an appliance for about 2 weeks with nothing else connected to it and logged all traffic coming from the XG WAN port, did packet captures; the port is UDP 53 and the addresses are for example (google.ee google.be google.ac).

    Turned off SSL decryption temporarily using the global switch, have exceptions in place, firewall rule with a static IP for the Apple TV, no web filter, app or IPS enabled for the Apple TV. Still got the "cannot connect" error above.

    I watched the TLS logs and allowed all hbo and hbomax, but still no luck.
    Would you mind sharing your manually blocked ads and trackers list? You can send it in a PM.

    Every other streaming app works, but HBOMAX starts to load and then gets "can't connect to hbomax", so I connect the Apple TV to a hotspot and hbomax works.

  • So the XG is querying DNS to get IP addresses. When you say the "addresses are", do you mean the addresses being looked up, or the addresses to which the DNS queries are going? It is a little strange that it seems so obsessed with Google (whether looking up Google addresses around the world or looking up at Google DNS servers around the world).

    In terms of TLS (or anything else), it's not just HBO and HBO Max addresses that you need to allow. They could be pulling their actual data from AWS servers or Akamai servers, etc. And they might be doing tracking/ads and so won't work if you interfere with those connections. (Which is why I eventually went with a (clientless) user approach to exceptions, which so far seems to be working, though I haven't deleted all servers from the Web TLS exception list yet either.)

    Have you tried packet capturing from the AppleTV? The HBOMAX app could be doing something just really weird and refusing to work if it doesn't see what it expects to see. (Like broadcasting to the LAN and expecting replies or trying to contact a dozen tracking sites or doing DNS lookups to IP addresses they keep secret.) You are using an HBO Max app on the AppleTV, is that correct?

    My ad blocking isn't very scientific. I have an actual ad blocker on my laptop and I basically go through the Top 100 or so and type them into the Sophos. I have less than 100 so far and like I said it's a bit quirky. It probably doesn't do much, but I figure the software that I run on my laptop doesn't protect the AppleTV or my phone, so why not try to catch a few things. I don't think many show up in any Sophos log, if any.

    I'd also add that I am researching STUN because of some weird things I'm seeing and I suspect that the Sophos does symmetrical NAT which I believe pretty much keeps STUN from easily working. And it may be that HBO won't do other workarounds if it finds the low-hanging STUN fruit not working.

    Also, if you go to the non-Advanced Shell on the Sophos you might want to try the drop-packet-capture command to see if HBO is doing other stuff to your public IP ("the appliance") and aborting if things don't work the way they expect.

  • The lots-o-DNS-queries issue sounds like the following. (I changed the link to the deeper topic, which I think begins to talk about the upstream DNS TTL.) It may be a combination of using SafeImage (or whatever Google's tool is called) and perhaps an upstream DNS server that sets a very low DNS TTL...

    community.sophos.com/.../sophos-xg-making-a-significant-amount-of-dns-queries-to-www-google-com

    Older:

    community.sophos.com/.../sophos-xg-making-a-significant-amount-of-dns-queries-to-www-google-com
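The question raised earlier in the thread, whether the "addresses" are the names being looked up or the resolvers the queries go to, can be settled from the capture itself. The following Python script is an added example, not code from this thread or from Sophos: it parses tcpdump-style DNS query lines (the sample lines are constructed, with 203.0.113.10 standing in for the firewall's WAN address and 8.8.8.8 / 8.8.4.4 for the resolvers) and counts queries per resolver, per queried name and per second-level label, plus the query rate. Those are the figures to compare before and after changing the SafeSearch and upstream DNS settings discussed above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in tcpdump's default DNS output format (not a real capture).
# The last line is a response, which the query parser deliberately skips.
SAMPLE_CAPTURE = """\
18:34:22.000000 IP 203.0.113.10.41234 > 8.8.8.8.53: 1001+ A? www.google.com. (32)
18:34:22.000900 IP 203.0.113.10.41235 > 8.8.8.8.53: 1002+ A? google.ee. (27)
18:34:23.000100 IP 203.0.113.10.41236 > 8.8.4.4.53: 1003+ A? google.be. (27)
18:34:23.500000 IP 203.0.113.10.41237 > 8.8.8.8.53: 1004+ AAAA? www.google.com. (32)
18:34:24.000000 IP 203.0.113.10.41238 > 8.8.8.8.53: 1005+ A? google.ac. (27)
18:35:22.000000 IP 203.0.113.10.41239 > 8.8.8.8.53: 1006+ A? updates.example.net. (37)
18:35:22.000500 IP 8.8.8.8.53 > 203.0.113.10.41239: 1006 1/0/0 A 192.0.2.20 (53)
"""

# One tcpdump DNS query line: timestamp, src.port > dst.port, txid, qtype? qname (len)
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$"
)


def parse_queries(text):
    """Return one dict per DNS query; responses and non-DNS lines are skipped."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m or m["dport"] != "53":
            continue
        q = m.groupdict()
        q["qname"] = q["qname"].rstrip(".")          # drop the trailing root dot
        q["when"] = datetime.strptime(q["ts"], "%H:%M:%S.%f")
        out.append(q)
    return out


def second_level_label(qname):
    """'www.google.com' -> 'google', 'google.ee' -> 'google' (naive, no PSL)."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else qname


def summarize_dns(text):
    """Separate 'who is asked' (resolver) from 'what is asked' (qname)."""
    qs = parse_queries(text)
    by_resolver = Counter(q["dst"] for q in qs)
    by_qname = Counter(q["qname"] for q in qs)
    by_label = Counter(second_level_label(q["qname"]) for q in qs)
    span = (qs[-1]["when"] - qs[0]["when"]).total_seconds() if len(qs) > 1 else 0.0
    minutes = max(span, 1.0) / 60.0              # avoid division by zero on tiny samples
    return {
        "total": len(qs),
        "by_resolver": dict(by_resolver),
        "by_qname": dict(by_qname),
        "by_label": dict(by_label),
        "rate_per_minute": len(qs) / minutes,
    }


if __name__ == "__main__":
    summary = summarize_dns(SAMPLE_CAPTURE)
    print("queries sent to each resolver:", summary["by_resolver"])
    print("names looked up:", summary["by_qname"])
    print("queries per second-level label:", summary["by_label"])
    print(f"{summary['rate_per_minute']:.1f} queries/minute over the sample")
```

Run it against the output of `tcpdump -n -i <wan> udp port 53` saved to a file and the two counters answer the question directly: `by_resolver` tells you which DNS servers the firewall talks to, `by_qname` and `by_label` tell you which names it keeps resolving. A high rate with few distinct names is the signature of a short upstream TTL, which the linked threads discuss.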

  • I did drop-packet-capture to see what hbomax was doing:
    no drops/blocks going to external.

    Looking in the log, invalid packets are being blocked inbound:

    2022-05-31 18:34:22 Invalid Traffic Denied N/A 0 Port2 13.32.208.119 x.x.x.x 443 53009 TCP 0 Open PCAP Invalid packet.

    2022-05-31 09:42:38 Invalid Traffic Denied N/A 0 Port2 54.230.31.183 x.x.x.x 443 63334 TCP 0 Open PCAP Invalid packet.

    Thanks for the links. Did try those settings; Google connections are down to
    about 2369 in 2 days, not using SafeSearch.

    Is there anyone who has hbomax working?
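The two "Invalid packet" lines in the post above can be triaged mechanically rather than by eye. The following Python script is an added example, not part of this thread or of Sophos' tooling. The column names it assigns to the log fields (category, action, rule, interface, source and destination IP and port, protocol) are an assumption inferred from the column order of the two quoted lines, "Port2" being the WAN interface is likewise assumed from the post, and the third sample line is constructed with a documentation address. It classifies each denied packet: one arriving from TCP port 443 towards a high port is a late reply from a server to a session whose state the firewall has already dropped (common with CDN traffic and not what keeps an app from connecting), whereas one aimed at a low service port is unsolicited inbound traffic that deserves a look.

```python
import re
from collections import Counter

# Two lines quoted from the post plus one constructed line (198.51.100.7 is a
# documentation address) so that both classifications below are exercised.
SAMPLE_LOG = """\
2022-05-31 18:34:22 Invalid Traffic Denied N/A 0 Port2 13.32.208.119 x.x.x.x 443 53009 TCP 0 Open PCAP Invalid packet.
2022-05-31 09:42:38 Invalid Traffic Denied N/A 0 Port2 54.230.31.183 x.x.x.x 443 63334 TCP 0 Open PCAP Invalid packet.
2022-05-31 10:00:01 Invalid Traffic Denied N/A 0 Port2 198.51.100.7 x.x.x.x 52000 22 TCP 0 Open PCAP Invalid packet.
"""

# Field names are an assumption inferred from the column order in the post;
# "Open PCAP" is the log viewer's link label, so it is matched and discarded.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<category>Invalid Traffic) (?P<action>\w+) (?P<rule>\S+) (?P<rule_id>\d+) "
    r"(?P<iface>\S+) (?P<src_ip>\S+) (?P<dst_ip>\S+) "
    r"(?P<src_port>\d+) (?P<dst_port>\d+) (?P<proto>\w+) (?P<extra>\d+) "
    r"Open PCAP (?P<message>.*)$"
)

WAN_IFACES = {"Port2"}      # assumption: Port2 is the WAN side in this post
SERVER_PORTS = {80, 443}    # ports a streaming CDN answers from
EPHEMERAL_MIN = 1024        # client-side ports sit above this


def classify(entry):
    """Label a denied inbound packet by what it most plausibly is."""
    inbound_wan = entry["iface"] in WAN_IFACES
    if (inbound_wan and entry["src_port"] in SERVER_PORTS
            and entry["dst_port"] >= EPHEMERAL_MIN):
        # A server still answering towards a client port after the firewall
        # forgot the session: a straggler, not a blocked new connection.
        return "late_reply"
    if inbound_wan and entry["dst_port"] < EPHEMERAL_MIN:
        # Nobody inside asked for this; it targets a service port.
        return "unsolicited_inbound"
    return "other"


def parse_invalid_traffic(text):
    """Parse Invalid Traffic log lines into dicts with an added 'class' key."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        for key in ("src_port", "dst_port", "rule_id", "extra"):
            e[key] = int(e[key])
        e["class"] = classify(e)
        entries.append(e)
    return entries


def summarize(entries):
    """Counts per classification and per (source IP, classification) pair."""
    by_class = Counter(e["class"] for e in entries)
    by_src = Counter((e["src_ip"], e["class"]) for e in entries)
    return {"by_class": dict(by_class), "by_src": dict(by_src)}


if __name__ == "__main__":
    ents = parse_invalid_traffic(SAMPLE_LOG)
    for e in ents:
        print(f'{e["date"]} {e["time"]} {e["src_ip"]}:{e["src_port"]} '
              f'-> {e["dst_ip"]}:{e["dst_port"]} {e["proto"]} {e["class"]}')
    print(summarize(ents))
```

Both quoted lines classify as late replies from CDN addresses on port 443, which matches the poster's own finding that nothing outbound was dropped: those denies are a side effect of the sessions ending, not the cause of the "can't connect" error. The `unsolicited_inbound` bucket is the one worth reviewing when it fills up with the same source.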
