Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 36 replies
  • Subscribers 33 subscribers
  • Views 85549 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

I really want to like this product, but...

psykix

If I'd purchased this for deployment in my place of work, then I'd be looking for a refund.

1) The webfilter issues are a show stopper. I wanted to use the webfilter to enable malware/antivirus scanning on the gateway. As soon as I enable the webfilter, then Youtube, Netflix, and the kids Amazon Fire TV boxes are all rendered useless. This has been posted about several times, and there is no response.

2) My connections shows interface status up, gateway down, but it's not down. I've tried with a straight and also a crossover cable - no difference. It's working so why is it saying it is down? Must be a bug.

3) How on earth do you get the performance indicator to stay green? I'm running it on ESXi 6 and have given the box 2 cores (and even tried 4) and 6Gb of RAM. Still it's flagging performance as orange.

4) Can't get email notifications to work using my normal Microsoft Exchange hosted server. Notifications from other applications BEHIND the Sophos XG firewall work, so why don't they work from Sophos itself?

5) Support is pretty much non-existent. It just seems to consist of users helping users, and at the moment it's like the blind leading the blind - none of us can figure the product out properly and most of us are not exactly networking novices. That should be telling you something about your product.

Rant over.



This thread was automatically locked due to age.
  • 0 in reply to Big Ray

    My pleasure, sir.

    Netflix on a mobile device behind XG with HTTPS filtering on.... challenge accepted. I'll be back behind the device tomorrow... I'll let you know how it goes.

    I found a thread talking about what exemptions to add for UTM9 for Netflix. I'll be doing something to the effect of this:

    Protection > Web Protection > Web Categories
    Create a new category - Known good/Bypass filter (or something like that)

    Add sites/keywords there, per the article I found re the utm. Probably something like
    nflximg.com
    nflxvideo.net
    vo.llnwd.net
    netflix.com

    then

    Protection > Web Protection > Web Content Filter
    Under HTTPS exceptions
    Add. Type a name.
    Under Bypass - add new item - add the category just created. Click save.

    I'll probably stop and test it there - but if necessary, I'll also add regex rules under HTTP Scanning Rules similar to:
    ^https?://[A-Za-z0-9.-]*netflix-*.vo.llnwd.net/
    ^https?://[A-Za-z0-9.-]*nflximg.com/
    ^https?://[A-Za-z0-9.-]*nflxvideo.net/
    ^https?://[A-Za-z0-9.-]*netflix.com/

    I have seen a few posts griping about regex not working properly - so I may run into that - but this is what I plan to try - and we'll see what it does.

    I would like to see regex and category-based scanning exemptions moved into either the global policies list or Web Filter Policies - because then I could apply user-based filtering to the exemptions - for example - clientless users get to bypass filtering on netflix, youtube, and facebook (mobile facebook breaks HORRIBLY) but keep it for the desktop/laptop folks for which certificates could be easily imported. Joys of feature requests....

  • 0 in reply to WayneBoyles
    Well I sent an email to support as you described and no luck, See below for there response-

    Thank you for contacting Sophos Technical Support. We highly appreciate your interest for the Sophos XG firewall Home edition. To received further assistance for your XG firewall home, please continue on the link portal I have provided:

    https://community.sophos.com/ and register your email address to obtain help from our community since Sophos Technical support is purely for second level/ Partners and distributors only. Thank you and have a great day!

    Regards,

    Bien Carlo Bermudez
    Sophos Technical Support
    www.sophos.com/.../technical-support.aspx

    Support Knowledge Base: community.sophos.com/kb
    Follow us on Twitter @SophosSupport
    Sophos Community (discussion forums): https://community.sophos.com

    SOPHOS - Security made simple
  • 0 in reply to ChavousCamp
    You go ChavousCamp, We are counting on you to get Netflix working. I am not sure what thread you where talking about for the Regex exemptions but have a look at Drashnas blog for a great list regex entries for many things that work great in UTM9-
    drashna.net/.../
  • 0 in reply to Big Ray
    That's a better one than the one I found. Mine was an old forum post here: www.astaro.org/.../50903-exception-rule-netflix-streaming.html

    Drashna's is much more thorough. I'll look through his when I get ready to do this.
  • 0 in reply to ChavousCamp
    My pleasure. The old Sophos forums are a bit of a mess when it comes to all the suggestions regarding Netflix not working. Chris the owner of Drashna blog belongs to one of the forums that i am pretty active in called
    homeservershow.com and I must say he does great work, You can trust that everything you read on that blog I sent you has been tested and works. If you get this working your going to make a lot of peaple very happy this holliday season, myself included.

    If you get a chance have a look at the frustration about the new XG Firewall regarding Netflix not working as well as other things. See the link below to a thread I started on the HSS, My forum name is itGeeks
    homeservershow.com/.../index.php
  • 0 in reply to Big Ray
    Ok, so I won't say "challenge completed" yet - because I cheated to get it working... still working on the webfilter side, but here is one SURE-FIRE way to get it to work while keeping filtering on for the majority of users...

    So we'll say... CHALLENGE PENDING for now - and use this to get it working!

    1) Create a clientless users group
    Objects > Identity > Groups
    Add.
    Enter a group name.
    Group Type: Clientless
    Quarantine Digest: Disable
    Save.

    2) Create Clientless users for each exempt device.
    Objects > Identity > Clientless Users
    Add (or add range, if they are in a specific range)
    Enter a username - something descriptive for the device (ex: ccamp-iphone)
    IP Address: the internal ip address
    Group: The clientless group you created in step 1
    Name: Some name. Descriptive. "My Iphone"
    Email: fake an email address. Next version won't require this.
    Description: More useless description info. Not required.

    Click the plus sign if you need to add additional devices.

    Click save.

    3) Create security policy
    Security Policies
    Click on your HTTPS filter rule, click the plus sign, click "Above (User/Network Rule)"
    About this rule---
    Name: Allow Clientless to Bypass Filter
    Identity---
    Match Rule based on user identity: On
    User or Groups: Clientless Group created in step 1
    Source---
    Zone: Lan
    Networks: Any
    Services: HTTP,HTTPS, others if you need them, but these suffice for this walkthrough
    Destination---
    Zone: WAN
    Networks: Any
    Malware Scanning---
    Scan FTP OFF
    Scan HTTP OFF
    Decrypt & Scan HTTPS OFF

    Save.

    This bypasses the specific clientless devices you created from the webfilter entirely. This is actually a reasonably good solution - and may be the "best" solution for roku/appletv/chromecast and other fixed devices that do not regularly leave your network.

    This is NOT the best solution for mobile devices, but it will work. The best solution for mobile devices would be to either FIX the damned web filter (still working on it) or create a separate wireless network for them.
  • 0 in reply to ChavousCamp
    First I would like to say I am grateful for all your hard word on this, I further more agree that Sophos just needs to fix this very old streaming problem, This was a problem in UTM9 as well but at least we could fix it with regex entries and NOT have to completely bypass devices like we do now to get it working. Does none of the Sophos employees have mobile devices and use services such as Netflix? That would be mind blowing if they did not. It seems to me that Sophos does not want anyone using such services if using there product.

    No I mean no harm in what I am about to say & again I am very great full for your hard work but is what you posted not the long-hand way of solving the Netflix problem vs what we are already doing in a short-hand way? The way I solved the Netflix problem is easy, I created a policy for all my mobile devices called streaming devices and I just turned off HTTP and HTTPS scanning and I disabled the web filter and Netflix works. Am I missing something with your way of doing this? Just seems like a lot of extra work with no benefit unless I am missing something?
  • 0 in reply to Big Ray
    The difference is in the reports you get. Your way works - and is the quickest way. My way lets you easily identify the ip addresses with user names/descriptions if/when you run traffic reports. Either works.

    And before we throw Sophos under the bus for their HTTP/S filtering - lets ask ourselves - is any vendor ACTUALLY PRODUCING a true HTTP and HTTPS filter that works *well* with highly advanced streaming services like netflix? The answer is likely no. Netflix in particular is a very odd bird due to the way it streams using direct IP addresses instead of host names that can easily have regex or string comparisons done against them.

    I may open a support ticket on this and see what support says. I may also put my challenge on hold until the new version is released in January/February... see what they fix/change. I don't expect them to FIX it outright, but they very may well change something that either breaks whatever I come up with *OR* fix something else (like regex) that allows me to make things actually work.
  • 0 in reply to ChavousCamp
    Thank you for the detailed explanation. That would be great if you could enter a support ticket. I think the more we hound Sophos to get this fixed once and for all the better. I look forward to any updates you may have.

    Thanks again for taking the time...
  • 0 in reply to ChavousCamp
    Hi ChavousCamp,
    Unrelated to Netflix, Do you know to fix I am having trouble with Windows downloading new Insider builds when the device is behind XG, The only way I can download the new builds is to disable HTTP and HTTPS scanning. When I go into the logs XG does not show anything blocked. What do I have to do to fix this so I don't have to DISABLE HTTP scanning?

    Thanks