
Streaming Services Blocked

"Reopening" this thread since it is an ongoing issue. As others have already experienced, I'm running into the same streaming issues. Netflix, PluralSite, and other streaming services won't work on AppleTV, Wii, Samsung Smart TVs, Apple iPad, and Apple iPhones but do through a web browser. Also, audio streams won't stream properly (constantly restart) and PlayStation updates won't download properly (get 175% download messages before throwing an error). Lastly, I cannot log in to some banking websites and have difficulties with content downloading on other reputable sites.

So, as others have, I created a profile which filters based off of MAC address and has malware scanning and web scanning turned off - so essentially everything that you want in a modern security appliance turned off. Most of the systems began to work, but Netflix on the Wii still does not work (streams get to 100% but never start). I also tried the Netflix filters used on the UTM, but as others have experienced, this does not work on the XG.

Also, as others have experienced, no useful log files are created as to what is getting blocked; either Malware or web filtering of any type kills any stream (even simple filters such as blocking webmail will kill a stream - seems to be an issue with the scan engine itself and nothing to do with the content).

Obviously this is a serious issue that needs to be addressed as I can purchase a $50 firewall from Walmart that will work better than the XG currently is. Don't get me wrong, I'm a Sophos fan, but this has been an ongoing problem for way too long. What's the plan for this to be fixed? My definition of "fixed" is the ability to have malware scanning and web filtering enabled on devices that stream content. It needs to work this way because a large number of devices stream content and disabling malware scanning and/or web filtering is not an option.

Has anyone else had better luck with streaming content on the XG with security enabled? I'd like to move back to the UTM firewall, however streaming doesn't work that well on that platform either. 



  • I think you are mistaken if you think your $50 box is scanning your streaming video. To scan a continuous scan is not really possible as there is no start and no end, and it usually doesn't contain executable code. If you want to scan streaming stuff you would have to download it, store it and then scan it, then view it. What size chunks of video do you want to handle? Very jittery.
  • This sounds very much like the issues that used to be in UTM 9.2+

    This was the workaround

    www.sophos.com/.../121646.aspx
  • The point I was making is that a $50 firewall handles streaming content better than the XG in its current state. The XG should be able to handle any streaming content without needing to shut down malware or web filtering capabilities. Also, it should handle it without needing to add exceptions. There are other major firewall vendors that handle streaming data just fine without needing to create special rules or turn off security engines in order for that type of data to flow. Also, because the XG forces you to turn off any "next gen" capabilities in order to stream data, it's no better than a standard $50 firewall.
  • Thanks TimGrantham for including the link. I did know about this workaround and tried it on the XG, which didn't work. But the deeper question is why you would even need to add such an exception. Streaming data is very common and shouldn't require a workaround. As well, adding these exceptions to a device then opens that device up to other vulnerabilities. For example, an iPad could have that exception but then is open to malware with other apps, and no web filtering would be enabled. This is not a good solution for an enterprise-level, next gen firewall.
  • I have the same problem. Streaming over the UTM works very well, but in the XG OS it does not. There is no information in the log.
  • I have been streaming the ABC iview and ABC FM through the XG to my MacBook Pro without any issues. My link is 5/1 approx, more like 4.5/800k most days. I can also view Facebook stuff that people send me on my iPad without any stuttering or pauses.
    I have by pass the check rule enabled for streaming which also works in the UTM. The rest of the web traffic follows the policy settings. I have scan realtime enabled and audio and video scanning disabled.
  • Stephen,

    That's a very good question, the only thing I can think of is the way that the AntiVirus scanner is working causes interference to the AppleCoreMedia protocol - for example, ACM will be requesting the data in segments (IIRC), the AV scanner will see this as downloaded files and try to scan it, which will cause a delay and cause the iPad, AppleTV etc to fail streaming.

    There is also an issue with streaming to mobile devices MP4 video, and I've found that I've needed to add another exception.

    This will only affect antivirus scanning, the rest of the functions that the firewall provides are unaffected.

    Also keep in mind that these $50 firewalls are normally just a NAT based firewall, they don't have any IPS, UDP&TCP flood protection, anti-portscan etc.

    For the time being, I've rolled back to a UTM 9.x based solution at home. XG just had too many inconsistencies for me to warrant it as a viable solution. I have no doubt that in the future it will be a great product, just not at this current moment in time, and I suspect that once they have released the migration tool from UTM 9 to XG, we will see this as a good product.

    I don't even think that XG is EAL 4+ yet, whereas UTM 9 is - for me, selling this product hasn't been viable as most businesses I recommend this product to have a requirement for it to be EAL 4+.
  • I found the problem. You must stop the IPS under "service"; then the streaming services are OK.
  • Interesting, I have the IPS set up for WAN to LAN, but if you read the help it should be LAN to WAN, which to me is the wrong way around. Why would you be checking traffic flowing from the LAN to WAN to protect the LAN objects, when you should be protecting the LAN objects by scanning traffic flowing from WAN to LAN?
  • Ian - I've wondered the same thing. I've tried both directions, however any streaming content doesn't work with IPS enabled and/or web filtering enabled. I would assume that the setting would be WAN to LAN - I'd be interested to know how the protection works when set to LAN to WAN.