
Sophos XG Firewall Home Edition Netflix

I installed Sophos XG about 3 weeks back. Until last Thursday I had no problems with the device. I haven't had a chance to dive in and tweak it to better protect my home network, but that is for a different discussion. Right now my problem is the inability to use Netflix. It started Thursday night and I just assumed it was the internet or Netflix having issues, so I just went to bed. Friday it was giving me the same error. It will log in to Netflix (on any of my TVs, Xboxes, Blu-ray players, etc.) with no issues, but when you click play it says it cannot play this title right now. If I plug in my cheap Belkin router everything works great.

Please remember I am new to the Sophos interface and am still learning. Is there a way I can exclude Netflix traffic from any sort of filtering? I usually consider myself pretty good with technology, but the way Sophos is set up I can't find the correct place to put an exclusion.

Any help is greatly appreciated.



  • Depends on how you have your XG configured...

    If you have HTTP filtering, av scanning, and Decrypt & Scan HTTPS turned ON, Netflix will generally freak out on any device other than a PC... and even on the PC, it will freak out if you don't have the XG's certificate installed. Known issue. Fix pending. We'll see how well it works, because quite frankly, you may still have a certificate policy on the set-top boxes... but we'll see.

    The best way to handle it right now is to exclude the device from any filtering. This is *generally* ok, as we're talking about set-top boxes that really don't need to be subject to HTTP/HTTPS filtering.

    Per Sophos staff, you can also set up an FQDN-based policy exception, but I haven't tried that, and it doesn't address some of the ways Netflix works its magic.

    This is NEARLY guaranteed to work... and is something I suggested to others previously:

    1) Create a clientless users group
    Objects > Identity > Groups
    Add.
    Enter a group name.
    Group Type: Clientless
    Quarantine Digest: Disable
    Save.

    2) Create Clientless users for each exempt device.
    Objects > Identity > Clientless Users
    Add (or add range, if they are in a specific range)
    Enter a username - something descriptive for the device (ex: ccamp-iphone)
    IP Address: the internal ip address
    Group: The clientless group you created in step 1
    Name: Some name. Descriptive. "My iPhone"
    Email: fake an email address. Next version won't require this.
    Description: More useless description info. Not required.

    Click the plus sign if you need to add additional devices.

    Click save.

    3) Create security policy
    Security Policies
    Click on your HTTPS filter rule, click the plus sign, click "Above (User/Network Rule)"
    About this rule---
    Name: Allow Clientless to Bypass Filter
    Identity---
    Match Rule based on user identity: On
    User or Groups: Clientless Group created in step 1
    Source---
    Zone: LAN
    Networks: Any
    Services: HTTP, HTTPS, others if you need them, but these suffice for this walkthrough
    Destination---
    Zone: WAN
    Networks: Any
    Malware Scanning---
    Scan FTP OFF
    Scan HTTP OFF
    Decrypt & Scan HTTPS OFF

    Save.

    This bypasses the specific clientless devices you created from the web filter entirely. This is actually a reasonably good solution, and may be the "best" solution for Roku/Apple TV/Chromecast and other fixed devices that do not regularly leave your network.

    This is NOT the best solution for mobile devices, but it will work. The best solution for mobile devices would be to either FIX the damned web filter (Sophos is working on it) or create a separate wireless network for them.
  • Thanks a lot for the information, I will try it in other projects that I have rather than in Clínica Dental Murcia. Lovely!

  • Thanks, the linked article worked for me. One question: if it blocked Netflix, why didn't that show up, say, in Control Center as a blocked app? If things get blocked, should it show me?

  • I tried this on my Sophos XG v17 box, but several box sets would not play while others would. I'm guessing that the FQDN group may need more values added, perhaps?

    My workaround was to enable my VM Hub 3 Wi-Fi and just connect the TiVo box via Wi-Fi directly to the VM Hub, which sits before my Sophos box and negates any firewall.

  • Following the steps for v17, it does not work.

  • The v17 instructions are newer and less proven.

    Can you provide a screenshot of all parts of the Netflix firewall rule? Is the firewall rule a higher priority than your other web traffic firewall rules?

    If you go to Netflix and then look in the Log Viewer for "Web Content", do you see the traffic to Netflix? If you do, then your firewall rule is not correctly taking effect.

  • I put the Netflix rule at the top, so that it triggered before the general rule. The web log shows direct hits to IPs rather than domains; I wonder if things are different because I'm in Canada? I know Netflix has different content for each country, but I'm not sure how their network infrastructure plays out to assist that. Here's a screenshot of the web log for the Roku device (works if I turn off web filtering, of course):

  • I noticed that the /24 shown above (209.148.214.0/24) is owned by my ISP (Rogers, one of the big three in Canada). I added that IP range to the Netflix rule and things are now working. It appears my ISP is playing a little DNS magic with connections to Netflix.


    Thanks Mike for your guidance.


  • As far as I know (or suspect), Netflix co-locates some gear at different ISPs in order to offload traffic to their backbone. I'm wondering if the ISP fiddles with DNS so that devices accessing Netflix resolve to "local" gear rather than the main Netflix servers.

    Can you check something for me? I want to know if the DNS resolution by your TV/Xbox/whatever is different from the DNS resolution by your XG.

    For example, you have an ADSL modem that is running a DNS server, which resolves up to the DNS by your ISP (Rogers). Your TV etc. use the DNS provided by the ADSL modem, therefore they are getting DNS resolution from Rogers.
    But your XG firewall: is it also resolving to your ADSL modem, or to the Rogers DNS server, or does it resolve to Google or OpenDNS or something?

    If it turns out that your TV and your XG are resolving to different DNS servers, can you, as a test, change it so they resolve to the same place? Remove your extra IP from the FQDN host and see if that allows Netflix to run now that they resolve to the same thing.
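As an added example (not from this thread or from Sophos), a small Python check for the mismatch the last two posts describe: an FQDN host object only matches the addresses the XG itself resolved, so destinations a set-top box reaches through a different resolver (for example the ISP's) fall through to the general web-filter rule. The log lines, the resolved address set and the hypothetical rule names are constructed sample data in a simplified format, not the XG's real log format; the 209.148.214.0/24 block is the one discussed above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in a simplified "src dst dport rule" shape, standing
# in for XG Log Viewer "Web Content" entries; this is not XG's real log format.
SAMPLE_LOG = """\
src=192.168.1.50 dst=209.148.214.33 dport=443 rule=Default-Web
src=192.168.1.50 dst=209.148.214.71 dport=443 rule=Default-Web
src=192.168.1.50 dst=198.51.100.10 dport=443 rule=Netflix-Bypass
src=192.168.1.51 dst=209.148.214.71 dport=443 rule=Default-Web
src=192.168.1.50 dst=203.0.113.5 dport=443 rule=Default-Web
garbage line that should be ignored
"""

# Addresses the XG's own resolver returned for the Netflix FQDN host (constructed).
XG_RESOLVED = {"198.51.100.10", "198.51.100.11"}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) rule=(\S+)")


def parse_log(text):
    """Return (src, dst, dport, rule) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return entries


def uncovered_entries(entries, resolved):
    """Entries whose destination the FQDN host object can never match,
    because the XG never resolved the name to that address."""
    return [e for e in entries if e[1] not in resolved]


def prefixes_by_hits(entries, prefixlen=24):
    """Count uncovered hits per /prefixlen so an IP-range exception can be sized."""
    nets = (str(ipaddress.ip_network(f"{e[1]}/{prefixlen}", strict=False))
            for e in entries)
    return dict(Counter(nets))


if __name__ == "__main__":
    missing = uncovered_entries(parse_log(SAMPLE_LOG), XG_RESOLVED)
    for src, dst, dport, rule in missing:
        print(f"{src} -> {dst}:{dport} hit rule {rule} instead of the FQDN exception")
    print("Candidate ranges for an IP host exception:", prefixes_by_hits(missing))
```

Run it against real Log Viewer output only after adapting LINE_RE to the actual field names; the point is to see which destinations the FQDN host never covered before widening the rule to a whole ISP range.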