
Sophos XG Firewall Home Edition Netflix

I installed Sophos XG about 3 weeks back. Until last Thursday I had no problems with the device. I haven't had a chance to dive in and tweak it to better protect my home network, but that is for a different discussion. Right now my problem is the inability to use Netflix. It started Thursday night and I just assumed it was the internet or Netflix having issues, so I just went to bed. Friday it was giving me the same error. It will log in to Netflix (on any of my TVs, Xboxes, Blu-ray players, etc.) with no issues, but when you click play it says it cannot play this title right now. If I plug in my cheap Belkin router everything works great.

Please remember I am new to the Sophos interface and am still learning. Is there a way I can exclude Netflix traffic from any sort of filtering? I usually consider myself pretty good with technology, but the way Sophos is set up I can't find the correct place to put an exclusion.

Any help is greatly appreciated.



  • Depends on how you have your XG configured...

    If you have HTTP filtering, AV scanning, and Decrypt & Scan HTTPS turned ON, Netflix will generally freak out on any device other than a PC... and even on the PC, it will freak out if you don't have the XG's certificate installed. Known issue. Fix pending. We'll see how well it works, because quite frankly, you may still have a certificate policy on the set-top boxes... but we'll see.

    The best way to handle it right now is exclude the device from any filtering. This is *generally* ok, as we're talking about set-top boxes that really don't need to be subject to HTTP/HTTPS filtering.

    Per Sophos staff, you can also set up an FQDN-based policy exception, but I haven't tried that, and it doesn't address some of the way Netflix works its magic.

    This is NEARLY guaranteed to work... and is something I suggested to others previously:

    1) Create a clientless users group
    Objects > Identity > Groups
    Add.
    Enter a group name.
    Group Type: Clientless
    Quarantine Digest: Disable
    Save.

    2) Create Clientless users for each exempt device.
    Objects > Identity > Clientless Users
    Add (or add range, if they are in a specific range)
    Enter a username - something descriptive for the device (ex: ccamp-iphone)
    IP Address: the internal ip address
    Group: The clientless group you created in step 1
    Name: Some name. Descriptive. "My iPhone"
    Email: fake an email address. Next version won't require this.
    Description: More useless description info. Not required.

    Click the plus sign if you need to add additional devices.

    Click save.

    3) Create security policy
    Security Policies
    Click on your HTTPS filter rule, click the plus sign, click "Above (User/Network Rule)"
    About this rule---
    Name: Allow Clientless to Bypass Filter
    Identity---
    Match Rule based on user identity: On
    User or Groups: Clientless Group created in step 1
    Source---
    Zone: LAN
    Networks: Any
    Services: HTTP, HTTPS, others if you need them, but these suffice for this walkthrough
    Destination---
    Zone: WAN
    Networks: Any
    Malware Scanning---
    Scan FTP OFF
    Scan HTTP OFF
    Decrypt & Scan HTTPS OFF

    Save.

    This bypasses the specific clientless devices you created from the web filter entirely. This is actually a reasonably good solution - and may be the "best" solution for Roku/Apple TV/Chromecast and other fixed devices that do not regularly leave your network.

    This is NOT the best solution for mobile devices, but it will work. The best solution for mobile devices would be to either FIX the damned web filter (Sophos is working on it) or create a separate wireless network for them.
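The three steps above hinge on two things a practitioner should verify: the bypass rule must sit above the decrypting rule (XG stops at the first match), and the clientless identity is only an IP address, so the bypass follows whoever holds that address. The following is an added example, not Sophos code or the poster's: a small model of first-match policy evaluation over the rules from step 3, with constructed IPs and rule names, that flags which exempt devices would still be decrypted if the rule order were wrong.

```python
"""Added example, not Sophos code: a model of XG's first-match policy
evaluation, used to check that the clientless bypass rule is ordered
and scoped correctly. All IPs and rule names are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Steps 1-2: clientless users are plain IP-to-identity mappings, so the
# bypass follows the address, not the device. Give these hosts DHCP reservations.
CLIENTLESS_GROUP: FrozenSet[str] = frozenset({"192.168.1.50", "192.168.1.51"})

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    services: FrozenSet[str]
    decrypt_https: bool                        # "Decrypt & Scan HTTPS"
    identity: Optional[FrozenSet[str]] = None  # None = no user/group match

WEB = frozenset({"HTTP", "HTTPS"})
# Step 3: the bypass rule, scanning off, identity limited to the clientless group.
BYPASS = Rule("Allow Clientless to Bypass Filter", "LAN", "WAN", WEB, False, CLIENTLESS_GROUP)
# The pre-existing rule that decrypts everyone else's HTTPS (constructed name).
FILTER = Rule("LAN web filter (Decrypt & Scan)", "LAN", "WAN", WEB, True)

def first_match(rules: List[Rule], src_ip: str, src_zone: str,
                dst_zone: str, service: str) -> Optional[Rule]:
    """Evaluate top-down and stop at the first rule that matches."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone) or service not in r.services:
            continue
        if r.identity is not None and src_ip not in r.identity:
            continue
        return r
    return None  # nothing matched: implicit drop

def https_is_decrypted(rules: List[Rule], src_ip: str) -> bool:
    r = first_match(rules, src_ip, "LAN", "WAN", "HTTPS")
    return r is not None and r.decrypt_https

def shadowed_bypass_hosts(rules: List[Rule]) -> List[str]:
    """Clientless IPs whose HTTPS is still decrypted: the bypass rule sits
    below a broader rule and never fires for them."""
    return sorted(ip for ip in CLIENTLESS_GROUP if https_is_decrypted(rules, ip))

if __name__ == "__main__":
    good, bad = [BYPASS, FILTER], [FILTER, BYPASS]
    print("bypass above filter, shadowed:", shadowed_bypass_hosts(good))   # []
    print("bypass below filter, shadowed:", shadowed_bypass_hosts(bad))    # both IPs
    print("other LAN host still decrypted:", https_is_decrypted(good, "192.168.1.99"))  # True
```

Run with the two orderings to see the bypass only take effect when it is placed above the filter rule, while the rest of the LAN keeps being decrypted either way.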