
XG Firewall and Netflix

I have recently changed my home network from an SG VM to an XG VM running on ESXi.

I am getting errors when running Netflix via Apple TV.

To try to get around this, I created a new firewall policy as follows:

  • Rule Name: Bypass Web
  • Source Zones: LAN
  • Source Networks and Devices: Bypass MAC's (with a MAC List with my ATVs in there)
  • Destination Zones: WAN
  • Destination Network: Any
  • Services: Any
  • Match known users: Unchecked
  • All Malware Scanning: Unchecked
  • Advanced:
    • Intrusion Prevention: None
    • Traffic Shaping Policy: None
    • Web Policy: None
    • Application Control: None
    • Apply Web Category based Traffic Shaping Policy: Unchecked
    • Apply Application based Traffic Shaping Policy: Unchecked
    • Rewrite source address (Masquerading): Checked

Even in the firewall log I get all green:

What am I doing wrong?

Thanks



  • Please refer to this KB on creating clientless users: https://community.sophos.com/kb/en-us/123039

    Let us know how it goes.

    Regards

    Rap

  • Thanks Rap,

    So I created a clientless user as per your KB, thank you. It was in a different place than in the KB:

    Configure --> Authentication --> Clientless Users

    I created it as Apple TV - Username ATV - IP address 192.168.1.111 - Clientless Open Group - Traffic Shaping: High Guarantee User - Quarantine Digest: Disable

    I then created a User/Network Rule:

    Position: Top (as I am pretty sure the XG reads top to bottom)

    Source Zone: LAN

    Source Network: Home (192.168.1.0/24)

    Destination Zones: WAN

    Destination Networks and Services: Any

    Identity - Match Known users with "ATV" listed as a user or group

    All Malware scanning unchecked

    All advanced set to "none" with only NAT & Routing as Rewrite Source address

    Log Firewall Traffic: Checked

    Does that look correct to you? If so, I will give it a try.

    Thanks!

  • Hi Daniel,

    Kindly edit the destination network. Your current setting is "Any"; it seems all outbound traffic will pass through this rule and supersede the firewall policies below it.

    Hence, put the IP address or FQDN of Netflix in the destination network instead of "Any".

    Let us know how it goes.

    Regards

    Rap

  • Hi Rap,

    Thanks for the pickup, but Netflix uses multiple IPs and multiple FQDNs, so how did you achieve this? I am unsure how I can put one single IP address in there.

  • When you configure an FQDN, XG would automatically resolve all IPs that are associated with Netflix. Give it a try and let us know how it goes.

    Regards

    Rap

  • OK, thanks; a quick Google search found:

    1. netflix.com
    2. nflximg.com
    3. nflximg.net
    4. llnwd.net

    So I added those 4 under System --> FQDN Host.

    Then I created a Host Group called Netflix Host Group.

    Then I added that host group under Destination Networks.

    I will give this a try shortly.

    Thanks

  • Rap, it looks like all of your suggestions helped!

    The rule is working perfectly!!!

    Thanks so much!

    I should also make a note of one unrelated matter for anybody starting out:

    Protect --> Intrusion Prevention --> DOS & Spoof Protection --> DOS Settings --> TCP Flood absolutely kills my connection. I go from 96/38mb to 1/1mb.

  • Hi All,

    I have updated the Netflix list and also checked for dropped packets, if any, via the command:

    console drop 'host <Src Address>'

    ^https?://([A-Za-z0-9.-]*\.)?ne?t?fli?x(img|ext|video)?\.(com|net)/
    ^http?://[A-Za-z0-9.-]*netflix.com/
    ^http?://[A-Za-z0-9.-]*nflximg.com/
    ^https?://([A-Za-z0-9.-]*\.)?nflximg\.com\.?/
    ^https?://([A-Za-z0-9.-]*\.)?nflxvideo\.net\.?/
    ^https?://([A-Za-z0-9.-]*\.)?netflix\.com/
    ^http?://([A-Za-z0-9.-]*\.)?netflix-*.vo.llnwd.net/.*
    ^https?://secure\.netflix\.com/*
    ^https?://uiboot\.netflix\.com/*
    ^http?://23.246.[0-63].*
    ^http?://37.77.1(8[4-9])|(9[0-1])].*
    ^http?://45.57.([0-1][0-1][0-9])|(12[0-7]).*
    ^http?://64.120.(12[8-9])|(1[3-9][0-9])|(2[0-4][0-9])|(25[0-5]).*
    ^http?://66.197.(12[8-9])|(1[3-9][0-9])|(2[0-4][0-9])|(25[0-5]).*
    ^http?://108.175.(3[2-5,8,9])|(4[0-4,6,7]).*
    ^http?://185.2.22[0-3].*
    ^http?://185.9.(188)|(19[0-1]).*
    ^http?://192.173.(6[4-9])|([7-9][0-9])|(10[0-9])|(11[0-7]).*
    ^http?://198.38.(9[6-9])|(10[2-3,8-9])|(11[0-9])|(12[0-5]).*
    ^http?://198.45.(4[8-9])|(5[2-8])|(6[1-3]).*

  • Hi, please make sure that you post that list with the correct syntax. I know that it has been corrected in the KB article https://community.sophos.com/kb/en-us/125061 after I had problems with it earlier.

    For example, I had unexpected results with the regex

    ^http?://198.45.(4[8-9])|(5[2-8])|(6[1-3]).*

    and it was fixed by correcting the syntax to

    ^198\.45\.(4[8-9]|5[2-8]|6[1-3])\.*

     correctly identified the issue with the regex and the problem I was having and fixed the KB article.

  • Also, on a side note, I understand people using regex to bypass traffic for their phones/tablets and computers, but it makes more sense to me to completely bypass web filtering in firewall rules on pure streaming devices like Roku, Amazon Fire, or Apple TV, etc.
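The last two replies are about why the posted regex list misbehaves. The Python below is an added illustration for this thread, not Sophos code and not something a poster ran: it takes two entries quoted above (`^http?://198.45.(4[8-9])|(5[2-8])|(6[1-3]).*` and its corrected form) plus the `^http?://23.246.[0-63].*` entry, and runs them against constructed URLs. It assumes the web exception list is evaluated as ordinary regexes with search semantics, that the corrected, host-anchored entry is compared against the host part of the URL, and that the `23.246.[0-63]` entry was meant to express the prefix 23.246.0.0/18 (inferred from the pattern, not stated in the thread). The point it shows: an unparenthesised `|` makes `^` apply only to the first branch, so `(5[2-8])` matches any URL containing "52" and silently widens the bypass to unrelated sites, while `[0-63]` is a character class, not a numeric range.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Patterns quoted in the thread. POSTED_198_45 is the entry from the shared list,
# FIXED_198_45 is the corrected form quoted in the last reply.
POSTED_198_45 = r"^http?://198.45.(4[8-9])|(5[2-8])|(6[1-3]).*"
FIXED_198_45 = r"^198\.45\.(4[8-9]|5[2-8]|6[1-3])\.*"
POSTED_23_246 = r"^http?://23.246.[0-63].*"

# Constructed sample URLs (not from the thread).
SAMPLES = {
    "netflix_cdn": "http://198.45.52.10/range/12345",
    "unrelated_path_with_52": "http://example.com/report52.html",
    "other_198_45": "http://198.45.99.1/",
    "cdn_23_246_inside": "http://23.246.7.1/",    # third octet 7, inside 0-63
    "cdn_23_246_outside": "http://23.246.64.1/",  # third octet 64, outside 0-63
}


def top_level_branches(pattern: str) -> list:
    """Split a pattern on '|' outside parentheses. This is how the engine reads an
    unparenthesised alternation: '^' belongs to the first branch only."""
    branches, depth, cur = [], 0, ""
    for ch in pattern:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "|" and depth == 0:
            branches.append(cur)
            cur = ""
        else:
            cur += ch
    branches.append(cur)
    return branches


def posted_matches(pattern: str, url: str) -> bool:
    """Search semantics: any branch matching anywhere in the URL counts
    (assumption: the XG exception list behaves the same way)."""
    return re.search(pattern, url) is not None


def fixed_matches(url: str) -> bool:
    """The corrected entry is anchored on the host, so apply it to the host part."""
    host = urlsplit(url).hostname or ""
    return re.match(FIXED_198_45, host) is not None


def in_cidr(url: str, cidr: str) -> bool:
    """What the 23.246.[0-63] entry was trying to express: a prefix test.
    Non-IP hosts (FQDNs) simply do not match."""
    host = urlsplit(url).hostname or ""
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(cidr)
    except ValueError:
        return False


def report() -> dict:
    """Evaluate every sample URL against each form of the entries."""
    return {
        "branches": top_level_branches(POSTED_198_45),
        "posted": {k: posted_matches(POSTED_198_45, u) for k, u in SAMPLES.items()},
        "fixed": {k: fixed_matches(u) for k, u in SAMPLES.items()},
        "posted_23_246": {k: posted_matches(POSTED_23_246, u) for k, u in SAMPLES.items()},
        "cidr_23_246": {k: in_cidr(u, "23.246.0.0/18") for k, u in SAMPLES.items()},
    }


if __name__ == "__main__":
    for section, rows in report().items():
        print(section, rows)
```

Running it shows the posted 198.45 entry matching `http://example.com/report52.html` (the "52" in the path satisfies the second branch), while the corrected entry matches only hosts in the listed 198.45 ranges. The `[0-63]` entry matches 23.246.64.1 (the leading "6" is in the class) but not 23.246.7.1; the CIDR test gets both right, which is why the thread's advice to use IP or FQDN host objects rather than regexes for address ranges is the safer configuration.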