
XG Firewall and Netflix

I have recently changed my home network from an SG VM to an XG VM running on ESXi.

I am getting errors when running Netflix via Apple TV.

To try to get around this, I created a new firewall policy as follows:

  • Rule Name: Bypass Web
  • Source Zones: LAN
  • Source Networks and Devices: Bypass MACs (a MAC list with my ATVs in it)
  • Destination Zones: WAN
  • Destination Network: Any
  • Services: Any
  • Match known users: Unchecked
  • All Malware Scanning: Unchecked
  • Advanced:
    • Intrusion Prevention: None
    • Traffic Shaping Policy: None
    • Web Policy: None
    • Application Control: None
    • Apply Web Category based Traffic Shaping Policy: Unchecked
    • Apply Application based Traffic Shaping Policy: Unchecked
    • Rewrite source address (Masquerading): Checked

Even in the firewall log I get all green:

What am I doing wrong?

Thanks



  • Thanks Rap,

    So I created a clientless user as per your KB, thank you. It was in a different place than in the KB:

    Configure --> Authentication --> Clientless Users

    I created it as Apple TV - Username ATV - IP address 192.168.1.111 - Clientless Open Group - Traffic Shaping: High Guarantee User - Quarantine Digest: Disable

    I then created a User/Network Rule:

    Position: Top (as I am pretty sure the XG reads top to bottom)

    Source Zone: LAN

    Source Network: Home (192.168.1.0/24)

    Destination Zones: WAN

    Destination Networks and Services: Any

    Identity: Match Known Users with "ATV" listed as a user or group

    All Malware Scanning: unchecked

    All Advanced options set to "None", with only NAT & Routing: Rewrite source address checked

    Log Firewall Traffic: Checked

    Does that look correct to you? If so, I will give it a try.

    Thanks!

  • Hi Daniel,

    Kindly edit the destination network. Your current setting is "Any", so it seems all outbound traffic will pass through this rule and supersede the firewall policies below it.

    Hence, put the IP address of Netflix, or an FQDN, in the destination network instead of Any.

    Let us know how it goes.

    Regards

    Rap
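    As an added illustration of Rap's point about rule ordering (this is example code, not the poster's configuration and not anything from Sophos), the script below evaluates a two-rule LAN-to-WAN table top to bottom, first-match wins, and compares a bypass rule whose destination is "Any" with the same rule restricted to a host group. The rule names and the "ATV" identity come from the thread; the laptop address, the 203.0.113.0/24 stand-in for the resolved Netflix host group and the 198.51.100.0/24 "unrelated site" are constructed documentation ranges, not real Netflix addresses.

    ```python
    import ipaddress

    # Added example, not the poster's configuration or Sophos code: a first-match
    # evaluator for a LAN -> WAN rule table. It shows why a bypass rule whose
    # destination is "Any" swallows every flow from the bypassed identity, while
    # the same rule restricted to a host group lets everything else fall through
    # to the filtered rule underneath it. Addresses and names are constructed.

    LAN = ipaddress.ip_network("192.168.1.0/24")
    # Stand-in for the FQDN host group once resolved (documentation range, not Netflix).
    NETFLIX_GROUP = [ipaddress.ip_network("203.0.113.0/24")]


    def make_rules(bypass_destination):
        """Two rules, top to bottom: the identity-matched bypass, then the default
        filtered rule for everyone on the LAN. bypass_destination is None for
        "Any" or a list of networks for a host group."""
        return [
            {"name": "Bypass Web", "src": LAN, "dst": bypass_destination,
             "user": "ATV", "web_policy": "None"},
            {"name": "Default Web", "src": LAN, "dst": None,
             "user": None, "web_policy": "Default Policy"},
        ]


    def first_match(rules, src, dst, user=None):
        """Return the first rule whose source, destination and identity all match,
        mirroring top-to-bottom evaluation. None means nothing matched."""
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        for rule in rules:
            if src_ip not in rule["src"]:
                continue
            if rule["dst"] is not None and not any(dst_ip in net for net in rule["dst"]):
                continue
            if rule["user"] is not None and rule["user"] != user:
                continue
            return rule
        return None


    # Constructed flows: the Apple TV (clientless user "ATV") and a laptop with no
    # identity, each talking to a "Netflix" address and to an unrelated site.
    FLOWS = {
        "atv->netflix":    ("192.168.1.111", "203.0.113.10", "ATV"),
        "atv->other":      ("192.168.1.111", "198.51.100.20", "ATV"),
        "laptop->netflix": ("192.168.1.50", "203.0.113.10", None),
        "laptop->other":   ("192.168.1.50", "198.51.100.20", None),
    }


    def web_policy_per_flow(bypass_destination):
        """Map each flow to the web policy it receives under a rule table whose
        bypass rule has the given destination ("None" means web filtering is bypassed)."""
        rules = make_rules(bypass_destination)
        result = {}
        for label, (src, dst, user) in FLOWS.items():
            rule = first_match(rules, src, dst, user)
            result[label] = rule["web_policy"] if rule else "no match"
        return result


    if __name__ == "__main__":
        print("bypass destination = Any:       ", web_policy_per_flow(None))
        print("bypass destination = host group:", web_policy_per_flow(NETFLIX_GROUP))
    ```

    With the destination left at "Any", every flow from the ATV identity lands on the bypass rule, including its traffic to sites that have nothing to do with Netflix; with the host group as destination, only the ATV's Netflix traffic is bypassed and its other traffic drops through to the default filtered rule. The laptop is unaffected either way because the identity match excludes it.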

  • Hi Rap,

    Thanks for the pickup, but Netflix uses multiple IPs and multiple FQDNs, so how did you achieve this? I am unsure how I can put one single IP address in there.

  • When you configure an FQDN, XG will automatically resolve all IPs associated with Netflix. Give it a try and let us know how it goes.

    Regards

    Rap

  • OK, thanks; a quick Google search found:

    1. netflix.com
    2. nflximg.com
    3. nflximg.net
    4. llnwd.net

    So I added those 4 under System --> FQDN Host.

    Then I created a host group called Netflix Host Group.

    Then I added that host group under Destination Networks.

    I will give this a try shortly.

    Thanks

  • Rap, it looks like all of your suggestions helped!

    The rule is working perfectly!!!

    Thanks so much!

    I should also make note of one unrelated matter for anybody starting out:

    Protect --> Intrusion Prevention --> DOS & Spoof Protection --> DOS Settings --> TCP Flood absolutely kills my connection. I go from 96/38 Mb to 1/1 Mb.

  • Hi all,

    I have updated the Netflix list, and also check for dropped packets, if any, via the command:

    console drop 'host <Src Address>'

    ^https?://([A-Za-z0-9.-]*\.)?ne?t?fli?x(img|ext|video)?\.(com|net)/
    ^http?://[A-Za-z0-9.-]*netflix.com/
    ^http?://[A-Za-z0-9.-]*nflximg.com/
    ^https?://([A-Za-z0-9.-]*\.)?nflximg\.com\.?/
    ^https?://([A-Za-z0-9.-]*\.)?nflxvideo\.net\.?/
    ^https?://([A-Za-z0-9.-]*\.)?netflix\.com/
    ^http?://([A-Za-z0-9.-]*\.)?netflix-*.vo.llnwd.net/.*
    ^https?://secure\.netflix\.com/*
    ^https?://uiboot\.netflix\.com/*
    ^http?://23.246.[0-63].*
    ^http?://37.77.1(8[4-9])|(9[0-1])].*
    ^http?://45.57.([0-1][0-1][0-9])|(12[0-7]).*
    ^http?://64.120.(12[8-9])|(1[3-9][0-9])|(2[0-4][0-9])|(25[0-5]).*
    ^http?://66.197.(12[8-9])|(1[3-9][0-9])|(2[0-4][0-9])|(25[0-5]).*
    ^http?://108.175.(3[2-5,8,9])|(4[0-4,6,7]).*
    ^http?://185.2.22[0-3].*
    ^http?://185.9.(188)|(19[0-1]).*
    ^http?://192.173.(6[4-9])|([7-9][0-9])|(10[0-9])|(11[0-7]).*
    ^http?://198.38.(9[6-9])|(10[2-3,8-9])|(11[0-9])|(12[0-5]).*
    ^http?://198.45.(4[8-9])|(5[2-8])|(6[1-3]).*

  • Hi, please make sure that you post that list with correct syntax. I know that it has been corrected in the KB article https://community.sophos.com/kb/en-us/125061 after I had problems with it earlier.

    For example, I had unexpected results with the regex

    ^http?://198.45.(4[8-9])|(5[2-8])|(6[1-3]).*

    and it was fixed by correcting the syntax to

    ^198\.45\.(4[8-9]|5[2-8]|6[1-3])\.*

     correctly identified the issue with the regex and the problem I was having and fixed the KB article.

    Also, on a side note, I understand people using regex to bypass traffic for their phones/tablets and computers, but it makes more sense to me to completely bypass web filtering in firewall rules on pure streaming devices like Roku, Amazon Fire, or Apple TV, etc.
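    The regex problem above is worth seeing concretely, because an exception list is a bypass of web filtering and a pattern that matches too much silently widens that bypass. The script below is an added example, not from the thread or the KB article: it splits the posted pattern into the alternatives a regex engine actually sees, then runs the posted pattern and a regrouped one over a handful of constructed URLs. The regrouped pattern is the example's own (it keeps the scheme so the same sample strings serve both patterns; the KB's corrected form, quoted above, omits it). It assumes the filter applies exception regexes with search semantics, unanchored unless the pattern starts with `^`, against the full URL.

    ```python
    import re

    # Added example, not from the thread or the Sophos KB. Assumes search
    # semantics (unanchored unless the pattern starts with ^) against the full
    # URL, which is why the constructed samples below carry a scheme.

    # The pattern exactly as posted in the thread.
    POSTED = r"^http?://198.45.(4[8-9])|(5[2-8])|(6[1-3]).*"

    # The same third-octet ranges with the alternation moved inside the group,
    # the dots escaped, and the scheme written so that https also matches.
    # This regrouping is the example's own, not text from the KB article.
    GROUPED = r"^https?://198\.45\.(4[8-9]|5[2-8]|6[1-3])\."

    # Constructed URLs: three inside the intended ranges, four that should not match.
    SAMPLE_URLS = [
        "http://198.45.48.10/video",        # in range, http
        "https://198.45.52.7/segment",      # in range, https
        "https://198.45.49.3/stream",       # in range, https
        "http://198.45.99.1/",              # 198.45.x, but outside the listed third octets
        "http://example.com/page?id=52",    # unrelated host; the path happens to contain "52"
        "http://10.61.0.5/login",           # unrelated host; the address happens to contain "61"
        "http://198x45x48.evil.example/",   # dots replaced by other characters
    ]


    def top_level_alternatives(pattern):
        """Split a regex on the '|' characters that sit outside any parentheses,
        i.e. the alternatives the engine treats as whole-pattern choices.
        Simplified: it honours backslash escapes but not '|' inside [...]."""
        parts, current, depth, escaped = [], [], 0, False
        for ch in pattern:
            if escaped:
                current.append(ch)
                escaped = False
                continue
            if ch == "\\":
                escaped = True
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "|" and depth == 0:
                parts.append("".join(current))
                current = []
                continue
            current.append(ch)
        parts.append("".join(current))
        return parts


    def matching_urls(pattern, urls):
        """URLs the pattern would except from filtering under search semantics."""
        rx = re.compile(pattern)
        return [u for u in urls if rx.search(u)]


    def compare(pattern_a, pattern_b, urls):
        """Return (matched only by pattern_a, matched only by pattern_b), sorted."""
        a = set(matching_urls(pattern_a, urls))
        b = set(matching_urls(pattern_b, urls))
        return sorted(a - b), sorted(b - a)


    if __name__ == "__main__":
        print("posted pattern really means one of:", top_level_alternatives(POSTED))
        only_posted, only_grouped = compare(POSTED, GROUPED, SAMPLE_URLS)
        print("bypassed by the posted pattern but not the grouped one:", only_posted)
        print("bypassed by the grouped pattern but not the posted one:", only_grouped)
    ```

    The split makes the defect visible: a `|` outside parentheses divides the whole pattern, so `(5[2-8])` and `(6[1-3])` become independent alternatives that match any URL containing 52 to 58 or 61 to 63 anywhere, and the unescaped dots let `198x45x48` pass as `198.45.48`. In the other direction, `http?` matches `htt` or `http` but never `https`, so an in-range https URL is missed unless a stray alternative happens to catch it. Running a check like this over a few known-good and known-bad URLs before loading a list into the web exceptions is a cheap way to catch both kinds of error.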

     

  • It is hard for us to test with all the different streaming services, on all device types, in all versions of their products.

    For example, Netflix using IPs rather than hostnames, or downloading using range requests with no MIME type.

    However, specifically with Netflix, and with the devices I've tested with and heard about, the items in the KB article are the only ones that are required. You may choose to do more, but AFAIK they are not required (there is a difference between excluding all Netflix, excluding the failing video streams, or excluding the entire device). If anyone is finding different, please let me know.

    Note: I have no expert knowledge in this, but I've heard that "smart devices" such as TVs and refrigerators are increasingly targets for hacking due to low security and the ability to hide. Hacked devices can be used for spying or, more commonly, botnets (do your own Google searches for this). I am personally not a proponent of excluding the entire device from the firewall. You have no idea if the next variant of WannaCry will enter your network through a TV and, once there, spread through OS vulnerabilities.

  • Haha, we are back to the chicken-and-egg problem. Devices want to connect to the cloud and we don't trust the cloud (an oversimplification of the problem). I am not saying don't firewall the devices or disable any of the other NGFW protections, but URL filtering brings nothing but headaches to any of the streaming devices. I didn't think of smart TVs because all my TVs are used as dumb devices, but your point on smart TVs is taken. I do filter other IoT like my Nest thermostat (not that I don't trust Google).

    On an unrelated note, I noticed that all the other vendors touted their protection for WannaCry pretty soon after it was discovered; however, Sophos never made any claims of such protection, although IPS/AV signatures were updated to mitigate such traffic. The community board instead had warnings to patch the OS. Usually the marketing department never passes up an opportunity to brag.

    P.S. Regarding my comments above on regex, I was recommending tightening the list, not expanding it.