
XG Firewall and Netflix

I have recently changed my home network from a SG VM to XG VM running on ESXi


I am getting errors when running Netflix via Apple TV


To try get around this, I created a new firewall policy as follows:

  • Rule Name: Bypass Web
  • Source Zones: LAN
  • Source Networks and Devices: Bypass MAC's (with a MAC List with my ATV's in there)
  • Destination Zones: WAN
  • Destination Network: Any
  • Services: Any
  • Match known users: Unchecked
  • All Malware Scanning: Unchecked
  • Advanced:
    • Intrusion Prevention: None
    • Traffic Shaping Policy: None
    • Web Policy: None
    • Application Control: None
    • Apply Web Category based Traffic Shaping Policy: Unchecked
    • Apply Application based Traffic Shaping Policy: Unchecked
    • Rewrite source address (Masquerading): Checked

Even in the firewall log I get all green:


What am I doing wrong?


Thanks



  • When you configure an FQDN, XG automatically resolves all the IPs associated with Netflix. Give it a try and let us know how it goes.

    Regards

    rap

  • OK, thanks; a quick Google search found:

    1. netflix.com
    2. nflximg.com
    3. nflximg.net
    4. llnwd.net

    So I added those 4 under System --> FQDN Host


    Then I created a host group called Netflix Host Group.


    Then added that host group under Destination Networks.


    I will give this a try shortly.


    Thanks

  • Rap, it looks like all of your suggestions helped!

    The rule is working perfectly!!! 


    Thanks so much!


    I should also make note of one unrelated matter for anybody starting out:

    Protect --> Intrusion Prevention --> DOS & Spoof Protection --> DOS Settings --> TCP Flood absolutely kills my connection. I go from 96/38mb to 1/1mb.


  • Hi all,

    I have updated the Netflix list and also checked for dropped packets, if any, via the command:

    console drop 'host <Src Address>'

    ^https?://([A-Za-z0-9.-]*\.)?ne?t?fli?x(img|ext|video)?\.(com|net)/
    ^http?://[A-Za-z0-9.-]*netflix.com/
    ^http?://[A-Za-z0-9.-]*nflximg.com/
    ^https?://([A-Za-z0-9.-]*\.)?nflximg\.com\.?/
    ^https?://([A-Za-z0-9.-]*\.)?nflxvideo\.net\.?/
    ^https?://([A-Za-z0-9.-]*\.)?netflix\.com/
    ^http?://([A-Za-z0-9.-]*\.)?netflix-*.vo.llnwd.net/.*
    ^https?://secure\.netflix\.com/*
    ^https?://uiboot\.netflix\.com/*
    ^http?://23.246.[0-63].*
    ^http?://37.77.1(8[4-9])|(9[0-1])].*
    ^http?://45.57.([0-1][0-1][0-9])|(12[0-7]).*
    ^http?://64.120.(12[8-9])|(1[3-9][0-9])|(2[0-4][0-9])|(25[0-5]).*
    ^http?://66.197.(12[8-9])|(1[3-9][0-9])|(2[0-4][0-9])|(25[0-5]).*
    ^http?://108.175.(3[2-5,8,9])|(4[0-4,6,7]).*
    ^http?://185.2.22[0-3].*
    ^http?://185.9.(188)|(19[0-1]).*
    ^http?://192.173.(6[4-9])|([7-9][0-9])|(10[0-9])|(11[0-7]).*
    ^http?://198.38.(9[6-9])|(10[2-3,8-9])|(11[0-9])|(12[0-5]).*
    ^http?://198.45.(4[8-9])|(5[2-8])|(6[1-3]).*

  • Hi, please make sure that you post that list with correct syntax. I know that it has been corrected in the KB article https://community.sophos.com/kb/en-us/125061 after I had problems with it earlier.

    For example, I had unexpected results with the regex

    ^http?://198.45.(4[8-9])|(5[2-8])|(6[1-3]).*

    and it was fixed by correcting the syntax to

    ^198\.45\.(4[8-9]|5[2-8]|6[1-3])\.*

     correctly identified the issue with the regex and the problem I was having and fixed the KB article.

    Also, on a side note, I understand people using regex to bypass traffic for their phones, tablets and computers, but it makes more sense to me to completely bypass web filtering in firewall rules on pure streaming devices like Roku, Amazon Fire or Apple TV.
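    As an added illustration (not from the thread or the KB article), the Python snippet below runs the regex exactly as it appeared in the list posted above against the corrected form from the KB, on a few constructed URLs, so the "unexpected results" are visible. It assumes the patterns are applied as an unanchored search and that the corrected pattern is applied to the host part of the URL.

```python
import re
from urllib.parse import urlsplit

# Pattern exactly as posted earlier in the thread (the "before").
# Two defects: the top-level "|" means "^http?://198.45." binds only to
# the first branch, so "(5[2-8])" and "(6[1-3])" match anywhere in the
# string; and "http?" makes the "p" optional, not the "s" of https.
POSTED = r"^http?://198.45.(4[8-9])|(5[2-8])|(6[1-3]).*"

# Corrected form from the KB article (the "after"): one anchored group,
# escaped dots, scheme removed. Assumption: it is applied to the host.
FIXED = r"^198\.45\.(4[8-9]|5[2-8]|6[1-3])\.*"


def host_of(url: str) -> str:
    """Host portion of a URL (empty string if it has none)."""
    return urlsplit(url).hostname or ""


def posted_matches(url: str) -> bool:
    # Assumption: unanchored search semantics, as in most URL matchers.
    return re.search(POSTED, url) is not None


def fixed_matches(url: str) -> bool:
    return re.search(FIXED, host_of(url)) is not None


def compare(urls):
    """Map each URL to (posted_result, fixed_result) to expose differences."""
    return {u: (posted_matches(u), fixed_matches(u)) for u in urls}


# Constructed sample URLs (not taken from the thread).
SAMPLES = [
    "http://198.45.52.10/video",      # in range: both match, POSTED only via the stray "52" branch
    "https://198.45.48.1/",           # in range over https: POSTED misses it ("http?" is not "https?")
    "http://example.com/page52",      # unrelated site: POSTED matches on the bare "52"
    "http://198x45y61.example.com/",  # unescaped dots and stray "61" branch: POSTED matches
    "http://198.45.70.1/",            # out of range: neither matches
]

if __name__ == "__main__":
    for url, (posted, fixed) in compare(SAMPLES).items():
        print(f"{url:35} posted={posted!s:5} fixed={fixed}")
```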


  • It is hard for us to test with all the different streaming services, on all device types, in all versions of their products.

    For example, Netflix using IPs rather than hostnames, or downloading using range requests with no MIME type.

    However, specifically with Netflix and with the devices I've tested with and heard about, the items in the KB article are the only ones that are required. You may choose to do more, but AFAIK they are not required (there is a difference between excluding all of Netflix, excluding the failing video streams, or excluding the entire device). If anyone is finding otherwise, please let me know.

    Note: I have no expert knowledge in this, but I've heard that "smart devices" such as TVs and refrigerators are increasingly becoming targets for hacking due to low security and the ability to hide. Hacked devices can be used for spying or, more commonly, botnets (do your own Google searches for this). I am personally not a proponent of excluding the entire device from the firewall. You have no idea if the next variant of WannaCry will enter your network through a TV and, once there, spread through OS vulnerabilities.

  • Haha, we are back to the chicken-and-egg problem. Devices want to connect to the cloud and we don't trust the cloud (an oversimplification of the problem). I am not saying don't firewall the devices or disable any of the other NGFW protections, but URL filtering brings nothing but headaches to any of the streaming devices. I didn't think of smart TVs because all my TVs are used as dumb devices, but your point on smart TVs is taken. I do filter other IoT like my Nest thermostat (not that I don't trust Google).

    On an unrelated note, I noticed that all the other vendors touted their protection for WannaCry pretty soon after it was discovered; however, Sophos never made any claims of such protection, although IPS/AV signatures were updated to mitigate such traffic. The community board instead had warnings to patch the OS. Usually the marketing department never passes up an opportunity to brag.

    P.S. Regarding my comments above on regex, I was recommending tightening the list, not expanding it.