
XG Firewall and Netflix

I have recently changed my home network from a SG VM to XG VM running on ESXi

 

I am getting errors when running Netflix via Apple TV

 

To try to get around this, I created a new firewall policy as follows:

  • Rule Name: Bypass Web
  • Source Zones: LAN
  • Source Networks and Devices: Bypass MAC's (with a MAC List with my ATV's in there)
  • Destination Zones: WAN
  • Destination Network: Any
  • Services: Any
  • Match known users: Unchecked
  • All Malware Scanning: Unchecked
  • Advanced:
    • Intrusion Prevention: None
    • Traffic Shaping Policy: None
    • Web Policy: None
    • Application Control: None
    • Apply Web Category based Traffic Shaping Policy: Unchecked
    • Apply Application based Traffic Shaping Policy: Unchecked
    • Rewrite source address (Masquerading): Checked

Even in the firewall log I get all green:

 

What am I doing wrong?

 

Thanks



  • Is it possible that Apple TV "gets" Netflix content differently than say a PC or a Roku or whatever?  After doing all of this I can't get my Apple TV to play Netflix content; only after I add the IP of the Apple TV to a Web Exception for HTTPS/Malware/Policy checks does it work. 

     

    It is frustrating because looking at the live logs I never see anything from the Apple TV being blocked, and yet it clearly does not work.  Hopefully with v17 finding these kinds of things will be much simpler owing to the improved logging we're being promised.

  • I already know that mobile devices and desktop browsers get the content differently.  It is quite possible that Apple TV does something else.

    I don't think v17 logging will help.

    Lower level debugging is required.  Which of course I can do (it's my job) but I'm treading on thin ground with helping publicly.  Even then, it will at best show you additional destinations for the exceptions.

    However I can point at the following KB.  https://community.sophos.com/kb/en-us/123185

  • Hi all,

    I started with the KB article https://community.sophos.com/kb/en-us/125061 and updated some patterns.

    These are the https + AV exception pattern I'm using right now. It works with the iOS app, but I don't know if the Apple TV app is the same.

    ^23\.246\.([0-9]|[1-5][0-9]|6[0-3])\.[0-9]
    ^185\.2\.(2(2[0-3]))\.[0-9]
    ^192\.173\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))\.[0-9]
    ^108\.175\.(3[2-9]|4[0-7])\.[0-9]
    ^69\.53\.(2(2[4-9]|[3-4][0-9]|5[0-5]))\.[0-9]
    ^66\.197\.(1(2[8-9]|[3-9][0-9])|2([0-4][0-9]|5[0-5]))\.[0-9]
    ^198\.45\.(4[8-9]|5[0-9]|6[0-3])\.[0-9]
    ^208\.75\.(7[6-9])\.[0-9]
    ^64\.120\.(1(2[8-9]|[3-9][0-9])|2([0-4][0-9]|5[0-5]))\.[0-9]
    ^185\.9\.(1(8[8-9]|9[0-1]))\.[0-9]
    ^([A-Za-z0-9.-]*\.)?ne?t?fli?x(img|ext|video)?\.(com|net)/
    ^198\.38\.(9[6-9]|1([0-1][0-9]|2[0-7]))\.[0-9]
    ^45\.57\.([0-9]|[1-9][0-9]|1([0-1][0-9]|2[0-7]))\.[0-9]
    ^37\.77\.(1(8[4-9]|9[0-1]))\.[0-9]

    Additionally I'm running the web AV in scan mode "real-time". This might be an important difference if there are some URLs which are not covered by the patterns.

    Best Regards

    Dom Nik

  • *sigh*

    A few months ago I cleaned up the list of items in the KB article.  It appears someone has reverted the list.  We are changing it back and seeing if we can lock it.

    In the meantime, can you please try with the following.  I know this was confirmed working by other customers a few months ago.

    The list you are using now is one that was community developed as a shotgun approach using a bit of guesswork to get everything NetFlix.

    The list below is created by Sophos development to focus on the specific problems that netflix presents.  It is the list that we want to use going forward, and if anyone has problems with this list I want to know so that I can explore the issues.

     

    ^([A-Za-z0-9.-]*\.)?ne?t?fli?x(img|ext|video)?\.(com|net)/
    ^23\.246\.([0-9]|[1-5][0-9]|6[0-3])\.[0-9]
    ^37\.77\.(1(8[4-9]|9[0-1]))\.[0-9]
    ^45\.57\.([0-9]|[1-9][0-9]|1([0-1][0-9]|2[0-7]))\.[0-9]
    ^64\.120\.(1(2[8-9]|[3-9][0-9])|2([0-4][0-9]|5[0-5]))\.[0-9]
    ^66\.197\.(1(2[8-9]|[3-9][0-9])|2([0-4][0-9]|5[0-5]))\.[0-9]
    ^192\.173\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))\.[0-9]
    ^69\.53\.(2(2[4-9]|[3-4][0-9]|5[0-5]))\.[0-9]
    ^108\.175\.(3[2-9]|4[0-7])\.[0-9]
    ^185\.2\.(2(2[0-3]))\.[0-9]
    ^185\.9\.(1(8[8-9]|9[0-1]))\.[0-9]
    ^198\.38\.(9[6-9]|1([0-1][0-9]|2[0-7]))\.[0-9]
    ^198\.45\.(4[8-9]|5[0-9]|6[0-3])\.[0-9]
    ^208\.75\.(7[6-9])\.[0-9]

  • I get Netflix without problems on PC's, Chromecasts and phones via my XG firewall but I have an LG 60" TV which seems to be able to move through the menus just fine but then freezes at 25% when actually loading a show. It and most other streaming devices are set up as clientless users in the firewall with very little in the way of blocking applied.

    Is there any chance that this behaviour is caused by the firewall? It seems (maybe) to have been happening for about the time that the firewall has been in service.

  • Michael Dunn said:

    *sigh*

    A few months ago I cleaned up the list of items in the KB article.  It appears someone has reverted the list.  We are changing it back and seeing if we can lock it.

     

    This is exactly what I was pointing out to Aditya in my initial post. His regex exceptions are very relaxed and will allow unintended IPs to pass through. I had that happen to me before the KB article was fixed, as I pointed out. I see the KB article is reverted to the relaxed version again. We somehow got sidetracked on TVs getting owned by malware ;) I didn't even have to use all the regex to get my Netflix to work because most of the CDNs are localized and I mostly connect to the same CDNs closest to me in Texas.
    So after using the ^([A-Za-z0-9.-]*\.)?ne?t?fli?x(img|ext|video)?\.(com|net)/ regex, I added a couple of IP exceptions for my local CDNs and it worked perfectly.
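Added example (not from the thread, Sophos or the KB article): a small Python check that tests candidate URLs against the exception list Sophos posted above and turns each IP pattern back into the CIDR block it actually accepts, so the regexes can be compared with the netblocks they are meant to cover before being added as HTTPS/malware exceptions. It assumes XG applies the regex to the URL with the scheme removed (e.g. `www.netflix.com/browse`); the test URLs are constructed.

```python
import ipaddress
import re

# Exception patterns exactly as posted by Sophos in this thread (sample input).
NETFLIX_PATTERNS = [
    r"^([A-Za-z0-9.-]*\.)?ne?t?fli?x(img|ext|video)?\.(com|net)/",
    r"^23\.246\.([0-9]|[1-5][0-9]|6[0-3])\.[0-9]",
    r"^37\.77\.(1(8[4-9]|9[0-1]))\.[0-9]",
    r"^45\.57\.([0-9]|[1-9][0-9]|1([0-1][0-9]|2[0-7]))\.[0-9]",
    r"^64\.120\.(1(2[8-9]|[3-9][0-9])|2([0-4][0-9]|5[0-5]))\.[0-9]",
    r"^66\.197\.(1(2[8-9]|[3-9][0-9])|2([0-4][0-9]|5[0-5]))\.[0-9]",
    r"^192\.173\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))\.[0-9]",
    r"^69\.53\.(2(2[4-9]|[3-4][0-9]|5[0-5]))\.[0-9]",
    r"^108\.175\.(3[2-9]|4[0-7])\.[0-9]",
    r"^185\.2\.(2(2[0-3]))\.[0-9]",
    r"^185\.9\.(1(8[8-9]|9[0-1]))\.[0-9]",
    r"^198\.38\.(9[6-9]|1([0-1][0-9]|2[0-7]))\.[0-9]",
    r"^198\.45\.(4[8-9]|5[0-9]|6[0-3])\.[0-9]",
    r"^208\.75\.(7[6-9])\.[0-9]",
]
COMPILED = [re.compile(p) for p in NETFLIX_PATTERNS]


def matching_pattern(url):
    """Return the first pattern that matches `url`, or None if the URL would
    still be scanned. Assumption: XG matches against the scheme-less URL."""
    for rx in COMPILED:
        if rx.search(url):
            return rx.pattern
    return None


def covered_networks(pattern):
    """For an IP pattern with literal first two octets, try every third octet
    0..255 and collapse the matching /24s into CIDR blocks. Hostname patterns
    return []. Lets you confirm a regex equals the netblock it should cover."""
    m = re.match(r"\^(\d+)\\\.(\d+)\\\.", pattern)   # pull A and B out of ^A\.B\.
    if not m:
        return []
    a, b = m.groups()
    rx = re.compile(pattern)
    hits = [ipaddress.ip_network(f"{a}.{b}.{c}.0/24")
            for c in range(256) if rx.match(f"{a}.{b}.{c}.1/")]
    return [str(n) for n in ipaddress.collapse_addresses(hits)]


if __name__ == "__main__":
    for pat in NETFLIX_PATTERNS:
        print(f"{pat:62s} -> {', '.join(covered_networks(pat)) or 'hostname'}")
    for url in ["www.netflix.com/browse", "nflxvideo.net/range/0-1",
                "23.246.63.9/path", "23.246.64.1/path", "notnetflix.com/"]:
        print(f"{url:26s} -> {matching_pattern(url)}")
```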