  • There is mention of Streaming Video improvements in Version 17, are any knowledge base articles available for that?

  • tom greene said:

    There is mention of Streaming Video improvements in Version 17, are any knowledge base articles available for that?

     

    There are no KB articles on this because there isn't really any configuration.  It's mostly an under-the-hood improvement.

    We now support range-requests for most streaming media types.  For some video sites that did not play videos, had delays in starting playing, or could not seek around in the middle of the video this will make things better.

    There is a global option "Scan audio and video files".  This has always been there, but with the v17 improvements there are fewer sites where this is required.

    I recommend that this option be enabled by default (i.e. it should scan).  Only if you are having problems with streaming from certain sites and you find that disabling scanning makes a difference should it be used.

    As a separate fix, for those people who are having trouble streaming Netflix (mostly on iOS devices) there is a new and better way of getting it working.  Netflix for iOS streaming has issues because it makes HTTPS connections directly to IPs, making the exceptions for them complex.  The better method is to create a firewall rule that causes all traffic to Netflix to bypass the proxy.  This is similar to the UTM's "transparent mode skiplist".  The v17 improvement is an FQDN Group definition in an out-of-the-box object that captures both hostname and all the IPs.
    See here for more on Netflix:
    community.sophos.com/.../125061
     
  • Michael Dunn said:
    We now support range-requests for most streaming media types.  For some video sites that did not play videos, had delays in starting playing, or could not seek around in the middle of the video this will make things better.

    There is a global option "Scan audio and video files".  This has always been there, but with the v17 improvements there are fewer sites where this is required.

    I recommend that this option be enabled by default (i.e. it should scan).  Only if you are having problems with streaming from certain sites and you find that disabling scanning makes a difference should it be used.

    Would this guidance apply only to the new v17 or would you recommend enabling "Scan audio and video files" also in v16.5?


  • There is always a trade-off between security and convenience/functionality.
    I go on the premise of "Be secure, and only reduce security if you need to".  So yes, I would recommend that you mark the checkbox for Scan Audio/Visual for 16.5 as well.  If and only if you have a specific reason to do otherwise should you uncheck it.  The number of problems is likely to be lower in v17 than in v16.5.
    The security issue is not that audio/video can contain viruses - they cannot.  The issue is that websites can lie about whether a given stream is audio/visual.
     
    Some history and context:
     
    The SG UTM scans everything including audio/visual.
    If a website does not play videos, administrators are quick to create an exception for "skip antivirus" so that the site works.
     
    The XG Firewall scans everything including audio/visual.
    In v15 and v16 there are no exceptions.  So if a website doesn't play videos, the only option is to not scan any audio and visual (sort of a giant global exception).
    In v16.5 we introduced exceptions.  So the best thing would be that if a site doesn't work, create an exception for that site.  The support for streaming and for exceptions is similar to UTM 9.5.
    In v17 we added some more streaming support.  So the frequency of needing an exception is lower.  Lower in fact than UTM 9.5.
     
     
    For various reasons, starting with v15 the "Scan audio/visual" was defaulted to off for new installs.  In my personal opinion, from v16.5 on we should default new installs to scan.  Unfortunately the majority of customer installs are not currently scanning audio/visual.
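
The point in the post above, that a website can lie about whether a stream is audio/visual, shown as an added example (not part of the original thread, not Sophos code, and not a description of how the XG Firewall decides). It compares a response's declared Content-Type with the file signature in its first bytes; the function names, the signature tables and the sample responses are assumptions constructed for illustration.

```python
# Added example: compare a response's declared Content-Type with what its
# first bytes actually are. All sample data below is constructed.

# (offset, magic bytes, label) for common audio/video containers
MEDIA_MAGIC = [
    (4, b"ftyp", "mp4"),               # ISO BMFF: MP4/M4A/MOV
    (0, b"\x1a\x45\xdf\xa3", "webm"),  # EBML header: WebM/Matroska
    (0, b"OggS", "ogg"),
    (0, b"ID3", "mp3"),                # MP3 with ID3v2 tag
    (0, b"FLV", "flv"),
    (0, b"fLaC", "flac"),
]
# Signatures that should never arrive labelled as audio/video
NON_MEDIA_MAGIC = [
    (0, b"MZ", "windows-executable"),
    (0, b"\x7fELF", "elf-executable"),
    (0, b"PK\x03\x04", "zip-archive"),
    (0, b"%PDF", "pdf"),
]

def sniff(head: bytes):
    """Return (kind, label) where kind is 'media', 'non-media' or 'unknown'."""
    # RIFF needs the form type at offset 8 to tell WAV/AVI from other RIFF data
    if head[:4] == b"RIFF" and head[8:12] in (b"WAVE", b"AVI "):
        return "media", head[8:12].decode().strip().lower()
    for kind, table in (("non-media", NON_MEDIA_MAGIC), ("media", MEDIA_MAGIC)):
        for offset, magic, label in table:
            if head[offset:offset + len(magic)] == magic:
                return kind, label
    return "unknown", None

def may_skip_scan(content_type: str, head: bytes) -> bool:
    """True only if the header claims audio/video AND the bytes agree."""
    declared = content_type.split(";")[0].strip().lower()
    if not declared.startswith(("audio/", "video/")):
        return False                      # not claimed as media: scan
    kind, _ = sniff(head)
    return kind == "media"                # mismatch or unknown: scan

if __name__ == "__main__":
    samples = [  # constructed (Content-Type, first bytes) pairs
        ("video/mp4", b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00"),
        ("video/mp4", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("audio/mpeg; charset=binary", b"ID3\x04\x00\x00\x00\x00\x00\x00"),
        ("video/webm", b"<html><script>"),
    ]
    for ctype, head in samples:
        print(f"{ctype:28} {sniff(head)} skip_scan={may_skip_scan(ctype, head)}")
```

A response that is labelled as media but does not start with a known media signature falls back to being scanned, which matches the "be secure, and only reduce security if you need to" premise of the post.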
  • Thanks Michael for the insightful post.  I have enabled it on v17 home box and haven't noticed any adverse effects yet.  I will consider enabling it on my v16.5 box in production if all goes well.