Netflix 4K and v17

Hm, I just picked up an LG OLED TV as well and watched a Netflix show in 4K with no issues (MR-3). I’m also running a custom Web Policy so my traffic is going through the web proxy. This was Netflix on an Apple TV though. If I get some time this weekend I can try the Netflix app on the LG TV itself.

Hello,

i've got the same Problem. But i think there is a solution.

- The Information is out of the Sophos KB. But i did not remember the Link.

You only have to create a new Firewall Rule with the following entrys. After adding this Rule evertything works fine.

Source: LAN

Source Network: in my Case the IP of my LG TV

Destination: WAN

Destination Networks: Netflix (it really exsist in the Dropdown menu)

Service: ANY

IPS: None

Traffic Shaping: None

Web Policy: none

Application Control: None

NAT: Rewrite source address (Masquerading)

I hope it will help you

Hi,

I solved it as follows:

1. Create/enhance the Netflix FQDN Group with the following FQDNs:

*.nflximg.com
*.nflxvideo.com
*.nflxso.com
*.netflix.com
*.nflxext.com
*.nflximg.net
*.nflxso.net
*.nflxvideo.net

2. Create a dedicated FW rule for NetFlix FQDN Group and your TV:

Services: HTTP & HTTPS

Web Malware: everything disabled

IPS: can be enabled

Web Policy: None

And now the very important hint if it is still not working: Simply retry to play the video after 1-2 minutes if it was not working at first. This is some kind of a bug with the FQDNs, I've opened a thread for this here: First FQDN host resolution happens to late when used in FW rule

Best Regards

Dom Nik

RobertDavis said:

Ugh! Been having problems on my LG OLED Netflix app. 1080p worked fine but when I viewed 4K it would get about 15+ mins into a show and then start giving an error.  If you tried to resume it would play about 3 secs and error again.  FINALLY traced it to v17 (MR2 or MR3).  I had Web Filter: Allow All.  As soon as I changed to to None it worked fine.  Tried the Netflix exception and still had the problem. I had been running v16.05 until v17 MR2 came out and had no problems. Weird.

Robert,

Go to Protect > Web > General Settings.  In Malware and Content Settings, click on Advanced Settings to expand that portion.  Does deactivating Scan Audio and Video files help?.

Certain apps on my Apple TV don't work when I activate scanning of audio and video (EPIX, STARZ, and certain channels in SlingTV).  I don't have Netflix to test your issue.

There is a byte range bug in v17 https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-feedback/95909/fw-log-could-not-assocate-packet-to-any-connection-when-ips-enabled/352142#352142 which makes netflix fail when using web proxy.

Either follow Dominik's advice above or create a new firewall rule

Allow Lan>Wan user LG TV, uncheck http/s scanning, web policy none, application control none. You can apply LAN to WAN IPS policy if you like. Keep in mind, this rule won't scan anything but will NAT your TV so be mindful of the risks involved but I run all my streaming devices in this configuration instead of constantly tweaking firewall rules to make my streaming devices work correctly.

The other thing that we have discovered is that you need to make sure that your TV and your XG are using the same DNS server.  Some ISPs have co-located Netflix streaming boxes so that if you do DNS via the ISP DNS you go to one set of servers and if you do DNS via something else (eg Google, OpenDNS) you get a different set of servers.

Michael Dunn said:

The other thing that we have discovered is that you need to make sure that your TV and your XG are using the same DNS server.  Some ISPs have co-located Netflix streaming boxes so that if you do DNS via the ISP DNS you go to one set of servers and if you do DNS via something else (eg Google, OpenDNS) you get a different set of servers.

Micheal,

Thank you for brining that up.  I've run into that issue too.  Some smart TVs won't "smartly" use your gateway DNS nor let your change its DNS.

Most likely they are doing DHCP and getting the DNS settings from DHCP.  So if they getting their address from the XG I think they should be using the XG as their DNS server and everything is good.  If they are using your home ADSL router's DHCP then they are going to use that as the DNS server, which then will go up however your modem is configured.  At which point you should make sure that you modem and XG are configured the same.  The worst may be things like PVRs and Set Top boxes provided by the telco/cableco.  Since they are only ever intended to work on their network, they could potentially be configured to use some specific DNS server or even worse (ignore DNS and use a completely different mechanism to determine what servers to connect to).

I haven't had time to play with it since I posted so haven't been able to do more testing.  As noted the error was ONLY with 4K programs.  I could watch HD (1080p) all day with no problems.  My first quick thought is that Netflix keeps chunks on different servers (for caching) and my show switched to a different server to finish.  That is just a guess.

The LG is DHCP handled by the XG firewall and uses my ISP DNS.

I might try to force a Google DNS when I test again. I will also try the specific exclusions listed.  The built-in v17 Netflix exclusion had no affect.

Michael Dunn said:

Most likely they are doing DHCP and getting the DNS settings from DHCP.  So if they getting their address from the XG I think they should be using the XG as their DNS server and everything is good. 

I know for a fact that roku has hard coded google 8.8.8.8/8.8.4.4 dns servers. That is why every beta I ask for the ability to DNAT (which is available in SG) any dns traffic to anywhere back to XG for certain devices. Every device including most IoTs and phones also try to connect to NTP servers all day long all over the place but that is separate discussion although it still comes under my DNAT feature request.

In any case always nice to hear your input Michael.