One of the great features of the Sophos UTM firewall is the ability to filter and monitor web traffic on your network.  If you are using it in a home network you will more than likely filter far less than a corporate environment would.  You can be as permissive or restrictive as you wish.  You can also set up multiple policies and apply them to certain hosts or users, which allows you to be more restrictive for young children than for yourself.  The system will also scan web traffic for viruses and malware, and lets you allow, warn on, or block executable files.

This however causes a problem for certain websites, especially if you enjoy playing games and watching Netflix and Hulu.  Over the past month of running the system I have added exceptions to allow certain services to run without issues.  To create your exception, log into Sophos UTM and, under Web Protection, open the Filtering Options.  You’ll notice there are already some in place; these were set up by default when the system was initially configured.

To set up a new filter, choose New Exception List.  You will then give your exception list a name and description.  What I have done for the exceptions is to set them up to skip the following checks: Authentication, Caching, Anti-virus, Extension blocking, URL filtering, Content removal, SSL scanning, Certificate trust check, Certificate date check, and Do not display Download/Scan progress page.  Then for all requests choose Matching these URLs.  Here you can either type in what you need or import them for longer lists.  Below are the ones I have added so far.  It is best to add each one separately, as you can then activate or deactivate them per item to help with troubleshooting.

Blizzard

^https?://([A-Za-z0-9.-]*\.)?edgesuite\.net/
^https?://([A-Za-z0-9.-]*\.)?battle\.net/
^https?://([A-Za-z0-9.-]*\.)?blizzard\.com/

Hulu

^https?://([A-Za-z0-9.-]*\.)?hulu\.com/

Chat

^https?://([A-Za-z0-9.-]*\.)?aol\.com/
^https?://([A-Za-z0-9.-]*\.)?oscar\.com/
^https?://([A-Za-z0-9.-]*\.)?google([A-Za-z0-9.-]*)?\.com/
^https?://([A-Za-z0-9.-]*\.)?wlxrs\.com/
^https?://([A-Za-z0-9.-]*\.)?trillian\.im/
^https?://([A-Za-z0-9.-]*\.)?icq\.net/

Netflix

^https?://([A-Za-z0-9.-]*\.)?nflximg\.com\.?/
^https?://([A-Za-z0-9.-]*\.)?nflxvideo\.net\.?/
^https?://([A-Za-z0-9.-]*\.)?netflix\.com/
^https?://(?:\d{1,3}\.){3}\d{1,3}(?:/[^/]*)*/[0-9]{8}\.ism
^https?://(?:\d{1,3}\.){3}\d{1,3}(?:/[^/]*)*/[0-9]{9}\.ism
^https?://(?:\d{1,3}\.){3}\d{1,3}(?:/[^/]*)*/[0-9]{10}\.ism
^https?://([A-Za-z0-9.-]*\.)?netflix-*.vo.llnwd.net/.*
^https?://secure\.netflix\.com/*
^https?://uiboot\.netflix\.com/*
^https?://nintendo.nccp.netflix.com/
^https?://customerevents.netflix.com/
^https?://api-global.netflix.com/
^https?://([A-Za-z0-9.-]*\.)?nflxvideo.net/
^https?://ipv6_1.lagg0.c[0-9]{1,3}.[A-Za-z][A-Za-z][A-Za-z][0-9]{1,3}.ix.nflxvideo.net/
^https?://([A-Za-z0-9.-]*\.)?nflximg\.net\.?/
^https?://cdn[0-9].nflximg.com/
^https?://cdn[0-9].nflximg.net/
^https?://108.175.[0-9]{1,3}.[0-9]{1,3}/\?o=([A-Za-z0-9.-]*\.)?
^https?://[A-Za-z0-9.-]*netflix-*.vo.llnwd.net/
^https?://[A-Za-z0-9.-]*nflximg.com/
^https?://[A-Za-z0-9.-]*nflxvideo.net/
^https?://[A-Za-z0-9.-]*netflix.com/
^https?://23\.7\.139\.
^https?://([A-Za-z0-9.-]*\.)?netflix-*.vo.llnwd.net/.*

or coming from these user agents

Mozilla/5.0 (compatible; U; Nflx) Netflix/[0-9].[0-9].[0-9]
Gibbon/[0-9]{1,4}.[0-9]{1,4}.[0-9]{1,4}/[0-9]{1,4}.[0-9]{1,4}.[0-9]{1,4}: Netflix/[0-9]{1,4}.[0-9]{1,4}.[0-9]{1,4} (DEVTYPE=NFX[0-9]{1,4}-[0-9]{1,4}-; CERTVER=[0-9]{1,4})
AppleCoreMedia

Playstation Network

^https?://([A-Za-z0-9.-]*\.)?playstation\.(com|net|org)/

Steam Gaming

^https?://(?:\d{1,3}\.){3}\d{1,3}/depot/571/
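Before putting a list like the ones above into production it is worth checking two things: that the URLs the service actually uses are matched, and that a pattern does not quietly exempt far more than the one service from virus scanning and URL filtering. The following script is an added example (not part of the original post or of Sophos UTM) that runs a representative subset of the patterns above against sample URLs with Python's re module, which uses the same start-of-string anchoring the ^https?:// prefix relies on. The look-alike hostnames in PROBE_HOSTS are constructed for the test and are not real sites; the script flags any pattern that matches them, which for the lists above catches the unescaped dot in the [A-Za-z0-9.-]*netflix.com/ form and the google([A-Za-z0-9.-]*)?\.com/ pattern, both of which accept hostnames outside the intended domain.

```python
import re

# A representative subset of the exception patterns from the lists above.
EXCEPTION_PATTERNS = {
    "Netflix": [
        r"^https?://([A-Za-z0-9.-]*\.)?netflix\.com/",
        r"^https?://[A-Za-z0-9.-]*netflix.com/",
    ],
    "Chat": [
        r"^https?://([A-Za-z0-9.-]*\.)?google([A-Za-z0-9.-]*)?\.com/",
    ],
    "Steam Gaming": [
        r"^https?://(?:\d{1,3}\.){3}\d{1,3}/depot/571/",
    ],
}

# Constructed look-alike hostnames (not real sites) used to probe whether a
# pattern matches more than the service it was written for.
PROBE_HOSTS = [
    "notnetflix.com",
    "googledocs-lookalike.com",
    "netflix.com.example.net",
]


def matching_exceptions(url, patterns=EXCEPTION_PATTERNS):
    """Return the names of the exception lists whose patterns match url.

    re.match anchors at the start of the string, which is how the
    '^https?://' prefix in every pattern is meant to behave.
    """
    return [name for name, regexes in patterns.items()
            if any(re.match(rx, url) for rx in regexes)]


def overbroad_patterns(patterns=EXCEPTION_PATTERNS, probe_hosts=PROBE_HOSTS):
    """Return (list name, pattern, probe URL) for every pattern that matches a
    look-alike host; each hit is a pattern that would skip scanning for a site
    the author never intended to exempt."""
    hits = []
    for name, regexes in patterns.items():
        for rx in regexes:
            for host in probe_hosts:
                url = "https://%s/" % host
                if re.match(rx, url):
                    hits.append((name, rx, url))
    return hits


if __name__ == "__main__":
    for url in ("https://www.netflix.com/browse",
                "https://203.0.113.5/depot/571/chunk",
                "http://evil.example/netflix.com/"):
        print(url, "->", matching_exceptions(url) or "no exception")
    for name, rx, url in overbroad_patterns():
        print("over-broad: %-12s %s  matches  %s" % (name, rx, url))
```

Patterns that survive the probe keep the subdomain group anchored with a literal escaped dot before the domain, so a host that merely contains or is prefixed with the service name, or a path that repeats it after the hostname, does not get the exemption. When a pattern is flagged, tightening it usually means escaping the dots and keeping the optional ([A-Za-z0-9.-]*\.)? group instead of a bare [A-Za-z0-9.-]* prefix.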

Following the pattern of the web sites above should allow you to add additional exceptions when needed.  As I add to my exception list when needed I will update this page, so you can check back from time to time.  Also if you have any questions about adding an exception feel free to reach out to me.

Cheers,

Ivan Windon

7 Responses to “Sophos UTM – Web Filtering Options”

  1. I cant get HULU to play on the Firestick or android. it plays fine on my ipad. not sure where to make anymore changes to allow HULU.

    • If Hulu works on the iPad, and it is also going through the UTM web filtering and has the same privileges as your Firestick, then it’s not a filtering issue with Hulu. It may be an issue with the user agent that Amazon is using that needs to be allowed. I had to do the same thing with Netflix for the Apple TV. It wouldn’t stream media properly until I told it to add the user agent AppleCoreMedia. I’m not sure what the user agents would be for Amazon; that would take some searching on the Internet, or contact Amazon for the information. One thing that helps is looking at the web filtering logs to see what is being blocked; you can then make the needed adjustments to the URL filtering. Hope that helps get you going in the right direction. Another option, seeing as the Firestick isn’t going to be much of a browsing or security threat to begin with, is to assign your player a static IP address and then assign a more open policy for just that one device.

  2. Seth Hartman says:

    What about Nintendo gaming servers i.e. Super Smash Brothers Wii U or Super Mario Maker, because I have no idea how to fix this problem, I don’t know where to look, or nobody knows what.

    • Sometimes I find it difficult to find the required information to unblock certain things. First I track down what is really blocking it by turning off features on the UTM. I try turning off virus scanning on the web first, then I shut down web filtering altogether. Most of the time it is virus scanning that is causing the issue. So from there I’ll open the real time logs of web filtering and then try to access the service and see what is happening. You’ll see if anything is being blocked, or at least what IPs the Wii is trying to access. From there you can create a rule that would bypass virus scanning coming from the IP of the Wii and going to the various IPs you noted earlier. Another option would be to create just a rule that would bypass virus scanning from the source of the Wii completely, as the chances of being infected on the Wii are pretty much null. That would then allow the Wii to hit any IP and not have it scan for viruses, or even filter web traffic at all if you feel the need. I did that with my son’s Kindle Fire, so just that one device would not scan for viruses, as it’s not as critical as it would be for a computer. Hope that helps.
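The troubleshooting approach in the reply above, reading the web filtering log to see which destinations a device is being blocked from reaching, can be scripted once the log has been exported. The following is an added example (not part of the original post or its comments, and not a Sophos tool) that parses the key="value" fields of the UTM httpproxy log format, tallies blocked requests by source IP, destination host and user agent, and builds an exception regex for a host in the same style as the lists in the post. The log lines are constructed for the example and only approximate the real field set; the hosts, addresses and user agents in them are placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in the key="value" style of the UTM httpproxy log.
# Hosts, addresses and user agents are placeholders, not real services.
SAMPLE_LOG_LINES = [
    '2016:03:01-20:15:01 utm httpproxy[5123]: id="0001" severity="info" sys="SecureNet" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.50" dstip="198.51.100.7" statuscode="200" url="https://www.example.net/" ua="Mozilla/5.0" exceptions="" categoryname="Information Technology"',
    '2016:03:01-20:15:02 utm httpproxy[5123]: id="0060" severity="info" sys="SecureNet" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.50" dstip="203.0.113.10" statuscode="403" url="https://cdn.stream.example/video/123456789.ism" ua="ExampleMediaPlayer/1.0" exceptions="" categoryname="Streaming Media"',
    '2016:03:01-20:15:03 utm httpproxy[5123]: id="0060" severity="info" sys="SecureNet" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.50" dstip="203.0.113.10" statuscode="403" url="https://cdn.stream.example/video/123456790.ism" ua="ExampleMediaPlayer/1.0" exceptions="" categoryname="Streaming Media"',
    '2016:03:01-20:15:04 utm httpproxy[5123]: id="0060" severity="info" sys="SecureNet" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.50" dstip="203.0.113.11" statuscode="403" url="https://api.stream.example/boot" ua="ExampleMediaPlayer/1.0" exceptions="" categoryname="Streaming Media"',
    '2016:03:01-20:15:05 utm httpproxy[5123]: id="0060" severity="info" sys="SecureNet" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.60" dstip="203.0.113.20" statuscode="403" url="http://203.0.113.20/depot/571/chunk" ua="ExampleGameClient/2.0" exceptions="" categoryname="Games"',
]

# Matches one key="value" pair; values in this log format are double-quoted.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def blocked_requests(lines):
    """Return the parsed entries whose action is block."""
    return [e for e in map(parse_line, lines) if e.get("action") == "block"]


def blocked_destinations(lines):
    """Count blocked requests by (source IP, destination host, user agent).

    The host comes from the url field; when the URL has no hostname the
    dstip field is used instead, so IP-only CDN fetches are still grouped.
    """
    counts = Counter()
    for e in blocked_requests(lines):
        host = urlsplit(e.get("url", "")).hostname or e.get("dstip", "?")
        counts[(e.get("srcip", "?"), host, e.get("ua", ""))] += 1
    return counts


def suggested_url_pattern(host):
    """Build an exception regex for host in the style used in the post:
    optional subdomain labels, the escaped host, then the path separator."""
    return r"^https?://([A-Za-z0-9.-]*\.)?" + re.escape(host) + "/"


if __name__ == "__main__":
    for (srcip, host, ua), n in blocked_destinations(SAMPLE_LOG_LINES).most_common():
        print("%-14s %-22s %-24s blocked %d time(s)" % (srcip, host, ua, n))
        print("    candidate exception:", suggested_url_pattern(host))
```

Grouping by user agent as well as host is what makes the AppleCoreMedia case in the reply above visible: a device whose URLs already match an exception but whose client string does not will still show up as blocked, and the ua column tells you which string to add. The suggested pattern is for the exact host; widening it to the parent domain is a deliberate choice, and the check in the earlier example is worth rerunning after doing so.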

  3. Thanks for Netflix’s, it worked, but had to add the AppleCoreMedia

    • Right, you need both to make it work. The problem is for other devices such as Amazon Fire, Samsung Tablets, phones that are not Apple it doesn’t work. I haven’t found the equivalent for those services yet. So my work around for the time being is to create a static IP entry for those devices and assign them to a profile that does not use Anti-Virus for just those tablets and devices.

  4. For Hulu, had to add:
    ^https?://([A-Za-z0-9.-]*\.)?hulustream\.com/
