PAN-OS 8.0 Upgrade Blocking Netflix


L1 Bithead

I recently upgraded my home PA-200 to PAN-OS 8.0.1 from 7.1.7.  All seems fine, except that from two Samsung smart TVs Netflix streaming is affected.  A diagnostic test on one of the TVs shows that the app is able to connect to 1 of 4 Netflix servers only.  Strangely, I can stream Netflix to a Chrome browser on a Windows 10 machine without issue.

 

Any suggestions as to what might be causing this, or how to fix it?


Cyber Elite

First step is to check whether you see any sessions if you go to Monitor > Traffic and use the filter below:

( addr.src in 1.1.1.1 )  and ( action neq allow )

Replace 1.1.1.1 with the IP of your TV.

Also run the filter ( addr.src in 1.1.1.1 ) against the threat and URL logs.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

I've pasted below certain fields from the traffic log of a pretty typical attempt to connect to Netflix from one of the smart TVs.  Lots of TCP resets from client, though no idea why that would be happening.

 

The threat and URL logs are empty.

 

 

| Receive Time | Type | Threat/Content Type | Source address | Destination address | Rule | Application | Source Port | Destination Port | Flags | IP Protocol | Action | Category | Destination Country | pkts_sent pkts_received (run together in the export) | session_end_reason |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4/20/2017 23:10 | TRAFFIC | end | 192.168.2.101 | 8.8.8.8 | rule-outbound-guest | dns | 46815 | 53 | 0x400019 | udp | allow | any | United States | 1616 | aged-out |
| 4/20/2017 23:10 | TRAFFIC | end | 192.168.2.101 | 74.125.28.104 | rule-outbound-guest | google-base | 52760 | 80 | 0x40001c | tcp | allow | search-engines | United States | 3336 | tcp-fin |
| 4/20/2017 23:10 | TRAFFIC | end | 192.168.2.101 | 206.190.36.45 | rule-outbound-guest | web-browsing | 42024 | 80 | 0x40001c | tcp | allow | any | United States | 64 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 23.44.160.210 | rule-outbound-guest | netflix-base | 56977 | 443 | 0x400053 | tcp | allow | streaming-media | United States | 129 | tcp-rst-from-client |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 74.125.28.104 | rule-outbound-guest | google-base | 52753 | 80 | 0x40001c | tcp | allow | search-engines | United States | 3336 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 206.190.36.45 | rule-outbound-guest | web-browsing | 42017 | 80 | 0x40001c | tcp | allow | any | United States | 64 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 23.44.160.210 | rule-outbound-guest | netflix-base | 56970 | 443 | 0x400053 | tcp | allow | streaming-media | United States | 118 | tcp-rst-from-client |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 206.190.36.45 | rule-outbound-guest | web-browsing | 41964 | 80 | 0x40001c | tcp | allow | any | United States | 64 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 74.125.28.104 | rule-outbound-guest | google-base | 52700 | 80 | 0x40001c | tcp | allow | search-engines | United States | 3336 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 23.44.160.210 | rule-outbound-guest | netflix-base | 56917 | 443 | 0x400053 | tcp | allow | streaming-media | United States | 129 | tcp-rst-from-client |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 157.56.136.235 | rule-outbound-guest | web-browsing | 45842 | 80 | 0x40001c | tcp | allow | any | United States | 43 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 157.56.136.235 | rule-outbound-guest | web-browsing | 45843 | 80 | 0x40001c | tcp | allow | any | United States | 65 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 23.60.74.112 | rule-outbound-guest | web-browsing | 36748 | 80 | 0x40001c | tcp | allow | any | United States | 55 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 192.99.20.185 | rule-outbound-guest | web-browsing | 49949 | 80 | 0x40001c | tcp | allow | any | Canada | 63 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 175.41.134.166 | rule-outbound-guest | ssl | 55517 | 443 | 0x400053 | tcp | allow | any | Singapore | 3026 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 34175 | 443 | 0x40001a | tcp | allow | any | United States | 98 | tcp-rst-from-client |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46773 | 80 | 0x40001c | tcp | allow | any | United States | 55 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46779 | 80 | 0x40001c | tcp | allow | any | United States | 55 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46765 | 80 | 0x40001c | tcp | allow | any | United States | 55 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46732 | 80 | 0x40001c | tcp | allow | any | United States | 55 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 54.192.143.51 | rule-outbound-guest | web-browsing | 57982 | 80 | 0x40001c | tcp | allow | any | United States | 88 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 52.4.8.109 | rule-outbound-guest | web-browsing | 49421 | 80 | 0x40001c | tcp | allow | any | United States | 55 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46729 | 80 | 0x40001c | tcp | allow | any | United States | 66 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 34137 | 443 | 0x40001a | tcp | allow | any | United States | 1418 | tcp-rst-from-client |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 208.38.213.148 | rule-outbound-guest | ntp | 33464 | 123 | 0x400053 | udp | allow | any | United States | 11 | aged-out |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 34125 | 443 | 0x40001a | tcp | allow | any | United States | 98 | tcp-rst-from-client |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 34126 | 443 | 0x40001a | tcp | allow | any | United States | 98 | tcp-rst-from-client |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 34123 | 443 | 0x40001a | tcp | allow | any | United States | 1211 | tcp-rst-from-client |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 98.136.189.56 | rule-outbound-guest | ssl | 41307 | 443 | 0x40001a | tcp | allow | any | United States | 1011 | tcp-rst-from-client |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46567 | 80 | 0x40001c | tcp | allow | any | United States | 66 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 33814 | 443 | 0x40001c | tcp | allow | any | United States | 910 | tcp-rst-from-server |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 33827 | 443 | 0x40001c | tcp | allow | any | United States | 910 | tcp-rst-from-server |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 33796 | 443 | 0x40001c | tcp | allow | any | United States | 910 | tcp-rst-from-server |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 207.36.95.10 | rule-outbound-guest | ssl | 33797 | 443 | 0x40001c | tcp | allow | any | United States | 910 | tcp-rst-from-server |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 54.164.76.169 | rule-outbound-guest | ssl | 45748 | 443 | 0x40001c | tcp | allow | any | United States | 117 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 54.192.143.51 | rule-outbound-guest | web-browsing | 57637 | 80 | 0x40001c | tcp | allow | any | United States | 88 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46384 | 80 | 0x40001c | tcp | allow | any | United States | 55 | tcp-fin |
| 4/20/2017 23:09 | TRAFFIC | end | 192.168.2.101 | 69.192.247.46 | rule-outbound-guest | web-browsing | 46381 | 80 | 0x40001c | tcp | allow | any | United States | 65 | tcp-fin |
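The log above is the kind of evidence the thread turns on: sessions that are allowed (so nothing in the threat or URL logs) but keep ending in tcp-rst-from-client. As an added example, not from the thread or from PAN-OS, here is a small triage script over a CSV export in the same column layout; the sample rows are constructed from the rows quoted above, with the two packet counters split into separate values only for the example.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed CSV export in the PAN-OS traffic-log column layout used in the
# thread (subset of the quoted rows; packet counters split 16/16, 12/9 ... as
# constructed values for this example).
SAMPLE_LOG = """\
Receive Time,Type,Threat/Content Type,Source address,Destination address,Rule,Application,Source Port,Destination Port,Flags,IP Protocol,Action,Category,Destination Country,pkts_sent,pkts_received,session_end_reason
4/20/2017 23:10,TRAFFIC,end,192.168.2.101,8.8.8.8,rule-outbound-guest,dns,46815,53,0x400019,udp,allow,any,United States,16,16,aged-out
4/20/2017 23:09,TRAFFIC,end,192.168.2.101,23.44.160.210,rule-outbound-guest,netflix-base,56977,443,0x400053,tcp,allow,streaming-media,United States,12,9,tcp-rst-from-client
4/20/2017 23:09,TRAFFIC,end,192.168.2.101,23.44.160.210,rule-outbound-guest,netflix-base,56970,443,0x400053,tcp,allow,streaming-media,United States,11,8,tcp-rst-from-client
4/20/2017 23:09,TRAFFIC,end,192.168.2.101,23.44.160.210,rule-outbound-guest,netflix-base,56917,443,0x400053,tcp,allow,streaming-media,United States,12,9,tcp-rst-from-client
4/20/2017 23:09,TRAFFIC,end,192.168.2.101,207.36.95.10,rule-outbound-guest,ssl,34175,443,0x40001a,tcp,allow,any,United States,9,8,tcp-rst-from-client
4/20/2017 23:09,TRAFFIC,end,192.168.2.101,207.36.95.10,rule-outbound-guest,ssl,33814,443,0x40001c,tcp,allow,any,United States,9,10,tcp-rst-from-server
4/20/2017 23:09,TRAFFIC,end,192.168.2.101,175.41.134.166,rule-outbound-guest,ssl,55517,443,0x400053,tcp,allow,any,Singapore,30,26,tcp-fin
4/20/2017 23:09,TRAFFIC,end,192.168.2.101,74.125.28.104,rule-outbound-guest,google-base,52760,80,0x40001c,tcp,allow,search-engines,United States,33,36,tcp-fin
"""

RESET_REASONS = {"tcp-rst-from-client", "tcp-rst-from-server"}


def summarize_end_reasons(csv_text):
    """Return {(application, dst_ip): Counter(session_end_reason)} for TCP rows."""
    stats = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["IP Protocol"] != "tcp":
            continue  # UDP sessions only ever age out; resets are a TCP signal
        key = (row["Application"], row["Destination address"])
        stats[key][row["session_end_reason"]] += 1
    return dict(stats)


def suspicious_destinations(csv_text, min_sessions=2):
    """Flag (app, dst) pairs where every observed session ended in a TCP reset.
    These sessions were allowed, so a 'nothing blocked in threat/URL logs'
    check alone misses them; the end reason is the only trace left."""
    flagged = []
    for (app, dst), reasons in summarize_end_reasons(csv_text).items():
        total = sum(reasons.values())
        resets = sum(n for r, n in reasons.items() if r in RESET_REASONS)
        if total >= min_sessions and resets == total:
            flagged.append((app, dst, total))
    return sorted(flagged)


if __name__ == "__main__":
    for app, dst, n in suspicious_destinations(SAMPLE_LOG):
        print(f"{app:14s} {dst:16s} {n} sessions, all ended by TCP reset")
```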

Are you decrypting traffic? The traffic and URL logs don't show any blocked traffic?

What if you temporarily add a Policies > Application Override rule to match traffic from the TV's IP going to the WAN?

Will it work then?

Be careful with app override. This will make the Palo stop at Layer 4; it will not do Layer 7 inspection or App-ID.

 

https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-Application-...

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L7 Applicator

During the 8.0 beta, there were a couple of issues reported with Netflix, but I don't know if they were fully addressed.  The two workarounds mentioned at the time were:

 1.) disabling the DNS proxy (or pointing the two Netflix devices at an external DNS server such as 8.8.8.8 and 8.8.4.4)

 2.) enabling "allow http header range option" under Device / Setup / Content-ID / Content-ID Settings

 

Would be curious to know if either of these apply to you and if modifying them changes the behavior.  

Thanks both for your replies and suggestions.

 

@jvalentine, it seems to be a DNS Proxy problem.  I use DHCP on my network to assign/provide both IP and DNS to clients.  On the first smart TV client, I reverted to manual IP and DNS configuration, and streaming is back on Netflix.  On the second device - really an Apple TV - I manually assigned the DNS server only (keeping DHCP for local IP address assignment) and its streaming is now working too.

 

FWIW, I tried the "allow http header range option" setting both on and off and it seemed to have no effect in my configuration.  

 

Solved for now!

Hi,

 

I had disabled the DNS proxy for my Apple TV for the last couple of months, which worked for me.

But then after upgrading my Apple TV to the latest release yesterday evening, Netflix suddenly stopped working.

 

I then enabled the "allow header range option", and Netflix worked again 🙂

 

So thank you for the tip!

 

PS.: Running 8.0.3-h4.

L1 Bithead

Thanks for the tips that got it working for me.

Just experienced this today after having set up DNS proxy on 8.1.1 in my home network.

If you enable TCP queries in your DNS proxy setup, Netflix works as normal (at least it did for me with my Apple TV).
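Why a "TCP queries" option on a DNS proxy matters: when an answer does not fit in the UDP reply, the resolver sets the TC (truncated) bit and the client is expected to repeat the query over TCP (RFC 1035, RFC 7766). If the proxy in the path never forwards TCP queries, that retry fails and the device ends up with an unusable answer. Added illustration, not from the thread and not PAN-OS code: a standard-library DNS client that performs exactly that fallback, plus two constructed replies so the truncation check can be exercised offline.

```python
import random
import socket
import struct


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (RD set) for `name`; returns (txid, bytes)."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return the header fields a client checks: id, rcode, TC bit, ANCOUNT."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200), "ancount": ancount}


def needs_tcp_retry(udp_reply, expected_id):
    """RFC 1035/7766: a UDP reply with TC=1 is incomplete and must be retried over TCP."""
    h = parse_header(udp_reply)
    if h["id"] != expected_id:
        raise ValueError("transaction id mismatch")
    return h["tc"]


def resolve_with_fallback(name, server, timeout=2.0):
    """Query over UDP first; if truncated, repeat over TCP using the 2-byte
    length prefix of RFC 7766. Returns (transport_used, parsed_header)."""
    txid, q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    if not needs_tcp_retry(reply, txid):
        return "udp", parse_header(reply)
    # A proxy that does not forward TCP queries fails right here (refused/timeout).
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(struct.pack("!H", len(q)) + q)
        length = struct.unpack("!H", t.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = t.recv(length - len(data))
            if not chunk:
                raise ConnectionError("TCP DNS connection closed early")
            data += chunk
    return "tcp", parse_header(data)


# Constructed replies for offline checking: txid 0x1234, flags QR|RD|RA (0x8180)
# without and with the TC bit (0x0200), no answer records.
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
```

Run `resolve_with_fallback("example.com", "<proxy-ip>")` against the proxy address (placeholder) to see which transport a real answer needed; a proxy with TCP queries disabled surfaces as an exception on the TCP leg rather than as a silent empty answer.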
