08-20-2024 08:04 PM - edited 08-20-2024 08:14 PM
Good day,
Just got off a meeting with one of our users. We have a standing policy wherein Netflix is blocked within the campus premises. We explicitly created a rule to block all banned applications right on top of the security policy stack, Netflix amongst them. Rule had been in place for more than a year.
It was reported that users were still able to access netflix.com (splash page). Weird thing is, when we received the ticket and tested, netflix.com could no longer be accessed. User doesn't watch Netflix, so we've ruled out possible browser caching.
I already checked, nobody made any changes that could possibly affect Netflix access. The logs also show that netflix-base is being blocked, and I am getting a blank list when I search for 'app eq netflix'.
Sadly I cannot reproduce the behavior, as Netflix is being blocked elsewhere in our campuses.
Taking the ticket details as is, what other possibilities are there that Netflix could be allowed, yet not logged on the firewall? Am guessing that somehow, for a split second, the firewall may have failed to identify Netflix traffic.
Any ideas? For now, we've added .netflix.com/ and *.netflix.com/ into our URL filtering block list. Thanks
08-20-2024 09:35 PM
Can you check the old timeframe logs when Netflix was allowed? Those logs would help to identify why it got allowed. There might be a chance someone browsed the URL only from a web browser and it matched the traffic in the web-browser app category. I am just telling you a possibility. So to confirm it, past allowed traffic logs would actually help here.
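An added example, not part of the original reply: one way to run the log check suggested above over exported log rows, looking for allowed sessions to the domain that were identified as some other application. The CSV layout, rule names and rows are constructed assumptions, not the firewall's real export format.

```python
import csv
import io
from collections import Counter

# Constructed sample rows in a simplified layout (an assumption). "host" stands
# for the hostname recorded for the session, e.g. from the URL log or TLS SNI.
# Rule names are hypothetical; addresses are documentation ranges.
SAMPLE_LOG = """\
time,src,dst,app,action,rule,host
2024-08-20 09:01:12,10.1.5.20,198.51.100.10,netflix-base,deny,block-banned-apps,www.netflix.com
2024-08-20 09:14:47,10.1.5.31,198.51.100.44,ssl,allow,allow-web,www.netflix.com
2024-08-20 09:14:49,10.1.5.31,198.51.100.45,web-browsing,allow,allow-web,netflix.com
2024-08-20 09:15:02,10.1.5.31,203.0.113.9,ssl,allow,allow-web,www.example.org
2024-08-20 09:16:30,10.1.5.40,203.0.113.77,ssl,allow,allow-web,notnetflix.com
"""


def host_in_domain(host, domain):
    """True for the domain itself or any subdomain, never a lookalike suffix."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def allowed_sessions_for(log_text, domains):
    """Return allowed rows whose hostname belongs to one of the domains."""
    rows = csv.DictReader(io.StringIO(log_text))
    return [r for r in rows
            if r["action"] == "allow"
            and any(host_in_domain(r["host"], d) for d in domains)]


def summarize(hits):
    """Count hits per (identified application, matching rule) pair."""
    return Counter((r["app"], r["rule"]) for r in hits)


if __name__ == "__main__":
    hits = allowed_sessions_for(SAMPLE_LOG, ["netflix.com"])
    for (app, rule), n in summarize(hits).items():
        print(f"{n} allowed session(s) identified as {app!r} via rule {rule!r}")
```

Sessions found this way would not appear in a search by the Netflix application name, because they were logged under a different application.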
08-27-2024 04:46 PM
Classic filtering works (I believe) by the Palo performing periodic DNS lookups on "netflix.com". Connections are then blocked if the previous DNS lookup found the matching IP for Netflix in a previous lookup.
If you're not performing decryption, the firewalls have limited (no) visibility into the streams and have to base their appid on limited info. "Oh this is an SSL connection - Looks Good - Open the Gates!".
As Netflix is hosted in the "cloud" - a conglomeration of many servers that are selected by proximity to the end user - DNS lookups will purposely be manipulated to return those servers closest to you. This is further massaged based on server usage - the servers nearest you are approaching max? Let's increase the radius of available servers and remove the nearest. If you're caught in that point where previously, Fairfax, Virginia was your "closest" location 10 minutes ago, those servers reached max users and now Atlanta, Georgia is "closest". The most recent check of netflix.com has not yet run and did not see the Atlanta servers in a DNS lookup... you can have a connection sneak through.
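An added example, not part of the original reply: a toy model of the timing gap this reply describes, where an address list refreshed on a timer lags behind a rotating CDN answer. It models the reply's description only, not the firewall's actual implementation; the pools, addresses, rotation time and refresh intervals are all constructed.

```python
# Toy model (assumption): the CDN changes which address pool it hands out, and
# the enforcement point only re-resolves the name every `refresh` seconds.
# Addresses are documentation ranges; times are seconds from an arbitrary start.
POOLS = {
    "fairfax": {"198.51.100.10", "198.51.100.11"},
    "atlanta": {"203.0.113.20", "203.0.113.21"},
}
ROTATE_AT = 600  # constructed: the nearest pool fills up after 10 minutes


def cdn_answer(t):
    """Addresses a DNS lookup for the service returns at time t."""
    return POOLS["fairfax"] if t < ROTATE_AT else POOLS["atlanta"]


def blocklist_at(t, refresh):
    """Addresses known to the enforcement point: the result of its last lookup."""
    last_lookup = (t // refresh) * refresh
    return cdn_answer(last_lookup)


def missed_connections(client_times, refresh):
    """Times at which a client resolves fresh, connects, and is not matched."""
    missed = []
    for t in client_times:
        client_ips = cdn_answer(t)  # the client resolves at connect time
        if not client_ips & blocklist_at(t, refresh):
            missed.append(t)
    return missed


def exposure_window(refresh):
    """Seconds after the rotation during which the stored list is stale."""
    next_lookup = -(-ROTATE_AT // refresh) * refresh  # round up to next refresh
    return next_lookup - ROTATE_AT


if __name__ == "__main__":
    clients = [300, 610, 880, 900, 1000]
    for refresh in (900, 420):
        print(refresh, missed_connections(clients, refresh),
              exposure_window(refresh))
```

A control that matches on the requested hostname, such as the URL filtering entry the original poster added, does not depend on which address the CDN returns.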
08-28-2024 06:40 AM
As others have mentioned, it's possible some CDN variation of content delivery of Netflix might have presented the homepage of Netflix, but if you're blocking the Netflix applications, the parent app:
And this blocking rule is above ANY allow rules AND you've also got a custom URL profile with the Netflix domains & potential CDNs, then there should be no way for Netflix to be accessible. Also, as mentioned before, if you're not doing SSL decryption then it's possible from time to time weird scenarios like this may arise.