Packet filters converted to proxy policy types

Monday, March 9, 2015 - by Keith A. Smith

I decided to clean up and consolidate my firewall rule base last week. I originally had multiple rules for the same policy type for each subnet that needed access; it ended up that way because I needed to get things up and running ASAP, since the change took place late in the evening. Anyway, I created some http-proxy, https-proxy and dns-proxy policy types to lump all the VLANs into. Once that was done I tested most of the services and things seemed ok.

I found out on 3/7/15 that Netflix had not been working for a few days. I took a look online (Twitter, etc.) and found others had issues also, so I figured our problem with the Amazon Fire TVs could be related to that issue. I called Netflix and they were no help, basically, so I had a thought: split out the VLAN that contains the Amazon Fire TVs from the proxy policies and place it into non-proxy http, https and dns packet filters. Once that change was committed I proceeded to test it out on one of the Fire TVs and bam, it worked!

I didn't see a whole lot of traffic being blocked before the change. The one entry on the traffic monitor that tipped me off was:

2015-03-09 16:52:26 Deny x.x.x.x 176.32.101.52 https/tcp 47763 443 3-vlan 0-External ProxyDrop: HTTPS timeout (HTTPS-proxy-00) proc_id="https-proxy" rc="594" msg_id="2CFF-0008"

The 176.32.101.52 belongs to one of Amazon's CDNs. I also discovered that the Amazon Fire TVs don't like non-U.S. DNS servers. All is well now. Note to self: never use proxy policy types for things like media.
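As an added example that is not part of the original post, here is a small Python parser for traffic-log lines in the shape quoted above; it counts ProxyDrop denies per inbound interface, source, destination and proxy policy, so a single timeout entry buried among allowed traffic stands out. The sample lines are constructed; only the destination 176.32.101.52, the rc and msg_id values and the policy names are taken from the post, and the private source addresses are made up.

```python
import re
from collections import Counter

# Constructed sample traffic-log lines (not real logs). Source addresses and the
# Allow line are invented for the example; the Deny lines mirror the post's entry.
SAMPLE_LOG = """\
2015-03-09 16:52:26 Deny 10.3.0.21 176.32.101.52 https/tcp 47763 443 3-vlan 0-External ProxyDrop: HTTPS timeout (HTTPS-proxy-00) proc_id="https-proxy" rc="594" msg_id="2CFF-0008"
2015-03-09 16:52:31 Allow 10.3.0.21 203.0.113.10 https/tcp 47764 443 3-vlan 0-External Allowed (HTTPS-proxy-00) proc_id="https-proxy" rc="100" msg_id="0000-0000"
2015-03-09 16:53:02 Deny 10.3.0.21 176.32.101.52 https/tcp 47765 443 3-vlan 0-External ProxyDrop: HTTPS timeout (HTTPS-proxy-00) proc_id="https-proxy" rc="594" msg_id="2CFF-0008"
2015-03-09 16:53:40 Deny 10.2.0.5 198.51.100.7 http/tcp 51000 80 2-vlan 0-External ProxyDrop: HTTP timeout (HTTP-proxy-00) proc_id="http-proxy" rc="594" msg_id="2CFF-0008"
"""

# Field layout assumed from the quoted entry: timestamp, action, src, dst, proto,
# sport, dport, inbound interface, outbound interface, free-text message,
# optional "(policy name)", then key="value" pairs.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>Allow|Deny) '
    r'(?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) (?P<sport>\d+) (?P<dport>\d+) '
    r'(?P<in_if>\S+) (?P<out_if>\S+) (?P<msg>.*?)(?: \((?P<policy>[^)]+)\))? '
    r'(?P<kv>(?:\w+="[^"]*"\s*)+)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Flatten the trailing proc_id/rc/msg_id pairs into the record.
    rec.update(KV_RE.findall(rec.pop('kv')))
    return rec


def proxy_drops(log_text):
    """Count Deny lines whose message starts with 'ProxyDrop:', keyed by
    (inbound interface, source, destination, proxy policy)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['action'] == 'Deny' and rec['msg'].startswith('ProxyDrop:'):
            counts[(rec['in_if'], rec['src'], rec['dst'], rec['policy'])] += 1
    return counts


if __name__ == '__main__':
    for key, n in proxy_drops(SAMPLE_LOG).most_common():
        print(n, *key)
```

Sorting the counter by inbound interface shows which VLAN's hosts are repeatedly timing out in a proxy policy and are candidates for a plain packet-filter policy instead.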