Keith Smith - My Blog

Packet filters converted to proxy policy types

Monday, March 9, 2015 - by Keith A. Smith

I decided to clean up and consolidate my firewall rule base last week. I originally had multiple rules for the same policy type for each subnet that need access, it ended up that way because I needed to get things up and running ASAP because the change took place late in the evening. Anyway I created some http-proxy, https-proxy and dns proxy policy types to lump all the vlans into, once that was done I tested most of the services and things seemed ok.

I found out on 3/7/15 that Netflix had not working in a few days; I took a look online twitter and etc and found others had issues also so I figured our problem with the amazon fire tv's could be related to that issue. I called Netflix and they were no help basically, so I had a thought...which was to split out the vlan that contains the amazon fire tv’s from the proxy policies and to place it in to a non proxy http, https and dns packet filter. Once that change was committed I proceeded to test it out on one of the fire tv's and bam it worked! I didn't see a whole lot of traffic being blocked before the change.

The one entry on the traffic monitor that tipped me off was

2015-03-09 16:52:26 Deny x.x.x.x 176.32.101.52 https/tcp 47763 443 3-vlan 0-External ProxyDrop: HTTPS timeout (HTTPS-proxy-00) proc_id="https-proxy" rc="594" msg_id="2CFF-0008"

The 176.32.101.52 belongs to one of amazon's cdn's

I also discovered that the amazon fire tv's don't like non u.s. dns servers.

All is well now. Note to self never use proxy policy types for things like media.

  Share Post   

View Comments Comments


Leave a Comment