daronor regintah ositha


Epicuro Kishore

Aug 2, 2024, 6:52:07 AM8/2/24
to fectsighpromov

Ok, don't shoot the messenger but I was asked to see if I could unblock the queue management area for Netflix but still block the streaming media part of it... We're using the URL filtering capabilities of the PA 2050 device and I have a policy defined that's based on an Active Directory user group to filter traffic. I'm not sure how I would go about doing this, any thoughts?

It's pretty basic, you're going to create a rule that precedes your URL filtering rule. The rule will be from trust to untrust, application will be "netflix" and action will be drop.

Has Palo Alto changed the Netflix signature recently? In September we had blocked the application per Phil's suggestion earlier in this thread and people were able to login and manage their queue but couldn't view any movies. This morning, though, I wasn't able to login anymore. Thanks --

@cshep: you would have to review all of the release notes to see what has changed between each version of the content update to see if PAN engineering have updated any particular application signature(s).

If you see the block in either the "traffic" or "threat" logs then that would be due to either an application update or an antivirus update. If you see the block in the URL filtering log then it is your URL filtering profiles that need examination.

I would say looking at the logs should give you an indication of what's going on with the block. I have a handful of preset filters for looking at that kind of thing. I'm running 3.1.4 code with the latest app and threat updates and have just noticed I'm unable to get to the netflix.com queue. I can get to the site's front page, however logging in doesn't happen. When I look at the traffic log I see a deny for netflix based on the app; I don't see anything blocked in the URL log for netflix so it's definitely the app. I'd have to look back as well but I'm guessing an app and threat update changed something.

If you require assistance resolving this issue I would suggest posting some screen shots of the traffic, URL filtering and threat logs to this thread so that we can do some detective work and find the root cause of the issue.

I am curious what the general take of the recent Netflix announcement is with regard to our ability to control the traffic. Announcement here. I have an opinion as to whether it is necessary, but that is another subject altogether.

It is clear there is only so much application ID that can occur if the data is encrypted, but can it be combined with URL rules to control the traffic? We would, for example, have to know all of the URLs/subnets that youtube (or Netflix) videos are streamed from. Is that even possible?

We have yet to implement any decryption, but I see that it is going to have to happen at some point. But if we implemented it, is anything going to be able to keep up with the decryption process when it is decrypting a bunch of streaming data?

With decryption, you have access to the sub-functions within that application (ie: being able to tell the difference between netflix queue management and streaming, or the difference between facebook-posting and facebook-file-transfer).

Jared is absolutely correct regarding using decryption to enable inspection. To address the performance concern: whether or not decryption has an appreciable effect on your performance depends entirely on *how much* you are decrypting. Each platform has specific upper limits in terms of the maximum number of concurrent decrypted sessions. The additional overhead caused by decryption will depend on this volume. You can limit the scope of decrypted traffic using different criteria (e.g. URL category). This approach will let you inspect things that need to be, like youtube, facebook, etc. while not wasting resources on sessions that probably don't need to be (e.g. online banking, healthcare, etc).

It depends if Netflix just wants to protect the name of the content being watched, or if they really want to hide the fact you watch Netflix at all. Like Jared said, you can see the domain name during the SSL/TLS handshake, so you will still be able to block Netflix if you want. After all, if a user cannot login to the main page, he won't be able to watch anything.

The problem I see is more with the QoS. The content is currently streamed from a lot of servers using domain names ending in *.nflxvideo.net. If Netflix encrypts those streams and changes the domain name to something less obvious, the firewall will see it as generic encrypted traffic and the QoS rule for Netflix won't match, unless you have a decryption rule in place. I guess there will also be the option of simply giving a low priority to generic encrypted traffic.

Maybe a better example is: Someone logs onto Google.com, then goes to youtube via the google apps link. Unless I am missing something, the PA is seeing this traffic as SSL as the call to google is already encrypted.

Bob, that's a perfect example. If google uses *.google.com as a certificate for all of their properties (including youtube, gmail, google-search, google-hangouts, etc.) then it will become increasingly difficult to identify, inspect, and secure the traffic within that SSL tunnel without performing SSL decryption.

Normally I do this by explaining the critical responsibilities and the necessary character traits and skills, but in this article I will be taking a very different approach. I want to instead introduce you to real people.

The products are all iconic, and everyone that reads this will know of every product I describe, but few people know the actual product managers behind these products. And fewer still know the back stories behind these successful products.

They focused on things like Word Count which is used 10 times a day by every press person to make sure that it was lightning fast, as the press used the feature as their performance barometer. They even made it faster than the feature on Windows.

In subsequent years, not only did Microsoft once again decide to diverge the code base, they completely separated the teams into different buildings and business units, and had them fully embrace all things Mac. Strategically it was a complete 180.

But back in 1999, a then very young Netflix, based in Los Gatos with fewer than 20 employees, was on the edge of going bust. They had a couple of experienced co-founders, including the now legendary Reed Hastings, but the problem was that they were stuck at about 300,000 customers.

Even worse, DVD sales were starting to lag, and a Hollywood backlash further muddied the situation. Then there were challenges with fulfillment logistics, difficulty maintaining DVD quality, and trying to figure out how to do all this in a way that covered costs and generated some cash.

They knew they needed to somehow get customers to want a blend of expensive and less expensive titles. Necessity being the mother of invention, this is where the queue, the ratings system, and the recommendation engine all came from. Those were the technology-powered innovations that enabled the new, much more desirable business model.

They also re-wrote the billing system to handle the monthly subscription model (a funny little side story is that they actually launched without this as they had the 30 day free trial month, which bought them the extra time they needed).

Between working with the co-founders on the strategy, validating concepts with the users, assessing the analytics, driving features and functionality with the team, and working with finance on the new business model, marketing on acquisition, and the warehouse on fulfillment, you can imagine the workload Kate faced on a daily basis.

Yet the team got the new service up and running and used this to power and grow their business for another 7 years, until they disrupted themselves again by moving aggressively to the streaming model.

The new sales team, under Omid Kordistani, was off to a strong start selling keywords to large brands and placing the results at the top of the search results, highlighted as an ad, but still very prominent, much in the style that had been done in search results at other companies, including at Netscape where Omid came from. Sales was nervous that this idea of a self-service advertising platform would diminish the value of what the sales team was trying to sell.

And the engineers, who had been working so hard to provide highly relevant search results, were understandably very worried that users would be confused and frustrated by ads getting in the way of their search results.

This is yet another example of how there are always so many good reasons for products not to get built. In the products that succeed, there is always someone like Jane behind the scenes working to get over each and every one of the objections, be they technical or business or anything else.

One such early possibility she found was city center venues that had these large electronic billboard screens that were capable of video. But she observed that these venues were just playing the same thing you could watch on your television at home, even though the context and audience were very different.

So Alex proposed a series of experiments where she would have editorial teams assemble specific tailored content suitable for specific venues and audiences, and then she would measure the audience reach and engagement.

Camille was a product manager on the iTunes team at Apple, and as you might imagine with such a disruptive and ground-breaking product, she experienced and learned a great deal during her formative product years at Apple, especially as she was there during the years when iTunes moved from its original DRM-based music to DRM-free, which was critical in helping iTunes become truly mass market.
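The firewall discussion earlier in this message makes two points worth seeing in code: the server name is visible in the TLS handshake (so a domain-based block or QoS rule can still match without decryption), and a stream moved to a less obvious name falls through to "generic encrypted traffic". The script below is an added example, not code from the thread or from Palo Alto Networks: it builds a constructed ClientHello, extracts the SNI from it the way an inspection device would, and evaluates it against a small top-down rulebase. The hostnames and the rulebase (patterns, action names) are constructed for illustration; only *.nflxvideo.net and netflix.com come from the thread.

```python
import struct
from typing import List, Optional, Tuple

# Constructed rulebase: evaluated top-down, first match wins, like a firewall policy.
# Action names are illustrative placeholders, not PAN-OS settings.
POLICY: List[Tuple[str, str]] = [
    ("*.nflxvideo.net", "qos-low"),   # stream CDN names mentioned in the thread
    ("*.netflix.com", "allow"),       # queue management / login front end
    ("netflix.com", "allow"),
]


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record (constructed input for the parser)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name entry
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # server_name ext
    # An unrelated extension (supported_versions) so the parser has to skip one.
    exts += struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    body = (
        b"\x03\x03" + bytes(32)                 # client_version + 32-byte random
        + b"\x00"                               # session id length 0
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
        + b"\x01\x00"                           # one compression method (null)
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a ClientHello record, or None if absent/malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                                   # not a handshake record
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                                   # not a ClientHello
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                      # skip version + random
        pos += 1 + body[pos]                              # skip session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
        pos += 1 + body[pos]                              # skip compression methods
        if pos + 2 > len(body):
            return None                                   # no extensions at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue                                  # not server_name, skip it
            lpos = 2                                      # skip server_name_list length
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                lpos += 3
                if ntype == 0:                            # name_type host_name
                    return data[lpos:lpos + nlen].decode("ascii", "replace")
                lpos += nlen
        return None
    except (IndexError, struct.error):
        return None                                       # truncated record


def match_policy(hostname: Optional[str], rules=POLICY, default="generic-ssl") -> str:
    """First-match lookup; traffic with no usable name falls through to the default."""
    if hostname is None:
        return default
    host = hostname.lower().rstrip(".")
    for pattern, action in rules:
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):                # any subdomain of the suffix
                return action
        elif host == pattern:
            return action
    return default


if __name__ == "__main__":
    for name in ["example-edge.nflxvideo.net", "www.netflix.com", "cdn.example.net", None]:
        sni = extract_sni(build_client_hello(name))
        print(f"{name!s:32} -> sni={sni!s:32} action={match_policy(sni)}")
```

The last two cases are the ones the thread worries about: a stream served from a name that no rule covers, or a client that sends no SNI at all, both land on the default action, which is exactly why the poster suggests giving generic encrypted traffic a low QoS priority or adding a decryption rule for the categories that need inspection.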
