Content Inspection - Video- Radio-Streams, Speedtests-Problems

edited August 1 in Firebox - Proxies

Hi,

i did enable "Content Inspection" @ M370 (including Webblocker, AV and more). Websites are loading. Even for example youtube, but the videos dont run. Even radio-Streams or speedtest (like google speedtest) dont start. I disabled Webblocker, Antivirus, but it still doesnt work.

Do you have any idea?

Thanks

Mo

Comments

  • Did you install the firewall certificate on your PCs?

  • edited August 1

    Hi,

    thanks. Yes, i did.

    Mo

  • What do you see in Traffic Monitor when you try one of these accesses?
    Seems like something is being stripped or denied

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @MoSeSe

    What does the browser say when portions of the page are not loading properly? Do you see any certificate warnings (either in the address bar, or in developer mode via the network tab)

    The instructions to generate a HAR file will get you in developer mode so you can seee more errors:
    (Generate a HAR file)
    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000WOm9SAG&lang=en_US

    If you haven't done so I'd suggest opening a support case.

    -James Carson
    WatchGuard Customer Support

  • @MoSeSe when you enabled the inspect mode in the HTTPS-proxy what (HTTP) Proxy Action did you chose?
    The default HTTP-Client.Standard, HTTP-Client or your own customer action?
    Please try to change to the default HTTP-Client.Standard action…

  • @Bruce_Briggs said:
    What do you see in Traffic Monitor when you try one of these accesses?
    Seems like something is being stripped or denied

    Hi,

    for example radio stream:

    2025-07-31 09:57:38 Member1 Allow XX.XXX.XXX.XXX XXX.XXX.XXX.XX https/tcp 58574 443 LAN HTPEXT HTTP request (LAN--WAN--HTTPS-proxy-Inspect-00) HTTP-Client.Standard-WebBlocker-AV proc_id="http-proxy" rc="525" msg_id="1AFF-0024" proxy_act="HTTP-Client.Standard-WebBlocker-AV" op="GET" dstname="www.gstatic.com" arg="/cast/sdk/libs/sender/1.0/cast_framework.js" sent_bytes="690" rcvd_bytes="356" elapsed_time="0.031227 sec(s)" geo_dst="USA" Traffic
    2025-07-31 09:57:38 Member1 Allow XX.XXX.XXX.XXX XXX.XXX.XXX.XX https/tcp 58574 443 LAN HTPEXT ProxyAllow: HTTP Request categories (LAN--WAN--HTTPS-proxy-Inspect-00) HTTP-Client.Standard-WebBlocker-AV proc_id="http-proxy" rc="590" msg_id="1AFF-0021" proxy_act="HTTP-Client.Standard-WebBlocker-AV" cats="Web Infrastructure" op="GET" dstname="www.gstatic.com" arg="/cast/sdk/libs/sender/1.0/cast_framework.js" action="test_WebBlocker" geo_dst="USA" Traffic
    2025-07-31 09:57:38 Member1 Allow XX.XXX.XXX.XXX XX.XXX.XX.XX https/tcp 58571 443 LAN HTPEXT HTTP request (LAN--WAN--HTTPS-proxy-Inspect-00) HTTP-Client.Standard-WebBlocker-AV proc_id="http-proxy" rc="525" msg_id="1AFF-0024" proxy_act="HTTP-Client.Standard-WebBlocker-AV" op="POST" dstname="lwqvhgk.pa-cd.com" arg="/event?s=624843&idclient=mdpip53axkjldf4a" sent_bytes="3724" rcvd_bytes="474" elapsed_time="0.028550 sec(s)" geo_dst="USA" Traffic
    2025-07-31 09:57:38 Member1 Allow XX.XXX.XXX.XXX XXX XX.XXX.XX.XX https/tcp 58571 443 LAN HTPEXT ProxyAllow: HTTP Request categories (LAN--WAN--HTTPS-proxy-Inspect-00) HTTP-Client.Standard-WebBlocker-AV proc_id="http-proxy" rc="590" msg_id="1AFF-0021" proxy_act="HTTP-Client.Standard-WebBlocker-AV" cats="Web Infrastructure" op="POST" dstname="lwqvhgk.pa-cd.com" arg="/event?s=624843&idclient=mdpip53axkjldf4a" action="test_WebBlocker" geo_dst="USA" Traffic
    2025-07-31 09:57:38 Member1 Allow XX.XXX.XXX.XXX XXX.XX.XX.XXX https/tcp 58575 443 LAN HTPEXT HTTP request (LAN--WAN--HTTPS-proxy-Inspect-00) HTTP-Client.Standard-WebBlocker-AV proc_id="http-proxy" rc="525" msg_id="1AFF-0024" proxy_act="HTTP-Client.Standard-WebBlocker-AV" op="GET" dstname="wdrhf.akamaized.net" arg="/hls/live/2027966/wdr2rheinland/master.m3u8" sent_bytes="635" rcvd_bytes="1087" elapsed_time="0.006641 sec(s)" geo_dst="DEU" Traffic
    2025-07-31 09:57:38 Member1 Allow XX.XXX.XXX.XXX XXX.XX.XX.XXX https/tcp 58575 443 LAN HTPEXT HTTP request (LAN--WAN--HTTPS-proxy-Inspect-00) HTTP-Client.Standard-WebBlocker-AV proc_id="http-proxy" rc="525" msg_id="1AFF-0024" proxy_act="HTTP-Client.Standard-WebBlocker-AV" op="GET" dstname="wdrhf.akamaized.net" arg="/hls/live/2027966/wdr2rheinland/master.m3u8" sent_bytes="635" rcvd_bytes="1087" elapsed_time="0.018219 sec(s)" geo_dst="DEU" Traffic
    2025-07-31 09:57:38 Member1 Allow XX.XXX.XXX.XXX XXX.XX.XX.XXX https/tcp 58575 443 LAN HTPEXT ProxyAllow: HTTP Request categories (LAN--WAN--HTTPS-proxy-Inspect-00) HTTP-Client.Standard-WebBlocker-AV proc_id="http-proxy" rc="590" msg_id="1AFF-0021" proxy_act="HTTP-Client.Standard-WebBlocker-AV" cats="Information Technology" op="GET" dstname="wdrhf.akamaized.net" arg="/hls/live/2027966/wdr2rheinland/master.m3u8" action="test_WebBlocker" geo_dst="DEU" Traffic
    2025-07-31 09:57:38 Member1 Allow XX.XXX.XXX.XXX XXX.XX.XX.XXX https/tcp 58575 443 LAN HTPEXT ProxyAllow: HTTP Request categories (LAN--WAN--HTTPS-proxy-Inspect-00) HTTP-Client.Standard-WebBlocker-AV proc_id="http-proxy" rc="590" msg_id="1AFF-0021" proxy_act="HTTP-Client.Standard-WebBlocker-AV" cats="Information Technology" op="GET" dstname="wdrhf.akamaized.net" arg="/hls/live/2027966/wdr2rheinland/master.m3u8" action="test_WebBlocker" geo_dst="DEU" Traffic
    2025-07-31 09:57:38 Member1 Allow XX.XXX.XXX.XXX XX.XX.XXX.XXXhttps/tcp 58563 443 LAN HTPEXT HTTP request (LAN--WAN--HTTPS-proxy-Inspect-00) HTTP-Client.Standard-WebBlocker-AV proc_id="http-proxy" rc="525" msg_id="1AFF-0024" proxy_act="HTTP-Client.Standard-WebBlocker-AV" op="GET" dstname="www1.wdr.de" arg="/radio/player/radioplayer104~_layout-popupVersion.html" sent_bytes="1065" rcvd_bytes="5028" elapsed_time="0.012111 sec(s)" geo_dst="DEU" Traffic
    2025-07-31 09:57:38 Member1 http-proxy 0x12e0e30-3913790 19795504:3913790: nondata_event: DATA_INTERNAL(157): 1434: XX.XXX.XXX.XXX:58575 -> XXX.XX.XX.XXX:443 [A] {B} Debug
    2025-07-31 09:57:38 Member1 http-proxy 0x12e0e30-3913790 19795504:3913790: nondata_event: DATA_INTERNAL(157): 1434: XX.XXX.XXX.XXX:58575 -> XXX.XX.XX.XXX:443 [A] {B} Debug
    2025-07-31 09:57:38 Member1 http-proxy 0x29c5190-4491011 43798928:4491011: nondata_event: DATA_INTERNAL(157): 252: XX.XXX.XXX.XXX:58563 -> XX.XX.XXX.XXX:443 [A] {B} Debug
    2025-07-31 09:57:38 Member1 http-proxy 0xad8140-4491028 11370816:4491028: nondata_event: DATA_INTERNAL(157): 292: XX.XXX.XXX.XXX:58571 -> XX.XXX.XX.XX:443 [A t] {X} Debug
    2025-07-31 09:57:40 Member1 https-proxy 0x1ad4360-3994784 129: XX.XXX.XXX.XXX:54561 -> XXX.XXX.XXX.XXX:443 [A t] {N}: got 103 bytes of data Debug

    Please let me know, if there is any information i shouldnt have published.

    Thanks

    Mo

  • @kimmo.pohjoisaho said:
    @MoSeSe when you enabled the inspect mode in the HTTPS-proxy what (HTTP) Proxy Action did you chose?
    The default HTTP-Client.Standard, HTTP-Client or your own customer action?
    Please try to change to the default HTTP-Client.Standard action…

    Hi,

    thanks. I hope, i understood rigtht:

  • edited August 3

    @james.carson said:
    Hi @MoSeSe

    What does the browser say when portions of the page are not loading properly? Do you see any certificate warnings (either in the address bar, or in developer mode via the network tab)

    The instructions to generate a HAR file will get you in developer mode so you can seee more errors:
    (Generate a HAR file)
    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000WOm9SAG&lang=en_US

    If you haven't done so I'd suggest opening a support case.

    Hi,

    youtube for example there ist no warning. All is fine, but the video is black without any information. It seems, the video doesnt start. When im going to the bottom line with the mouse, i can see alle picture previews. And, very interesting, when i disable the content inspection, for the ip test computer, of course youtube works, when i am reactivating content inspection for this systems youtube seems now to work. radio stream the warning is "Playback error
    Unfortunately, this audio clip cannot be played. We ask for your understanding." I even cant start the google speedtest with warning "The test for measuring internet speed appears to be unavailable at the moment due to high demand. Please try again later." the speedtest wieistmeineip.de seems to start but runs and runs and runds @ 0%.

    developer mode: net::
    "ERR_FAILED 200 (OK)"
    "...has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."
    "net::ERR_FAILED"
    "ardplayer-wdr.js?t=20301:1 Uncaught (in promise) NotAllowedError: play() failed because the user didn't interact with the document first."

    I will try HAR today.

    I did open a support case.

    Thanks

  • Please check the following HTTPS-Proxy & content inspection config video I made couple years ago to some of our WG customers…
    https://app.screencast.com/1HYxSGyJD1mm1

    In the HTTP-Proxy settings, you configure what checks the firewall performs on web browsing traffic (HTTP and HTTPS).
    In the HTTPS-Proxy settings, you configure which HTTPS websites are checked and which HTTPS connections are not checked.

    The HTTPS-Proxy policy can be used in two ways.
    Without content inspection feature, the only UTM feature that can be used is WebBlocker.
    With content inspection enabled, now all the UTM features can be used to inspect HTTPS traffic.

    00:00 – 07:25
    Adding a HTTP-Proxy policy and configuring UTM settings in the HTTP-Proxy.
    Adding a HTTPS-Proxy policy without content inspection and a WebBlocker config.
    Browsing from a Windows workstation to veikkaus.fi (gambling site) that is blocked, the user does not see any WebBlocker block message.
    Browsing to some other websites and show how to check the HTTPS sites certificate details.

    07:30 – 09:15
    Enabling content inspection settings in the HTTPS-Proxy policy.
    Browsing from a Windows workstation now shows a certificate error and prevents browsing.

    09:20 – 11:10
    Firebox HTTPS-Proxy Authority certificate import to the Windows workstation.
    Browsing from the Windows workstation to veikkaus.fi (gambling site) that is again blocked, but now the user sees the WebBlocker block message.

    11:15 – 12:35
    Bypassing content inspection of OP.fi (bank) website in the HTTPS-Proxy policy under Domain Name settings.
    Browsing from the Windows workstation to the OP.fi (bank) site that is bypassing the content inspection.
    The sites certificate is now displayed with the bank's own certificate info.

    12:36 – 15:49
    Change the Content Inspection to use WebBlocker category in HTTPS-Proxy policy. (recommended way to configure content inspection in the HTTPS-Proxy)
    Bypassing bank web sites in WebBlocker categories in HTTPS-Proxy
    Now all bank websites are now bypassing the content inspection and are using the bank's own certificates.
    Other websites are inspected and are using the Fireware HTTPS Proxy certificate.

  • @james.carson said:
    Hi @MoSeSe

    What does the browser say when portions of the page are not loading properly? Do you see any certificate warnings (either in the address bar, or in developer mode via the network tab)

    The instructions to generate a HAR file will get you in developer mode so you can seee more errors:
    (Generate a HAR file)
    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000WOm9SAG&lang=en_US

    If you haven't done so I'd suggest opening a support case.

    Hi james.carson,

    did my informatino help, or do you still need HAR?

    Thanks a lot

    MoSeSe

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @MoSeSe
    I would suggest opening a support case.

    -James Carson
    WatchGuard Customer Support

  • @kimmo.pohjoisaho said:
    Please check the following HTTPS-Proxy & content inspection config video I made couple years ago to some of our WG customers…
    https://app.screencast.com/1HYxSGyJD1mm1

    In the HTTP-Proxy settings, you configure what checks the firewall performs on web browsing traffic (HTTP and HTTPS).
    In the HTTPS-Proxy settings, you configure which HTTPS websites are checked and which HTTPS connections are not checked.

    The HTTPS-Proxy policy can be used in two ways.
    Without content inspection feature, the only UTM feature that can be used is WebBlocker.
    With content inspection enabled, now all the UTM features can be used to inspect HTTPS traffic.

    00:00 – 07:25
    Adding a HTTP-Proxy policy and configuring UTM settings in the HTTP-Proxy.
    Adding a HTTPS-Proxy policy without content inspection and a WebBlocker config.
    Browsing from a Windows workstation to veikkaus.fi (gambling site) that is blocked, the user does not see any WebBlocker block message.
    Browsing to some other websites and show how to check the HTTPS sites certificate details.

    07:30 – 09:15
    Enabling content inspection settings in the HTTPS-Proxy policy.
    Browsing from a Windows workstation now shows a certificate error and prevents browsing.

    09:20 – 11:10
    Firebox HTTPS-Proxy Authority certificate import to the Windows workstation.
    Browsing from the Windows workstation to veikkaus.fi (gambling site) that is again blocked, but now the user sees the WebBlocker block message.

    11:15 – 12:35
    Bypassing content inspection of OP.fi (bank) website in the HTTPS-Proxy policy under Domain Name settings.
    Browsing from the Windows workstation to the OP.fi (bank) site that is bypassing the content inspection.
    The sites certificate is now displayed with the bank's own certificate info.

    12:36 – 15:49
    Change the Content Inspection to use WebBlocker category in HTTPS-Proxy policy. (recommended way to configure content inspection in the HTTPS-Proxy)
    Bypassing bank web sites in WebBlocker categories in HTTPS-Proxy
    Now all bank websites are now bypassing the content inspection and are using the bank's own certificates.
    Other websites are inspected and are using the Fireware HTTPS Proxy certificate.

    Hi kimmo.pohjoisaho,

    thanks a lot. I tried a lot and i will try on. Ill keep you updated.

    MoSeSe

  • I think your problem is not the HTTPS-Proxy action, but the HTTP-proxy action you are using to do inspect.
    In the HTTPS-Proxy action, you configure what websites are going to be inspected and what websites are not inspected.
    In the HTTP-Proxy action, you then configure what kind of inspecting is done to the websites.
    You are probably using and old HTTP-Proxy action that has many outdated configurations that aren’t really working anymore with modern websites.
    Nowadays, many modern websites use custom HTTP “X-” headers and if these custom headers are stripped these websites aren’t working correct anymore.
    I would increase the “Set the maximum URL path length to” 16384 from the default 4096 value, both in HTTP Request and HTTP Response General Settings.

    Security is achieved with the UTM security services, not by denying some HTTP headers.
    The idea is more to use the Firebox devices UTM security services to protect your networks and users from attacks and harmful data.

    Proxy actions are powerful tools and better suited to example control some web traffic by denying *.exe file downloads
    or denying example on-line media content with denying HTTP headers, etc...
    For normal daily web browsing, I would use the default “open” HTTP-Client.Standard action + UTM Security services!

    Check following video where I show my new best practice HTTP Proxy action that is based on the WG Cloud Managed Firebox proxy action + couple setting
    that I have enabled.

    https://app.screencast.com/zooMlmsGhhJpS

  • @kimmo.pohjoisaho said:
    I think your problem is not the HTTPS-Proxy action, but the HTTP-proxy action you are using to do inspect.
    In the HTTPS-Proxy action, you configure what websites are going to be inspected and what websites are not inspected.
    In the HTTP-Proxy action, you then configure what kind of inspecting is done to the websites.
    You are probably using and old HTTP-Proxy action that has many outdated configurations that aren’t really working anymore with modern websites.
    Nowadays, many modern websites use custom HTTP “X-” headers and if these custom headers are stripped these websites aren’t working correct anymore.
    I would increase the “Set the maximum URL path length to” 16384 from the default 4096 value, both in HTTP Request and HTTP Response General Settings.

    Security is achieved with the UTM security services, not by denying some HTTP headers.
    The idea is more to use the Firebox devices UTM security services to protect your networks and users from attacks and harmful data.

    Proxy actions are powerful tools and better suited to example control some web traffic by denying *.exe file downloads
    or denying example on-line media content with denying HTTP headers, etc...
    For normal daily web browsing, I would use the default “open” HTTP-Client.Standard action + UTM Security services!

    Check following video where I show my new best practice HTTP Proxy action that is based on the WG Cloud Managed Firebox proxy action + couple setting
    that I have enabled.

    https://app.screencast.com/zooMlmsGhhJpS

    Hi,

    thanks again. I now set both to 16384 and looking forward to your other recommendations. Ill keep you updated again.

    Kind regards

    MoSeSe

  • @kimmo.pohjoisaho said:
    I think your problem is not the HTTPS-Proxy action, but the HTTP-proxy action you are using to do inspect.
    In the HTTPS-Proxy action, you configure what websites are going to be inspected and what websites are not inspected.
    In the HTTP-Proxy action, you then configure what kind of inspecting is done to the websites.
    You are probably using and old HTTP-Proxy action that has many outdated configurations that aren’t really working anymore with modern websites.
    Nowadays, many modern websites use custom HTTP “X-” headers and if these custom headers are stripped these websites aren’t working correct anymore.
    I would increase the “Set the maximum URL path length to” 16384 from the default 4096 value, both in HTTP Request and HTTP Response General Settings.

    Security is achieved with the UTM security services, not by denying some HTTP headers.
    The idea is more to use the Firebox devices UTM security services to protect your networks and users from attacks and harmful data.

    Proxy actions are powerful tools and better suited to example control some web traffic by denying *.exe file downloads
    or denying example on-line media content with denying HTTP headers, etc...
    For normal daily web browsing, I would use the default “open” HTTP-Client.Standard action + UTM Security services!

    Check following video where I show my new best practice HTTP Proxy action that is based on the WG Cloud Managed Firebox proxy action + couple setting
    that I have enabled.

    https://app.screencast.com/zooMlmsGhhJpS

    We haven't been able to solve the problem yet. WG Support is taking a closer look at it again.

Sign In to comment.