FortiGate
mforbes
Staff
Article Id 195422

Description

This article describes how to allow access to and playback of YouTube.com videos while blocking the Streaming Media category.


Scope

FortiGate.


Solution

  1. Web Rating Overrides. Go to Security Profiles -> Web Rating Overrides. Add the following URLs:


youtube.com
google.video.com
ad.doubleclick.net
gstatic.com
ytimg.com
ggpht.com
2mdn.net
google.com
youtube-nocookie.com
googleads.g.doubleclick.net
cm.g.doubleclick.net
googleads4.g.doubleclick.net
l1.ytimg.com
www.youtube.com
googletagservices.com
googlesyndication.com
googlevideo.com
googleadservices.com
doubleclick.net
googleapis.com
apis.google.com

These are some of the common URLs that YouTube.com also loads. Not every YouTube.com page is the same, so adding these additional URLs to the override lets the pages render correctly. Without them, some pages will not display correctly and video playback may stop.

Set the Override Category to 'custom1'.

[Screenshot: Web rating override]

 

  2. Web Filter Profile. Go to Security Profiles -> Web Filter. Create a new Web Filter profile, named 'youtube_allow' in this example. Set the Inspection Mode to 'Proxy'. Under Local Categories, allow 'custom1'.

 

[Screenshot: Local category]

 

Block 'Internet Radio and TV' and 'Streaming Media and Download'. Do not block 'Social Media'; YouTube.com is not considered part of that category, so blocking it is not needed here.


[Screenshot: Web filter profile]

 

CLI:

This configuration can also be set from the CLI. Local Categories:

 

config webfilter ftgd-local-cat
    edit "custom1"
        set id 140
    next
    edit "custom2"
        set id 141
    next
end

Web Rating Override:

config webfilter ftgd-local-rating
    edit "youtube.com"
        set rating 140
    next
    edit "google.video.com"
        set rating 140
    next
    edit "ad.doubleclick.net"
        set rating 140
    next
    edit "gstatic.com"
        set rating 140
    next
    edit "ytimg.com"
        set rating 140
    next
    edit "2mdn.net"
        set rating 140
    next
    edit "google.com"
        set rating 140
    next
    edit "youtube-nocookie.com"
        set rating 140
    next
    edit "googleads.g.doubleclick.net"
        set rating 140
    next
    edit "cm.g.doubleclick.net"
        set rating 140
    next
    edit "googleads4.g.doubleclick.net"
        set rating 140
    next
    edit "l1.ytimg.com"
        set rating 140
    next
    edit "www.youtube.com"
        set rating 140
    next
    edit "googletagservices.com"
        set rating 140
    next
    edit "googlesyndication.com"
        set rating 140
    next
    edit "googlevideo.com"
        set rating 140
    next
    edit "googleadservices.com"
        set rating 140
    next
    edit "doubleclick.net"
        set rating 140
    next
    edit "googleapis.com"
        set rating 140
    next
end

 

Firewall Policy:

config firewall policy
    edit 6
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set comments "test-policy"
        set webfilter-profile "youtube_allow"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

 

Troubleshooting:

 

diagnose debug disable
diagnose debug reset

diagnose debug urlfilter src-addr 192.168.30.100
diagnose debug application urlfilter -1
diagnose debug enable

 

To stop the debug, run the following commands:

diagnose debug disable
diagnose debug reset

 

To collect the session list for the same source address, use the following CLI commands:

 

diagnose system session filter src 192.168.30.100

diagnose system session list

 

To clear the session filter, use the following command:


diagnose system session filter clear


Open the web page 'www.youtube.com'. The URLs it loads will match the web rating overrides (cat=140, cat_desc="custom1" in the output below). Any hostname that appears in the 'hostname' field of the debug output but is rated under a different category is one that still has to be added to the override list.

Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65107 dst=172.217.4.110 dport=443 service="https" cat=140 cat_desc="custom1" hostname="www.youtube.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=clients1.google.com:80, id=1568, vfname='root', vfid=0, profile='youtube_allow', type=0, client=192.168.30.100, url_source=1, url="/ocsp"

Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65108 dst=172.217.4.110 dport=80 service="http" cat=140 cat_desc="custom1" hostname="clients1.google.com" url="/ocsp"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=fonts.gstatic.com:443, id=1569, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"

Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65110 dst=172.217.4.99 dport=443 service="https" cat=140 cat_desc="custom1" hostname="fonts.gstatic.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=s.ytimg.com:443, id=1570, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"

Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65112 dst=172.217.4.110 dport=443 service="https" cat=140 cat_desc="custom1" hostname="s.ytimg.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=i.ytimg.com:443, id=1571, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"

Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65114 dst=172.217.4.110 dport=443 service="https" cat=140 cat_desc="custom1" hostname="i.ytimg.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=pubads.g.doubleclick.net:443, id=1572, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"

Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65123 dst=172.217.4.97 dport=443 service="https" cat=140 cat_desc="custom1" hostname="tpc.googlesyndication.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=s0.2mdn.net:443, id=1577, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"

Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65127 dst=216.58.216.66 dport=443 service="https" cat=140 cat_desc="custom1" hostname="googleads4.g.doubleclick.net" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=clients1.google.com:80, id=1580, vfname='root', vfid=0, profile='youtube_allow', type=0, client=192.168.30.100, url_source=1, url="/ocsp"

Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65140 dst=172.217.4.102 dport=443 service="https" cat=140 cat_desc="custom1" hostname="ad.doubleclick.net" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=accounts.google.com:443, id=1588, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"

Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65131 dst=172.217.4.102 dport=443 service="https" cat=140 cat_desc="custom1" hostname="s0.2mdn.net" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=pagead2.googlesyndication.com:443, id=1583, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"

Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65132 dst=216.58.192.194 dport=443 service="https" cat=140 cat_desc="custom1" hostname="pagead2.googlesyndication.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=www.gstatic.com:443, id=1584, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"

Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65134 dst=172.217.4.99 dport=443 service="https" cat=140 cat_desc="custom1" hostname="www.gstatic.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=apis.google.com:443, id=1585, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"

Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65146 dst=74.125.207.239 dport=443 service="https" cat=140 cat_desc="custom1" hostname="content.googleapis.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=clients1.google.com:80, id=1592, vfname='root', vfid=0, profile='youtube_allow', type=0, client=192.168.30.100, url_source=1, url="/ocsp"

Url matches local rating
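To check the debug output against the override list, here is an added Python example (not Fortinet's code and not part of the original article): it extracts every hostname the urlfilter debug prints, reports which override entry rates it (a parent-domain entry such as ytimg.com covers s.ytimg.com, as the output above shows), lists the hosts that have no entry, and renders those as a ftgd-local-rating block ready for the CLI. The sample debug lines are constructed in the page's format; the blocked line's action codes are placeholders, not real values.

```python
import re

# Override list from the page (ggpht.com and apis.google.com are in the GUI list only).
OVERRIDES = [
    "youtube.com", "google.video.com", "ad.doubleclick.net", "gstatic.com",
    "ytimg.com", "ggpht.com", "2mdn.net", "google.com", "youtube-nocookie.com",
    "googleads.g.doubleclick.net", "cm.g.doubleclick.net", "googleads4.g.doubleclick.net",
    "l1.ytimg.com", "www.youtube.com", "googletagservices.com", "googlesyndication.com",
    "googlevideo.com", "googleadservices.com", "doubleclick.net", "googleapis.com",
    "apis.google.com",
]
# Constructed sample in the page's debug format; the last line is a constructed miss (placeholder action codes).
SAMPLE_DEBUG = """\
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65110 dst=172.217.4.99 dport=443 service="https" cat=140 cat_desc="custom1" hostname="fonts.gstatic.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=clients1.google.com:80, id=1568, vfname='root', vfid=0, profile='youtube_allow', type=0, client=192.168.30.100, url_source=1, url="/ocsp"
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65146 dst=74.125.207.239 dport=443 service="https" cat=140 cat_desc="custom1" hostname="content.googleapis.com" url="/"
action=?(ftgd-block) wf-act=?(BLOCK) user="N/A" src=192.168.30.100 sport=65150 dst=203.0.113.10 dport=443 service="https" cat=24 cat_desc="Streaming Media and Download" hostname="cdn.example.test" url="/"
"""
HOST_RE = re.compile(r'hostname="([^"]+)"')
DEST_RE = re.compile(r'\bd=([A-Za-z0-9.-]+):\d+')

def hosts_seen(debug_text):
    """Hostnames from rating lines and from the proxy 'd=host:port' lines, in first-seen order."""
    seen = []
    for line in debug_text.splitlines():
        m = HOST_RE.search(line) or DEST_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def covered_by(host, overrides):
    """Override entry that rates host: exact match or parent domain, longest wins.
    The leading-dot check stops 'evilyoutube.com' from matching 'youtube.com'."""
    hits = [o for o in overrides if host == o or host.endswith("." + o)]
    return max(hits, key=len) if hits else None

def audit(debug_text, overrides):
    """Map covered hosts to the entry that rates them; list hosts that have no entry."""
    covered, missing = {}, []
    for host in hosts_seen(debug_text):
        o = covered_by(host, overrides)
        if o:
            covered[host] = o
        else:
            missing.append(host)
    return covered, missing

def cli_for(hosts, rating=140):
    """Render hosts as a 'config webfilter ftgd-local-rating' block (custom1 is id 140)."""
    body = "".join(f'    edit "{h}"\n        set rating {rating}\n    next\n' for h in hosts)
    return "config webfilter ftgd-local-rating\n" + body + "end\n"
```

Paste the real debug capture in place of SAMPLE_DEBUG; the rendered block for the missing hosts can be applied as-is on the CLI.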

      

To block YouTube or other applications using Application Control instead, see the steps in Technical Tip: How to block particular application using Application Control Filter.