Description
This article describes how to allow access to and playback of YouTube.com videos when blocking the Streaming Media category.
Scope
All FortiGate units.
Solution
- Web Rating Overrides.
Go to Security Profiles -> Advanced -> Web Rating Overrides.
Add the following URLs:
youtube.com
google.video.com
ad.doubleclick.net
gstatic.com
ytimg.com
2mdn.net
google.com
youtube-nocookie.com
googleads.g.doubleclick.net
cm.g.doubleclick.net
googleads4.g.doubleclick.net
l1.ytimg.com
www.youtube.com
googletagservices.com
googlesyndication.com
googlevideo.com
googleadservices.com
doubleclick.net
googleapis.com
These are some of the common URLs that YouTube.com also accesses. Not every YouTube.com page is the same, so adding these additional URLs to the override will let the pages render correctly. Failing to do this will cause some pages to display incorrectly or even stop video playback.
Set the Override Category to "custom1".
- Web Filter Profile.
Go to Security Profiles -> Web Filter. Create a new Web Filter profile. In this example, it is named 'youtube_allow'. Set Inspection Mode to 'Proxy'. Under Local Categories, allow 'custom1'. Under Bandwidth Consuming, block 'Internet Radio' and 'Streaming Media and Download'. Under General Interest - Personal, do not block 'Social Media'. YouTube.com is not considered part of this environment.
CLI.
This configuration can also be set from the CLI.
Local Categories.
config webfilter ftgd-local-cat
    edit "custom1"
        set id 140
    next
    edit "custom2"
        set id 141
    next
end
Web Rating Override.
config webfilter ftgd-local-rating
    edit "youtube.com"
        set rating 140
    next
    edit "google.video.com"
        set rating 140
    next
    edit "ad.doubleclick.net"
        set rating 140
    next
    edit "gstatic.com"
        set rating 140
    next
    edit "ytimg.com"
        set rating 140
    next
    edit "2mdn.net"
        set rating 140
    next
    edit "google.com"
        set rating 140
    next
    edit "youtube-nocookie.com"
        set rating 140
    next
    edit "googleads.g.doubleclick.net"
        set rating 140
    next
    edit "cm.g.doubleclick.net"
        set rating 140
    next
    edit "googleads4.g.doubleclick.net"
        set rating 140
    next
    edit "l1.ytimg.com"
        set rating 140
    next
    edit "www.youtube.com"
        set rating 140
    next
    edit "googletagservices.com"
        set rating 140
    next
    edit "googlesyndication.com"
        set rating 140
    next
    edit "googlevideo.com"
        set rating 140
    next
    edit "googleadservices.com"
        set rating 140
    next
    edit "doubleclick.net"
        set rating 140
    next
    edit "googleapis.com"
        set rating 140
    next
end
Firewall Policy.
config firewall policy
    edit 6
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set comments "test-policy"
        set webfilter-profile "youtube_allow"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
Troubleshooting.
FWF60C3G12000081 # di de urlfilter src-addr 192.168.30.100
FWF60C3G12000081 # di de application urlfilter -1
FWF60C3G12000081 # diag sys session filter src 192.168.30.100
FWF60C3G12000081 # diag sys session filter clear
FWF60C3G12000081 # di de en
Open youtube.com in a browser. Requests will match the Web Rating Overrides, as in the output that follows. Any additional URLs that appear under 'hostname' will also need to be added.
Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65107 dst=172.217.4.110 dport=443 service="https" cat=140 cat_desc="custom1" hostname="www.youtube.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=clients1.google.com:80, id=1568, vfname='root', vfid=0, profile='youtube_allow', type=0, client=192.168.30.100, url_source=1, url="/ocsp"
Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65108 dst=172.217.4.110 dport=80 service="http" cat=140 cat_desc="custom1" hostname="clients1.google.com" url="/ocsp"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=fonts.gstatic.com:443, id=1569, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"
Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65110 dst=172.217.4.99 dport=443 service="https" cat=140 cat_desc="custom1" hostname="fonts.gstatic.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=s.ytimg.com:443, id=1570, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"
Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65112 dst=172.217.4.110 dport=443 service="https" cat=140 cat_desc="custom1" hostname="s.ytimg.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=i.ytimg.com:443, id=1571, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"
Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65114 dst=172.217.4.110 dport=443 service="https" cat=140 cat_desc="custom1" hostname="i.ytimg.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=pubads.g.doubleclick.net:443, id=1572, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"
Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65123 dst=172.217.4.97 dport=443 service="https" cat=140 cat_desc="custom1" hostname="tpc.googlesyndication.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=s0.2mdn.net:443, id=1577, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"
Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65127 dst=216.58.216.66 dport=443 service="https" cat=140 cat_desc="custom1" hostname="googleads4.g.doubleclick.net" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=clients1.google.com:80, id=1580, vfname='root', vfid=0, profile='youtube_allow', type=0, client=192.168.30.100, url_source=1, url="/ocsp"
Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65140 dst=172.217.4.102 dport=443 service="https" cat=140 cat_desc="custom1" hostname="ad.doubleclick.net" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=accounts.google.com:443, id=1588, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"
Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65131 dst=172.217.4.102 dport=443 service="https" cat=140 cat_desc="custom1" hostname="s0.2mdn.net" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=pagead2.googlesyndication.com:443, id=1583, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"
Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65132 dst=216.58.192.194 dport=443 service="https" cat=140 cat_desc="custom1" hostname="pagead2.googlesyndication.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=www.gstatic.com:443, id=1584, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"
Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65134 dst=172.217.4.99 dport=443 service="https" cat=140 cat_desc="custom1" hostname="www.gstatic.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=apis.google.com:443, id=1585, vfname='root', vfid=0, profile='youtube_allow', type=1, client=192.168.30.100, url_source=3, url="/"
Url matches local rating
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65146 dst=74.125.207.239 dport=443 service="https" cat=140 cat_desc="custom1" hostname="content.googleapis.com" url="/"
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=clients1.google.com:80, id=1592, vfname='root', vfid=0, profile='youtube_allow', type=0, client=192.168.30.100, url_source=1, url="/ocsp"
Url matches local rating
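The check described in the troubleshooting step, as an added example that is not part of the original article: it parses saved urlfilter debug output, maps each hostname to the override entry that covers it, and lists hostnames that were rated outside custom1 and still need an entry. The function names are hypothetical, suffix matching is an assumption inferred from the output above (fonts.gstatic.com matching gstatic.com), and the last sample line is constructed.

```python
import re
from collections import defaultdict

# The article's Web Rating Override entries, all rated into custom1 (id 140).
OVERRIDES = """youtube.com google.video.com ad.doubleclick.net gstatic.com ytimg.com
2mdn.net google.com youtube-nocookie.com googleads.g.doubleclick.net
cm.g.doubleclick.net googleads4.g.doubleclick.net l1.ytimg.com www.youtube.com
googletagservices.com googlesyndication.com googlevideo.com googleadservices.com
doubleclick.net googleapis.com""".split()
LOCAL_CAT = 140

# First four lines are copied from the article's debug output. The fifth is
# CONSTRUCTED (hostname, address, category and action codes are assumptions).
SAMPLE = '''\
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65107 dst=172.217.4.110 dport=443 service="https" cat=140 cat_desc="custom1" hostname="www.youtube.com" url="/"
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65108 dst=172.217.4.110 dport=80 service="http" cat=140 cat_desc="custom1" hostname="clients1.google.com" url="/ocsp"
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65110 dst=172.217.4.99 dport=443 service="https" cat=140 cat_desc="custom1" hostname="fonts.gstatic.com" url="/"
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=192.168.30.100 sport=65146 dst=74.125.207.239 dport=443 service="https" cat=140 cat_desc="custom1" hostname="content.googleapis.com" url="/"
action=10(ftgd-block) wf-act=3(BLOCK) user="N/A" src=192.168.30.100 sport=65200 dst=203.0.113.10 dport=443 service="https" cat=25 cat_desc="Streaming Media and Download" hostname="media.example.org" url="/"
'''

# A verdict line carries the category id and the hostname it was applied to.
VERDICT = re.compile(r'\bcat=(?P<cat>\d+)\b.*?\bhostname="(?P<host>[^"]+)"')

def covering_entry(host, overrides):
    """Most specific override equal to host or a parent domain of it."""
    host = host.lower().rstrip(".")
    hits = [o for o in overrides if host == o or host.endswith("." + o)]
    return max(hits, key=len) if hits else None

def audit(log_text, overrides=OVERRIDES, local_cat=LOCAL_CAT):
    """Return ({override entry: hostnames it covered}, hostnames still missing)."""
    covered, missing = defaultdict(set), set()
    for m in VERDICT.finditer(log_text):
        host, cat = m["host"].lower(), int(m["cat"])
        entry = covering_entry(host, overrides)
        if cat == local_cat and entry:
            covered[entry].add(host)
        else:
            missing.add(host)  # rated by FortiGuard, not by a local override
    return dict(covered), missing

if __name__ == "__main__":
    covered, missing = audit(SAMPLE)
    for entry, hosts in sorted(covered.items()):
        print(f"{entry:<28} covers {', '.join(sorted(hosts))}")
    print("needs an override:", ", ".join(sorted(missing)) or "none")
```

Broad entries such as google.com and googleapis.com place every subdomain seen under them in custom1, so the covered map also shows how much traffic beyond YouTube the override allows.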
To block YouTube or other applications from application control, see the steps in this article.