vhitnal
Staff
Article Id 191767

Description


This article describes how to allow YouTube channels while blocking all other videos.

Only videos from the allowed channel will play.

 

Scope

 

FortiGate v7.0.11+.


Solution


With the video filter profile, it is possible to filter YouTube videos by channel ID for a more granular override of a single channel, user, or video.
The video filter profile is currently supported in proxy-based policies and requires SSL deep inspection.

 

Using a YouTube API key is recommended. FortiGate extracts the video ID (vid) and first checks the category and channel against the local cache. If there is no match in the local cache, it connects to the FortiGuard video rating server to query the video category. If the FortiGuard rating fails, it uses the videofilter.youtube-key to communicate with the Google API server to get the video's category and channel ID.

 

To create the YouTube key:

  1. Go to console.cloud.google.com and log in with a Google Account.
  2. Create a new project.
  3. Give it a name and select 'CREATE'.
  4. Select the Project, go to Navigation Menu -> APIs & Services -> Credentials.
  5. Select 'Enabled APIs & services', and select 'ENABLE APIS AND SERVICES'.
  6. Select 'YouTube Data API V3'. Enable the API.
  7. Select 'Credentials', then CREATE CREDENTIALS -> API Key.
  8. Copy the API key and set it on FortiGate through CLI:


    config videofilter youtube-key

        edit 1
            set key *****************
        next
    end
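To confirm that the new key works, and to find the channel ID behind a given video, the key can be exercised from a workstation with one YouTube Data API v3 `videos.list` call. This is an added example, not Fortinet code; that this call is equivalent to FortiGate's own API lookup is an assumption, and the sample response is constructed from the video ID, channel and title shown in this article's debug output.

```python
import json
import urllib.parse
import urllib.request

API = "https://www.googleapis.com/youtube/v3/videos"

# Constructed response, trimmed to the fields used below.
SAMPLE_RESPONSE = {"items": [{"id": "ZvCT31BOLDM", "snippet": {
    "channelId": "UC2Kyj04yISmHr1V-UlJz4eg",
    "title": "The American Literacy Crisis, Explained"}}]}

def extract_vid(url):
    """Return the video ID from watch, youtu.be, embed and shorts URLs, else None."""
    u = urllib.parse.urlparse(url)
    host = (u.hostname or "").lower()
    if host == "youtu.be":
        return u.path.lstrip("/").split("/")[0] or None
    if host == "youtube.com" or host.endswith(".youtube.com"):
        if u.path == "/watch":
            return urllib.parse.parse_qs(u.query).get("v", [None])[0]
        parts = u.path.strip("/").split("/")
        if len(parts) == 2 and parts[0] in ("embed", "shorts"):
            return parts[1]
    return None

def request_url(vid, key):
    """Build the videos.list request for one video ID."""
    query = {"part": "snippet", "id": vid, "key": key}
    return API + "?" + urllib.parse.urlencode(query)

def channel_of(response):
    """Return (channel_id, title), or None when the API knows no such video."""
    items = response.get("items") or []
    if not items:
        return None
    snippet = items[0]["snippet"]
    return snippet["channelId"], snippet["title"]

def lookup(url, key):
    """Live check: raises urllib.error.HTTPError when Google rejects the request,
    for example because the key is wrong or the API is not enabled on the project."""
    vid = extract_vid(url)
    if vid is None:
        raise ValueError("not a recognised YouTube video URL")
    with urllib.request.urlopen(request_url(vid, key), timeout=10) as resp:
        return channel_of(json.load(resp))
```

The channel ID returned by `lookup()` is the value to enter in the channel override list.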


To configure a video filter from the GUI:

  1. Go to Security Profiles -> Video Filter and select 'Create New'. Add a profile name. If Video Filter is not visible in the GUI, enable it with the following commands:


config system settings
     set gui-proxy-inspection enable
end


  2. In the YouTube Channel override list section, select 'Create New'. The New Channel Override Entry pane opens.
  • Collect Channel ID:
    • On YouTube, go to YouTube Channel and select More information about this channel -> Share Channel -> Copy channel ID.
  • Enter a Channel ID and select an Action. To allow the channel, the actions 'Allow' or 'Monitor' can be used.
  • Select 'OK'.
The channel default action is 'Monitor', therefore all YouTube channels are allowed by default. For this example, it is necessary to change the default action to 'Block'. 
 
This step must be done through CLI:
 
config videofilter youtube-channel-filter
    edit 1
        set name "VideoFilter"    <----- Video Filter profile name.
        set default-action block
        config entries
            edit 1
                set action allow
                set channel-id "UCRMwv-dKBzq9rH"
            next
        end
        set override-category enable    <----- To guarantee the channel action will override the Video Categories.
        set log enable    <----- Enable this option to generate logs.
    next
end

All the YouTube channels will be blocked except the one added to the override list in Step 2.


Note that for versions higher than 7.4.x, the configuration is slightly different because 'config videofilter youtube-channel-filter' is not available. Only 'keyword', 'profile' and 'youtube-key' are available:

config videofilter
keyword Configure video filter keywords.
profile Configure VideoFilter profile.
youtube-key Configure YouTube API keys.


Because of this, a default 'Block' action for 'any' category must be created manually under 'config videofilter profile' to block the videos that are not allowed, as follows:

Video_Filter_7_4_x.JPG

  3. Create the firewall policy:
  • Go to Policy & Objects -> Firewall Policy and select 'Create New'.
  • For Inspection Mode, select Proxy-based.
  • Enable 'Video Filter' and select the profile created.
  • A WebFilter profile is not mandatory. If one is used, the category 'Streaming Media and Download' must be set to 'Allow' or 'Monitor'.
  • For SSL Inspection, select 'deep-inspection'. Note: in some scenarios, 'deep-inspection' will not work, but a custom deep inspection profile will.
  • To guarantee that SSL deep inspection is performed correctly, the QUIC protocol must be blocked. Enable 'Application Control Profile' and make sure QUIC is blocked.
  • When all the profiles are enabled, select 'OK' in the Firewall Policy settings.

  4. Test YouTube access.
  • The initial page will be loaded as expected, but the videos will not work. Instead, they keep loading indefinitely.

 

Troubleshooting:

 

Run the following debug commands in the CLI:

 

fermion-kvm57 # diagnose test application wad 1000

fermion-kvm57 # diagnose wad debug enable level verbose

fermion-kvm57 # diagnose wad debug enable category video
Debug messages will be on for 30 minutes.

fermion-kvm57 # diagnose debug enable

 

Working Debugs (for blocked categories):

 

[V][p:2469][vt:0x7fad41222570] wad_ytf_task_on_youtube_video_info:2236 task=0x7fad41222570,state=8
[V][p:2469][vt:0x7fad41222570] wad_ytf_task_on_youtube_video_info:2254 task=0x7fad41222570 youtube api ok
[V][p:2469][vt:0x7fad41222570] wad_youtube_source_req_close :521 req=0x7fad408259a8
[I][p:2469][vt:0x7fad41222570] wad_vf_sync_task_proc_async_result:2853 task=0x7fad41222570 item=0x7fad41111048
[V][p:2469][vt:0x7fad41222570] wad_vf_sync_task_proc_async_result:2860 ctx(0x7fad413fe430) channel is UC2Kyj04yISmHr1V-UlJz4eg
[V][p:2469][vt:0x7fad41222570] wad_vf_sync_task_proc_async_result:2867 ctx(0x7fad413fe430) channel result is block
[V][p:2469][vt:0x7fad41222570] wad_vf_sync_task_proc_async_result:2898 ctx(0x7fad413fe430) category 4 not match
[V][p:2469][vt:0x7fad41222570] wad_vf_sync_task_proc_async_result:2909 ctx(0x7fad413fe430) title is The American Literacy Crisis, Explained
[I][p:2469][vt:0x7fad41222570] wad_vfc_client_add :233 oid=7032046755052935012
vfc-core add new item, item's value:
oid=7032046755052935012
vid="ZvCT31BOLDM"
category="4"
title="The American Literacy Crisis, Explained"
channel="UC2Kyj04yISmHr1V-UlJz4eg"
desc(first 100 characters)="Go to the link: https://imprintapp.com/jared-henderson to get 20% off an annual membership

 

Working Debugs (for allowed categories):

 

[I][p:2469][vt:0x7fad41222798] wad_vf_task_proc_cache_resp :1952 vf filter cache hit, item=0x7fad42febe18
[V][p:2469][vt:0x7fad41222798] wad_vf_async_task_run :2460 end of async task ret=0
[I][p:2469][vt:0x7fad41222798] wad_vf_sync_task_proc_async_result:2853 task=0x7fad41222798 item=0x7fad42febe18
[V][p:2469][vt:0x7fad41222798] wad_vf_sync_task_proc_async_result:2860 ctx(0x7fad413f5b08) channel is UCXiLnhZNnSdloqdISfHwhgQ
[V][p:2469][vt:0x7fad41222798] wad_vf_sync_task_proc_async_result:2867 ctx(0x7fad413f5b08) channel result is allow
[V][p:2469][vt:0x7fad41222798] wad_vf_sync_task_proc_async_result:2898 ctx(0x7fad413f5b08) category 5 not match
[V][p:2469][vt:0x7fad41222798] wad_vf_sync_task_proc_async_result:2909 ctx(0x7fad413f5b08) title is Creating Ambient Macros in NextGen Mobile
[I][p:2469][vt:0x7fad41222798] wad_vfc_client_add :233 oid=12191027208880248665
vfc-core add duplicated item, item's value:
oid=12191027208880248665
vid="xd3F8HORVls"
category="5"
title="Creating Ambient Macros in NextGen Mobile"
channel="UCXiLnhZNnSdloqdISfHwhgQ"
desc(first 0 characters)="......"
[I][p:2469][vt:0x7fad41222798] wad_vf_sync_task_finished :2975 ctx=0x7fad413f5b08 finished
[V][p:2469] wad_vf_sync_task_run :3016 end of sync task ret=0
[I][p:2469] wad_http_start_video_filter_req :153 hreq=0x7fad40e57e58 submitted vf request, ret=1
[I][p:2469] wad_vf_handle_result :657 hreq=0x7fad40e57e58, result=allow, match_index=0, msg_done=0

Incorrect API (Check API Key):

 

[I][p:2469][vt:0x7fad41222a78] wad_vf_task_proc_cache_resp :1966 video info in cache is incomplete
[V][p:2469][vt:0x7fad41222a78] wad_youtube_source_req_alloc :550 req=0x7fad40826ce8
[I][p:2469][vt:0x7fad41222a78] wad_youtube_api_req_video_info :490 video info req submitted ret=1
[I][p:2469][vt:0x7fad41222a78] wad_vf_task_check_api :2324 task=0x7fad41222a78 waiting for youtube api video info
[V][p:2469][vt:0x7fad41222a78] wad_vf_async_task_run :2460 end of async task ret=0
[V][p:2469][vt:0x7fad41222a78] wad_vf_sync_task_wait_async :2655 ctx(0x7fad413fd9e0) waiting for async task(0x7fad41222a78)
[V][p:2469][vt:0x7fad41222a78] wad_vf_sync_task_run :3016 end of sync task ret=0
[I][p:2469][vt:0x7fad41222a78] wad_http_start_video_filter_req :153 hreq=0x7fad40e5a6a8 submitted vf request, ret=0
[I][p:2469] wad_youtube_api_video_info_cbs :378 hreq=0x7fad416fa7e0, code=2
[V][p:2469][vt:0x7fad41222a78] wad_ytf_task_on_api_fail :2282 task=0x7fad41222a78,state=8,fail_msg=failed to get video info response
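The debug output above can be condensed per video task to show which channel was matched, whether the metadata came from the cache or the YouTube API, and which lookups failed at the API. This is an added example, not Fortinet code; the sample lines are copied from the output in this article, and the result field names are assumptions of this example.

```python
import re

# Sample lines copied from the debug output in this article (trimmed to three tasks).
SAMPLE = """\
[V][p:2469][vt:0x7fad41222570] wad_ytf_task_on_youtube_video_info:2254 task=0x7fad41222570 youtube api ok
[V][p:2469][vt:0x7fad41222570] wad_vf_sync_task_proc_async_result:2860 ctx(0x7fad413fe430) channel is UC2Kyj04yISmHr1V-UlJz4eg
[V][p:2469][vt:0x7fad41222570] wad_vf_sync_task_proc_async_result:2867 ctx(0x7fad413fe430) channel result is block
vid="ZvCT31BOLDM"
[I][p:2469][vt:0x7fad41222798] wad_vf_task_proc_cache_resp :1952 vf filter cache hit, item=0x7fad42febe18
[V][p:2469][vt:0x7fad41222798] wad_vf_sync_task_proc_async_result:2860 ctx(0x7fad413f5b08) channel is UCXiLnhZNnSdloqdISfHwhgQ
[V][p:2469][vt:0x7fad41222798] wad_vf_sync_task_proc_async_result:2867 ctx(0x7fad413f5b08) channel result is allow
[I][p:2469][vt:0x7fad41222a78] wad_vf_task_proc_cache_resp :1966 video info in cache is incomplete
[V][p:2469][vt:0x7fad41222a78] wad_ytf_task_on_api_fail :2282 task=0x7fad41222a78,state=8,fail_msg=failed to get video info response
"""

# [level][p:pid][vt:task] function :line message   (the [vt:...] part is optional)
LINE = re.compile(r"^\[[A-Z]\]\[p:\d+\](?:\[vt:(0x[0-9a-f]+)\])?\s+(\w+)\s*:\d+\s+(.*)$")
FIELD = re.compile(r"^ctx\(0x[0-9a-f]+\) (channel result|channel|title) is (.*)$")

def summarize(debug_text):
    """Group wad video-filter debug lines by task (vt) and keep the verdict fields."""
    tasks = {}
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) is None:
            continue  # item dumps (vid=..., title=...) and lines without a task id
        vt, func, msg = m.groups()
        task = tasks.setdefault(vt, {"source": None, "channel": None,
                                     "channel_result": None, "title": None,
                                     "api_error": None})
        field = FIELD.match(msg)
        if field:
            task[field.group(1).replace(" ", "_")] = field.group(2)
        elif "cache hit" in msg:
            task["source"] = "cache"
        elif msg.endswith("youtube api ok"):
            task["source"] = "youtube-api"
        elif func == "wad_ytf_task_on_api_fail" and "fail_msg=" in msg:
            task["api_error"] = msg.split("fail_msg=", 1)[1]
    return tasks

def needs_key_check(tasks):
    """Task ids whose YouTube API lookup failed, the case this article ties to the API key."""
    return [vt for vt, t in tasks.items() if t["api_error"]]

if __name__ == "__main__":
    for vt, info in summarize(SAMPLE).items():
        print(vt, info)
```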

 

  • The following error might be displayed (screenshot 06.jpg).
  • The block events can be seen in the Web filter logs (screenshot 07.jpg).
  • Only the allowed channel will open (screenshot 08.jpg).