Category Filtering Multimedia Errors

Report Inappropriate Content · ‎08-03-2010

Okay, I am having a problem enabling user overrides on Fortinet Web Filtering categories for video clips. Certain users will need permission to view say, YouTube videos and are given a local user account to override web filtering. See below for filtering config. They get the FG Override Page, successfully enter their credentials and the youtube page in question loads but with an error. See attached JPG. This happens if we enable as a local cateogry manual override for youtube.com or just enable overrides on the entire category as shown in the example below (the desired configuration.) Firewall - Policy > Protection Profile: foo Enable FortiGuard Web Filtering Overrides CHECKED HTTP & HTTPS Category -> Potentially Bandwidth Consuming -> Multimedia Downloads BLOCKED, Allow Overrides. User > Local: username User > User Group > Web Overrides Name: web overrides, Type: Firewall, Protection Profile: foo Members: username FortiGuard Web Filtering Override ALLOW to Create FortiGuard Web Filtering overrides ON Override Scope: Ask Override Type: Categories Off-site URLs: Allow Override Time: Constant Permissions Granted for: foo

Report Inappropriate Content · ‎08-03-2010

Did some more troubleshooting and confirmed it is the web filter blocking it. Videos play fine if I allow the category. Here is output from the web filter log. 1 2010-08-03 14:57:02 notice 1763 192.168.1.155 74.125.95.91 www.youtube.com /player_204?el=detailpage&event=streamingerror&plid=AASM8Y8OSmRSwBCB&v=lFZ0z5Fm-Ng&shost=v9.lscache1.c.youtube 2 2010-08-03 14:57:02 notice 1763 192.168.1.155 74.125.95.91 www.youtube.com /crossdomain.xml URL belongs to an override rule 3 2010-08-03 14:57:02 notice 1773 192.168.1.155 74.125.95.91 www.youtube.com /get_video?video_id=lFZ0z5Fm-Ng&t=vjVQa1PpcFMT8wht9g6ci5IuvpJV697h7sTBXQGZ-ns=&el=detailpage&ps=&fmt=34&asv=2& 4 2010-08-03 14:57:02 notice 1780 192.168.1.155 173.194.8.17 v9.lscache1.c.youtube.com /videoplayback?ip=0.0.0.0&sparams=id%2Cexpire%2Cip%2Cipbits%2Citag%2Calgorithm%2Cburst%2Cfactor%2Coc%3 URL belongs to a denied category in policy 5 2010-08-03 14:57:01 notice 1763 192.168.1.155 74.125.95.91 www.youtube.com /watch?v=lFZ0z5Fm-Ng URL belongs to an override rule 6 2010-08-03 14:56:55 notice 1773 192.168.1.155 74.125.95.91 www.youtube.com /results?search_query=socialnomics09&aq=f URL belongs to an override rule 7 2010-08-03 14:56:26 notice 1763 192.168.1.155 74.125.95.91 www.youtube.com /yva_video?height=225&width=333&ps=yva&el=adunit&video_id=QVQVIqDRs-w&pvi=1 URL belongs to an override r 8 2010-08-03 14:56:24 notice 1773 192.168.1.155 74.125.95.91 www.youtube.com /doubleclick/DARTIframe.html?adParams=3B37804343/37822191/1%25253B%25253B%25257Eokv%25253D%25253Bsz%25253D960x

abelio · ‎08-03-2010

v9.lscache1.c.youtube.com /videoplayback

indeed, maybe you need to review this approach for this kind of websites. Configure a local category with this kind of websites; and modify the profile for those privileged users by including it.

regards

/ Abel

abelio · ‎08-03-2010

What do your webfilter logs say? Check the error there. Consider also that even your browser address bar points to ' youtube.com' the embedded video itself could point to another domains, for example ytimg.com, or google.com ytimg.com is categorized by fortiguard as ' Information Technology' ; maybe you need to review this approach for this kind of websites. regards,

regards

/ Abel

Report Inappropriate Content · ‎08-03-2010

Thanks for that but isn' t that what the off-site URL option (turned on here) is for?

Report Inappropriate Content · ‎08-03-2010

I don' t want to be argumentative but... 1. v9.lscache1.c.youtube.com /videoplayback is a member of the youtube.com domain. 2. Even if it weren' t the offsite-url option is checked. If this did not work properly there would be all sorts of additonal problems with regards dynamic websites that work just fine with lots of other category filtering. 3. I' m not sure what exactly you mean by " review this approach." Do you mean review using FG WebFiltering as our content filter? Or is there another method of doing the content filtering using the FG device that I might not be aware of. In which case I' d be very grateful to be enlightened. And lastly, this error can be duplicated using just local category filter for youtube.com. Total bummer, I know.

zack · ‎08-25-2010

I am having the exact same problem. I have the category blocked, but have youtube as a specifically allowed site. I get the same exact behavior as what is pictured in the first post. Funny thing is it worked fine until about 3 weeks ago. I didnâ€™t change anything in the firewall so I am suspecting a definition update to UTM or something as the source of the troubleâ€¦. any info out there on work arounds?

(2) FortiGate 300A (clustered) 4.2.9 (1) Fortigate 310B 4.2.9 (1) Fortianalyzer 100C 4.2.4

rwpatterson · ‎08-25-2010

Does another user work from the same PC? I know YouTube did some ' upgrading' some time back, and the browser version needed to be upgraded to work.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Report Inappropriate Content · ‎08-26-2010

I think the user is using IE 8. I' ll have to revisit the problem. I couldn' t get a straight answer so I had to unblock the category for the time being.