not yet. I opened a ticket on it and was told we needed to implement proxy. So I have spent the last couple of months working out enabling proxy with AD integration. Once we had it set up, I opened another ticket and was told we didn't need a proxy....sigh. The issue is that it cannot be done from the GUI.

I was told to do (Ticket Number:  1693602)

config web-proxy profile edit "test-profile" config headers edit 1 set name "X-YouTube-Edu-Filter" set content "ABCD1234567890abcdef" end end Finally configure the Explicit Proxy policy that is allowing the traffic to Youtube to use the just created web-proxy profile: config firewall explicit-proxy-policy edit 1 <- ID of the explicit proxy policy set webproxy-profile "test-profile" end end However that did not work so after more research, he said the problem is that "we used certificate inspection.  I researched this further and we needed to use the deep inspection default " and this is where we are now. I am reluctant to use deep-inspection because it changes the way certificates are handled and usually gives certificate errors on every website. I have to admit, I am pretty dissapointed in Fortinet. Their flagship firewall product seems really old-school and barely able to handle common issues such as this. Having to manually code something as universal as safe-search or google issues implies they are not keeping up with how the internet is evolving. We also have a similar issue around google safesearch. It requires a forced URL change. The recommended solution is to modify DNS but that causes a whole host of problems around split-horizon foreign domains so I need to try and get the fortigate to do it.

I am not confident.

update... we successfully were able to make this work.

however....two major hurdles exist.

1) "deep-inspection" of certificates IS required, which means either the Fortigate certificate must be installed on all workstations, or a trusted certificate must be installed on the Fortigate - we are still trying to get this to work.

2) the bigger problem. The GUI is incompatible with the configuration and every time the GUI is used to change any profiles (such as adding a category to exclude, or allowing a website to have access) then the configuration must be manually reprogrammed in the CLI. THis makes it so unweildy that it may not be worth doing. See my last paragraph of the previous entry.

I'm surprised that FortiOS provides for header rewrites - this is not something that you'd expect a normal firewall to do. Rather, a web firewall like the FortiWeb will do it out of the box but this is a dedicated device to control and manipulate HTTP traffic, not so easy to set up and quite expensive. A clear overkill for just YTfE.

Have you thought about redirecting the HTTP traffic out of the FGT to a dedicated (proxy) server via ICAP or WCCP? Both are supported in FortiOS. I admit the prospect of maintaining an additional server for one purpose alone is not promising but it might be an alternative.