YouTube now has a solution to allow only the education side. The solution is to add an HTTP header.
https://support.google.com/youtube/answer/2695317?hl=en
I searched for HTTP Header in the FortiOS documentation and it pointed me at "Proxy Header Control": http://help.fortinet.com/fos50hlp/52/index.html#page/FortiOS%25205.2%2520Help/wanopt.016.4.html
Unfortunately it doesn't mention the impact of any of this (will it screw up existing traffic?) and the options are confusing (5 different kinds of headers, none of which match the language in the Google page).
We currently do not have anything like that defined. Has anyone set this up? Of course there isn't anything in the GUI named "Proxy Header Control". Do I set that up in the "Explicit proxy" or "Proxy Options" GUI, or do I have to do it in the CLI?
Were you able to resolve this?
Not yet. I opened a ticket on it and was told we needed to implement proxy. So I have spent the last couple of months working out enabling proxy with AD integration. Once we had it set up, I opened another ticket and was told we didn't need a proxy....sigh. The issue is that it cannot be done from the GUI.
I was told to do (Ticket Number: 1693602)
    config web-proxy profile
        edit "test-profile"
            config headers
                edit 1
                    set name "X-YouTube-Edu-Filter"
                    set content "ABCD1234567890abcdef"
            end
    end

Finally configure the Explicit Proxy policy that is allowing the traffic to YouTube to use the just created web-proxy profile:

    config firewall explicit-proxy-policy
        edit 1 <- ID of the explicit proxy policy
            set webproxy-profile "test-profile"
    end
    end

However, that did not work, so after more research he said the problem is that "we used certificate inspection. I researched this further and we needed to use the deep inspection default" and this is where we are now. I am reluctant to use deep-inspection because it changes the way certificates are handled and usually gives certificate errors on every website.

I have to admit, I am pretty disappointed in Fortinet. Their flagship firewall product seems really old-school and barely able to handle common issues such as this. Having to manually code something as universal as safe-search or Google issues implies they are not keeping up with how the internet is evolving.

We also have a similar issue around Google SafeSearch. It requires a forced URL change. The recommended solution is to modify DNS, but that causes a whole host of problems around split-horizon foreign domains, so I need to try and get the FortiGate to do it.
I am not confident.
Update... we successfully were able to make this work.
However....two major hurdles exist.
1) "deep-inspection" of certificates IS required, which means either the FortiGate certificate must be installed on all workstations, or a trusted certificate must be installed on the FortiGate - we are still trying to get this to work.
2) The bigger problem. The GUI is incompatible with the configuration, and every time the GUI is used to change any profiles (such as adding a category to exclude, or allowing a website to have access) the configuration must be manually reprogrammed in the CLI. This makes it so unwieldy that it may not be worth doing. See the last paragraph of my previous entry.
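Why the header only appeared once deep inspection was enabled, as an added illustration that is not part of the original thread and is not FortiOS code: a small Python model of what an explicit proxy can rewrite on an HTTPS session. The function names and the sample session are constructed for this example; the header value is the placeholder from the ticket.

```python
# Model only: the "tls" payload is kept as readable bytes here, but the proxy
# is allowed to look inside it only when deep inspection (TLS interception) is on.
EDU_HEADER = ("X-YouTube-Edu-Filter", "ABCD1234567890abcdef")  # placeholder value

def add_header(request: bytes, name: str, value: str) -> bytes:
    """Insert one header into a plaintext HTTP/1.1 request head,
    dropping any copy the client sent so users cannot override it."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    prefix = name.lower().encode() + b":"
    kept = [l for l in lines[1:] if not l.lower().startswith(prefix)]
    return b"\r\n".join([lines[0], *kept, f"{name}: {value}".encode()]) + sep + body

def proxy_forward(messages, deep_inspection: bool):
    """messages: list of (layer, bytes) with layer 'plain' or 'tls'.
    Returns what leaves the proxy toward the server."""
    out = []
    for layer, data in messages:
        if layer == "tls" and not deep_inspection:
            out.append((layer, data))   # opaque ciphertext: nothing to rewrite
        elif data.startswith(b"CONNECT "):
            out.append((layer, data))   # tunnel setup only, never reaches YouTube
        else:
            out.append((layer, add_header(data, *EDU_HEADER)))
    return out

# Constructed HTTPS session through an explicit proxy: the CONNECT is visible,
# the actual GET travels inside the TLS tunnel.
INNER_GET = (b"GET /watch?v=example HTTP/1.1\r\n"
             b"Host: www.youtube.com\r\n"
             b"X-YouTube-Edu-Filter: spoofed\r\n\r\n")
SESSION = [
    ("plain", b"CONNECT www.youtube.com:443 HTTP/1.1\r\nHost: www.youtube.com:443\r\n\r\n"),
    ("tls", INNER_GET),
]

def header_reaches_server(deep_inspection: bool) -> bool:
    """True if the enforced header value is present in forwarded traffic."""
    wanted = f"{EDU_HEADER[0]}: {EDU_HEADER[1]}".encode()
    return any(wanted in data for _, data in proxy_forward(SESSION, deep_inspection))

if __name__ == "__main__":
    print("certificate inspection:", header_reaches_server(False))
    print("deep inspection:       ", header_reaches_server(True))
```

With certificate inspection the proxy sees only the CONNECT and the TLS handshake, so the inner request is forwarded untouched; with deep inspection the request is decrypted at the proxy, which is also why clients must trust the FortiGate's signing certificate.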
I'm surprised that FortiOS provides for header rewrites - this is not something that you'd expect a normal firewall to do. Rather, a web firewall like the FortiWeb will do it out of the box but this is a dedicated device to control and manipulate HTTP traffic, not so easy to set up and quite expensive. A clear overkill for just YTfE.
Have you thought about redirecting the HTTP traffic out of the FGT to a dedicated (proxy) server via ICAP or WCCP? Both are supported in FortiOS. I admit the prospect of maintaining an additional server for one purpose alone is not promising but it might be an alternative.
@Mbutler522010 wrote:
YouTube now has a solution to allow only the education side. The solution is to add an HTTP header.
https://support.google.com/youtube/answer/2695317?hl=en
I searched for HTTP Header in the FortiOS documentation and it pointed me at "Proxy Header Control": http://help.fortinet.com/fos50hlp/52/index.html#page/FortiOS%25205.2%2520Help/wanopt.016.4.html
Unfortunately it doesn't mention the impact of any of this (will it screw up existing traffic?) and the options are confusing (5 different kinds of headers, none of which match the language in the Google page).
We currently do not have anything like that defined. Has anyone set this up? Of course there isn't anything in the GUI named "Proxy Header Control". Do I set that up in the "Explicit proxy" or "Proxy Options" GUI, or do I have to do it in the CLI?
To configure the HTTP header to allow "YouTube for Education" on FortiOS, you need to follow the steps to add the required HTTP header through the FortiGate firewall settings. This setup can be done either via the GUI or the CLI. Here’s a step-by-step guide:
Log in to FortiGate CLI: Access your FortiGate device using SSH or the console.
Enter Configuration Mode:
Set the required HTTP header:
Replace "your-school-id" with the unique identifier provided by YouTube for your educational institution.
Save the Configuration:
To ensure that adding this header does not disrupt existing traffic:
By carefully following these steps and monitoring the impact, you can configure the HTTP header to allow access to "YouTube for Education" like tutor online pakistan without disrupting existing network traffic.