Mbutler522010
New Contributor

Configuring HTTP header to allow "youtube for education"

Youtube now has a solution to allow only the education side. The solution is to add an HTTP header.

https://support.google.com/youtube/answer/2695317?hl=en


I searched for HTTP Header in the FortiOS documentation and it pointed me at "Proxy Header Control": http://help.fortinet.com/fos50hlp/52/index.html#page/FortiOS%25205.2%2520Help/wanopt.016.4.html


Unfortunately it doesn't mention the impact of any of this (will it screw up existing traffic?) and the options are confusing (5 different kinds of headers, none of which match the language in the Google page).


We currently do not have anything like that defined; has anyone set this up? Of course there isn't anything in the GUI named "Proxy Header Control". Do I set that up in the "Explicit proxy" or "Proxy Options" GUI, or do I have to do it in the CLI?


MrN3ff
New Contributor

Were you able to resolve this?

Mbutler522010

Not yet. I opened a ticket on it and was told we needed to implement proxy. So I have spent the last couple of months working out enabling proxy with AD integration. Once we had it set up, I opened another ticket and was told we didn't need a proxy... sigh. The issue is that it cannot be done from the GUI.

I was told to do this (Ticket Number: 1693602):


    config web-proxy profile
        edit "test-profile"
            config headers
                edit 1
                    set name "X-YouTube-Edu-Filter"
                    set content "ABCD1234567890abcdef"
            end
    end

Finally configure the Explicit Proxy policy that is allowing the traffic to YouTube to use the just-created web-proxy profile:

    config firewall explicit-proxy-policy
        edit 1    <- ID of the explicit proxy policy
            set webproxy-profile "test-profile"
        end
    end

However, that did not work, so after more research he said the problem is that "we used certificate inspection. I researched this further and we needed to use the deep inspection default", and this is where we are now. I am reluctant to use deep inspection because it changes the way certificates are handled and usually gives certificate errors on every website.

I have to admit, I am pretty disappointed in Fortinet. Their flagship firewall product seems really old-school and barely able to handle common issues such as this. Having to manually code something as universal as SafeSearch or Google issues implies they are not keeping up with how the internet is evolving. We also have a similar issue around Google SafeSearch. It requires a forced URL change. The recommended solution is to modify DNS, but that causes a whole host of problems around split-horizon foreign domains, so I need to try and get the FortiGate to do it.


I am not confident.
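To make the ticket's finding concrete (a header can only be added to a request the proxy can read, so a CONNECT tunnel under certificate inspection gives it nothing to edit), here is an added Python model of the header-adding step. It is illustration code, not FortiOS or Fortinet code; the YouTube host list and the sample requests are assumptions constructed for the example, and the filter ID is the placeholder from the ticket.

```python
from typing import Optional, Tuple

EDU_HEADER = "X-YouTube-Edu-Filter"
# Assumed host list for the example; on the FortiGate the scope is whatever
# the explicit-proxy policy matches. The ID is the placeholder from the ticket.
YOUTUBE_HOSTS = {"www.youtube.com", "youtube.com", "m.youtube.com"}
SAMPLE_ID = "ABCD1234567890abcdef"

# Constructed sample requests, not captured traffic.
PLAIN_REQ = b"GET /watch?v=abc HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"
TUNNEL_REQ = b"CONNECT www.youtube.com:443 HTTP/1.1\r\nHost: www.youtube.com:443\r\n\r\n"
OTHER_REQ = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"


def add_edu_header(raw_request: bytes, filter_id: str) -> Tuple[bytes, bool]:
    """Return (request as forwarded, header_was_added).

    Only HTTP/1.x requests whose Host is a YouTube host are changed, so
    other proxied traffic passes through byte-for-byte unchanged.
    """
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        return raw_request, False  # incomplete head: forward untouched
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0]
    if method == b"CONNECT":
        # With certificate inspection only, everything after CONNECT is TLS
        # ciphertext: the proxy cannot see the inner GET, let alone edit it.
        # That is why the ticket ended up requiring deep inspection.
        return raw_request, False
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get(b"host", b"").split(b":")[0].decode("ascii", "replace")
    if host.lower() not in YOUTUBE_HOSTS:
        return raw_request, False
    if EDU_HEADER.lower().encode("ascii") in headers:
        return raw_request, False  # already present: never add a duplicate
    new_head = head + b"\r\n" + f"{EDU_HEADER}: {filter_id}".encode("ascii")
    return new_head + sep + body, True

def header_value(raw_request: bytes, name: str) -> Optional[str]:
    """Read one header from a raw request head (None if absent)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        n, _, v = line.partition(b":")
        if n.strip().lower() == name.lower().encode("ascii"):
            return v.strip().decode("ascii")
    return None
```

Running add_edu_header over the three sample requests shows the plain YouTube request gaining the header, the non-YouTube request untouched, and the CONNECT tunnel untouched, which is the behaviour the ticket's "certificate inspection" finding describes.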


Mbutler522010

Update... we successfully were able to make this work.


However... two major hurdles exist.


1) "deep-inspection" of certificates IS required, which means either the FortiGate certificate must be installed on all workstations, or a trusted certificate must be installed on the FortiGate - we are still trying to get this to work.


2) The bigger problem. The GUI is incompatible with the configuration, and every time the GUI is used to change any profiles (such as adding a category to exclude, or allowing a website to have access) the configuration must be manually reprogrammed in the CLI. This makes it so unwieldy that it may not be worth doing. See the last paragraph of my previous entry.


ede_pfau
Esteemed Contributor III

I'm surprised that FortiOS provides for header rewrites - this is not something that you'd expect a normal firewall to do. Rather, a web firewall like the FortiWeb will do it out of the box but this is a dedicated device to control and manipulate HTTP traffic, not so easy to set up and quite expensive. A clear overkill for just YTfE.


Have you thought about redirecting the HTTP traffic out of the FGT to a dedicated (proxy) server via ICAP or WCCP? Both are supported in FortiOS. I admit the prospect of maintaining an additional server for one purpose alone is not promising but it might be an alternative.


Ede

"Kernel panic: Aiee, killing interrupt handler!"