Because youtube uses google's wildcard * security certificate and none of our monitored fgt devices use deep inspection (and can not use it), we have to resort to using good old-fashion (FQDN) address firewall blocking, via code similar to the following:

config firewall address
    edit "youtube1"
        set associated-interface "wan1"
        set type fqdn
        set fqdn "www.youtube.com"
    next
    edit "youtube2"
        set associated-interface "wan1"
        set type fqdn
        set fqdn "youtube.com"
    next
    edit "youtube3"
        set associated-interface "wan1"
        set type fqdn
        set fqdn "i1.ytimg.com"
    next
    edit "youtube4"
        set associated-interface "wan1"
        set type fqdn
        set fqdn "youtube-ui.l.google.com"
    next
    edit "youtube5"
        set associated-interface "wan1"
        set type fqdn
        set fqdn "googlevideo.com"
    next
    edit "facebook1"
        set associated-interface "wan1"
        set type fqdn
        set fqdn "facebook.com"
    next
    edit "facebook2"
        set associated-interface "wan1"
        set type fqdn
        set fqdn "www.facebook.com"
    next
    edit "facebook3"
        set associated-interface "wan1"
        set type fqdn
        set fqdn "s-static.ak.facebook.com"
    next
    edit "facebook4"
        set associated-interface "wan1"
        set type fqdn
        set fqdn "login.facebook.com"
    next
    edit "facebook5"
        set associated-interface "wan1"
        set type fqdn
        set fqdn "static.ak.fbcdn.net"
    next
    edit "facebook6"
        set associated-interface "wan1"
        set type fqdn
        set fqdn "profile.ak.fbcdn.net"
    next
end
config firewall addrgrp
    edit "youtube-group"
        set member "youtube1" "youtube2" "youtube3" "youtube4" "youtube5"
    next
    edit "Facebook-group"
        set member "facebook1" "facebook2" "facebook3" "facebook4" "facebook5" "facebook6"
    next
end
config firewall policy
    edit 0
        set srcintf "internal_net"
        set dstintf "wan1"
        set srcaddr "All_Internal"
        set dstaddr "youtube-group" "Facebook-group"
        set schedule "always"
        set service "ALL"

        set action deny
        set logtraffic disable
    next
end

Move firewall rule up in the firewall rule chain so it is before any general HTTP/HTTPS firewall rule.

IMO I wouldn't use this code verbatim (I think one of the FQDN entries for youtube also resolves to an IP for google's search site.)