Dave Hall wrote:

You may have better luck using an application sensor -- either create a new app sensor or preferably use your existing one that is covering web traffic; add an application filter that blocks all video/audio then create a second one that allows google video/media -- move this second app filter above the first one.  Like firewall policy rules app filters are executed from top->down.

 

[attachImg]https://forum.fortinet.com/download.axd?file=0;117879&where=message&f=allow-youtube only b.gif[/attachImg]

i have follow your way to do the filter,but some time fortigate unable detect facebook apps and block it, is just show ssl for facebook and allow, how to avoid this?

lokewing wrote:

i have follow your way to do the filter,but some time fortigate unable detect facebook apps and block it, is just show ssl for facebook and allow, how to avoid this?[attachImg]https://forum.fortinet.com/download.axd?file=0;117982&where=message&f=Capture.JPG[/attachImg]

Facebook uses a wildcard security certificate, so if blocking it via FortiGuard categories (under social networking) or App sensor doesn't work you can try crafting a URL filter block (either using a wildcard *.facebook.com, or regex facebook.com).  www.facebook.com resolves to star.c10r.facebook.com, so a URL filter block (one of the above) should work for that too, even under HTTPS.

Can you clarify (screen shot) of the app sensor used for blocking facebook?  When you craft the app filter, only facebook should be selected under vendor with everything else set as all (default).