FortiGate
vhitnal
Staff

Description


This article explains how to allow YouTube channels while blocking all the other videos.

Only videos from the allowed channel will play.

 

Scope

 

FortiGate v7.0.11+


Solution


With the video filter profile, you can filter YouTube videos by channel ID for a more granular override of a single channel, user, or video.
The video filter profile is currently supported in proxy-based policies and requires SSL deep inspection.

 

Using a YouTube API key is recommended. FortiGate extracts the video ID (vid) and first tries to find the category and channel in the local cache. If there is no match in the local cache, it connects to the FortiGuard video rating server to query the video category. If the FortiGuard rating fails, it uses the videofilter.youtube-key to communicate with the Google API server to get the video's category and channel ID.

 

To create the YouTube key

 

1) Go to https://console.cloud.google.com/api/dashboard and log in with a Google Account.

2) Create a new project:

 

09.jpg

 

3) Give it a name and click 'CREATE':

 

10.jpg

 

4) Select the Project, go to Navigation Menu -> APIs & Services -> Credentials:

 

11.jpg

 

5) Select 'Enabled APIs & services', click on 'ENABLE APIS AND SERVICES':

 

12.jpg

 

6) Select 'YouTube Data API V3'. Enable the API:

 

13.jpg

 

14.jpg

 

7) Select 'Credentials', then CREATE CREDENTIALS -> API Key:

 

15.jpg

 

16.jpg

 

8) Copy the API key and set it on FortiGate through the CLI:

 

# config videofilter youtube-key
    edit 1
        set key *****************
    next
end


To configure a video filter from the GUI:

1) Go to Security Profiles -> Video Filter and select 'Create New'. Add a profile name:

01.jpg

2) In the YouTube Channel override list section, select 'Create New'. The New Channel Override Entry pane opens.
- Enter a Channel ID and select an Action. To allow the channel, the actions 'Allow' or 'Monitor' can be used:

 

02.jpg

 
- Select 'OK'.
 
3) The channel default action is 'Monitor', therefore all YouTube channels are allowed by default. For this example, it is necessary to change the default action to 'Block'. 
 
This step must be done through the CLI:
 
# config videofilter youtube-channel-filter
    edit 1
        set name "VideoFilter"    <----- Video Filter profile name.
        set default-action block
        config entries
            edit 1
                set action allow
                set channel-id "UCRMwv-dKBzq9rH"
            next
        end
        set override-category enable    <----- To guarantee the channel action will override the Video Categories.
        set log enable    <----- Enable this option to generate logs.
    next
end
 
 - All the YouTube channels will be blocked except the one added to the override list in step 2.
 
4) Create the firewall policy:
- Go to Policy & Objects -> Firewall Policy and select 'Create New'.
- For Inspection Mode, select Proxy-based.
- Enable 'Video Filter' and select the profile created.
- WebFilter profile is not mandatory. If it is used, the category 'Streaming Media and Download' must be set to 'Allow' or 'Monitor'.
- For SSL Inspection, select 'deep-inspection'.
- To guarantee the SSL deep inspection is performed correctly, the QUIC protocol must be blocked. Enable 'Application Control Profile' and make sure QUIC is blocked:
 3.jpg
 
- When all the profiles are enabled, select 'OK' in the Firewall Policy settings:
 
04.jpg
 
5) Test YouTube access.
 - The initial page will load, which is expected, but the videos will not play; they keep loading:
 
05.jpg
 
 - The following error might be displayed:
 
06.jpg
 
 - The block events can be seen in the Web filter logs:
 
07.jpg
 
 - Only the allowed channel will open:
 
08.jpg
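The following is an added example, not part of the original article or Fortinet code. It shows the lookup the Solution section describes (video ID to channel ID and category through the YouTube Data API v3 `videos.list` endpoint) and renders the resulting allow-list in the CLI syntax of step 3. The function names and the sample response are constructed for illustration; the API key and channel IDs are placeholders.

```python
import json
from urllib.parse import urlparse, parse_qs, urlencode

API = "https://www.googleapis.com/youtube/v3/videos"

# Constructed sample of a videos.list response (part=snippet); values are placeholders.
SAMPLE_RESPONSE = json.loads("""
{"items": [{"id": "VIDEO_ID_01",
            "snippet": {"channelId": "UC_EXAMPLE_CHANNEL_ID",
                        "channelTitle": "Example Channel",
                        "categoryId": "27"}}]}
""")

def video_id_from_url(url):
    """Return the video ID (vid) from common YouTube URL shapes, or None."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host == "youtu.be":
        return u.path.strip("/").split("/")[0] or None
    if host == "youtube.com" or host.endswith(".youtube.com"):
        if u.path == "/watch":
            return parse_qs(u.query).get("v", [None])[0]
        parts = u.path.strip("/").split("/")
        if len(parts) >= 2 and parts[0] in ("embed", "shorts", "live"):
            return parts[1]
    return None

def lookup_url(video_id, api_key):
    """Build the videos.list request using the key set in 'config videofilter youtube-key'."""
    return API + "?" + urlencode({"part": "snippet", "id": video_id, "key": api_key})

def channel_and_category(response):
    """Return (channelId, categoryId), or None for an unknown video or an API error body."""
    items = response.get("items") or []
    if not items:
        return None
    s = items[0]["snippet"]
    return s["channelId"], s["categoryId"]

def render_entries(profile, channel_ids):
    """Emit the channel allow-list in the CLI syntax of step 3 (default-action block)."""
    out = ["config videofilter youtube-channel-filter", "    edit 1",
           f'        set name "{profile}"', "        set default-action block",
           "        config entries"]
    for n, cid in enumerate(channel_ids, 1):
        out += [f"            edit {n}", "                set action allow",
                f'                set channel-id "{cid}"', "            next"]
    out += ["        end", "        set override-category enable",
            "        set log enable", "    next", "end"]
    return "\n".join(out)
```

Fetching `lookup_url(...)` from a workstation with the same key confirms that the key can reach the YouTube Data API v3 and returns the channel ID to enter in the override list.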
 