How to Allow a subset of YouTube Videos and Block All Other Videos

121939

Created On 09/25/18 17:36 PM - Last Modified 04/23/22 06:09 AM

URL Filtering Profile

Policy

PAN-OS

Symptom

Configuration steps for allowing one or more YouTube videos and block all other YouTube videos,

Environment

PAN-OS. 9.1.9
Palo Alto Firewall.
SSL decryption configured.
URL Filtering configuration.

The configuration was tested to be working on the following browser versions.

Chrome Version - 100.0.4896.88 (Official Build) (64-bit)
Microsoft Edge - Version 100.0.1185.44 (Official build) (64-bit)
Firefox - 99.0 (32-bit)

Note: Youtube Mobile version was confirmed working in Chrome

Resolution

How to Allow a Single/subset of YouTube Videos and Block All Other Videos

PLEASE NOTE:
In order to get this to work correctly, you need the following:

SSL decryption needs to be enabled.
QUIC protocol needs to be disabled because it bypasses SSL decryption.

Steps

Create a new Custom URL Category to allow only the wanted YouTube video(s).

Get to your URL filtering policy inside of the WebGUI > Objects > Custom Objects > URL Category.

Then click Add to create a new Custom URL Category.

A new window will pop up. Inside that new window, Give it a Name (youtube-allowed) and Description if you like, and then click Add again and put the following URLs listed along with any other videos that are needed.

*.youtube.com/watch?v=D4kesE8eIac - this is the test video to allow
*.googlevideo.com - video content is served from this domain
*.ytimg.com/generate_204 - generate 204 is used by various google services to check for online status, without this URL allowed, video does not play on Chrome
*.youtube.com/s/ - Google Static content serves up various elements of the Youtube.com site like base html/css/etc

GUI: Objects > Custom Objects > URL Category > Add

Custom URL Category

Next, you will want to create a new second URL category in order to deny the rest of YouTube videos.

While still inside that URL Category window, click Add again, and then put in a name (Youtube-BaseURLs) and description if needed
Then insert the following URLs under Sites
- *.youtube.com/watch?v= - all video pages are sourced from this URL
- *.googlevideo.com - the video content is sourced from this URL.
- *.youtube.com
- youtube.com
Click OK.

Configure the firewall policy as shown below.

Please verify that you have a decryption policy of type SSL Forward Proxy. The decryption policy should cover youtube traffic. One way is to define a decryption policy for the "streaming-media" URL category. Please see the following article about configuring SSL Decryption: How to Implement and Test SSL Decryption or see the SSL Decryption Resource List on Configuration and Troubleshooting.

Commit and test.

When testing, you should be able to visit www.youtube.com and the links should appear to be active. But when you click on any video (other than the allowed video) you should get a block screen.

Block screen when trying to view a blocked youtube video

Otherwise, if you launch the allowed youtube link, you should be able to watch the video withtout issues.

Screen showing the allowed YouTube video

How to Allow a subset of YouTube Videos and Block All Other Videos

Symptom

Environment

Resolution

How to Allow a Single/subset of YouTube Videos and Block All Other Videos

Other users also viewed: