Palo Alto Networks Knowledgebase: How to Allow a Single YouTube Video and Block All Other Videos

How to Allow a Single YouTube Video and Block All Other Videos

25855
Created On 09/25/18 17:36 PM - Last Updated 01/14/20 23:40 PM
URL Filtering Profile Policy PAN-OS
Symptom
If you are wanting to allow one YouTube video and block all other YouTube videos, I will explain how to accomplish this.
 

 Resolution

How to Allow a Single YouTube Video and Block All Other Videos

PLEASE NOTE:
​​​​​​In order to get this to work correctly, you need the following:

  1. SSL decryption needs to be enabled.
  2. QUIC protocol needs to be disabled, because it bypasses SSL decryption.

In this example we only want to allow this one YouTube video:

https://www.youtube.com/watch?v=8VnvZ8kvAS0

and block all of the other videos on YouTube. Please follow these steps to accomplish this.

Steps

  1. Next, create a new Custom URL Category to allow only the wanted YouTube video(s). Get to your URL filtering policy inside of the WebGUI > Objects > Custom Objects > URL Category. Then click Add to create a new Custom URL Category. A New window will pop up. Inside that new window, Give it a Name (youtube-allowed) and Description if you like, and then click Add again and put in the one YouTube URL to be allowed: www.youtube.com/watch?v=8VnvZ8kvAS0 (No HTTPS:// needed), Then hit OK.
    Custom URL Screen for the 1 video that you want to allow.
  2. Next you will want to create a new second URL category in order to represent the rest of the YouTube videos. While still inside that URL Category window, click Add again, and then put in a name (youtubeWatch) and description if wanted and then insert the following URL under Sites: www.youtube.com/watch?v= (with no video number to represent all videos). Hit OK.
    Custom URL Screen for all YouTube videos
  3. Now onto the Firewall rules needed. You first need to block the QUIC protocol. Please create a new rule in your rulebase to Deny outbound protocol "quic".
     Rule blocking QUIC protocol
  4. Please verify that you have a decryption policy of type SSL Forward Proxy, the decryption policy must be tied to your Custom URL Category in the "Service/URL Category" tab. Please see the following article about configuring SSL Decryption: How to Implement and Test SSL Decryption  or see the SSL DECRYPTION RESOURCE LIST ON CONFIGURING AND TROUBLESHOOTING
  5. Next are the 2 rules needed to allow and deny the traffic.
    The first rule will be used to allow youtube-base and google-base apps for the allowed youtube custom url category - "youtube-allowed".
    The second rule will then deny the same youtube-base and google-base apps for the rest of youtube custom url category - "youtubeWatch". 
    2 rules showing allow and then block of Youtube
  6. Commit and test.

When testing, you should be able to visit www.youtube.com and the links should appear to be active.
But when you click on any video (other than the allowed video) you should get an block screen.
Block screen when trying to view a blocked youtube video

Otherwise, if you launch the allowed youtube link, you should be able to watch the video withtout issues.
Screen showing the allowed YouTube video

Thanks to Walter Doria for the contribution.

Please Note: These are new instructions that should help allow 1 or more videos.

owner: jdelio

 

 



 Attachments
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGzCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language