https://live.paloaltonetworks.com/t5/general-topics/allow-youtube-for-some-persons-and-blocking-it-for-others/m-p/14940#M10959 <HTML><HEAD></HEAD><BODY><P>The tricky part is that a single session can only be identified as a single appid at a time. But also that a single session (well from the client point of view) can also change appid over time.</P><P></P><P>For example unknown -&gt; web-browsing -&gt; youtube -&gt; youtube-upload</P><P></P><P>Similar occurs also for facebook where facebook is not fully recognised until the user is logged in or is requesting more specific "deep" links.</P><P></P><P>So to make your black/whitelist successful you not only need multiple rules but also involve url-filtering to make the whitelist rules as narrow as possible and blacklist rules as broad as possible (along with placing them in correct order - PA reads the rules top-down first-match.</P><P></P><P>I think something like this should be sufficient:</P><P></P><P>1) Allow youtube for specific users</P><P>appid: youtube (or use an app-group or app-filter), web-browsing (so this rule is hit for these users in case main page of youtube isnt recognised as appid youtube)</P><P>service: application-default (or specify TCP80 and TCP443)</P><P>user: &lt;specific users or group of users&gt;</P><P>url: category: streaming media</P><P>action: allow</P><P>log: on session end</P><P></P><P>2) Block appids</P><P>appid: youtube</P><P>service: any</P><P>user: any</P><P>url: any</P><P>action: deny</P><P>log: on session end</P><P></P><P>3) Block urls</P><P>appid: any</P><P>service: any</P><P>user: any</P><P>url: youtube.com, *.youtube.com, &lt;and other urls that should be here and/or categories&gt;</P><P>action: deny</P><P>log: on session end</P><P></P><P>4) Allow regular traffic for all users</P><P>appid: web-browsing</P><P>service: application-default (or specify TCP80 and TCP443 and what other ports should be open for outbound traffic)</P><P>user: any</P><P>url: category: &lt;allowed categories&gt;</P><P>action: allow</P><P>log: on session end</P><P></P><P>5) Default drop</P><P>appid: any</P><P>service: any</P><P>user: any</P><P>url: any</P><P>action: deny</P><P>log: on session end</P></BODY></HTML> Fri, 30 Aug 2013 21:26:09 GMT mikand 2013-08-30T21:26:09Z https://live.paloaltonetworks.com/t5/general-topics/allow-youtube-for-some-persons-and-blocking-it-for-others/m-p/14939#M10958 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I want to allow Youtube in general for a few users. For other users it should be blocked.</P><P>I created a rule that all allows the youtube-application for a few users that are specified with the help of an active directory group. My second rule does only allow web-browsing and blocks other applications.</P><P></P><P>This worked fine so far. After a while I noticed that youtube is still reachable and only gets blocked, when the application is identified. So I additionally blocked the youtube-URLs via url filtering in the second rule.</P><P>But unfortunately the youtube-users can't acces youtube now. So I allowed the specified URLs in my first rule.</P><P></P><P>Again it works fine. My current problem now is, that I have to specify the URL categories on both rules the same way. Is there another possiblity to avoid this?</P><P></P><P>I hope you can understand my question and help me.</P></BODY></HTML> Thu, 22 Aug 2013 12:13:20 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-youtube-for-some-persons-and-blocking-it-for-others/m-p/14939#M10958 LCMember17002 2013-08-22T12:13:20Z https://live.paloaltonetworks.com/t5/general-topics/allow-youtube-for-some-persons-and-blocking-it-for-others/m-p/14940#M10959 <HTML><HEAD></HEAD><BODY><P>The tricky part is that a single session can only be identified as a single appid at a time. But also that a single session (well from the client point of view) can also change appid over time.</P><P></P><P>For example unknown -&gt; web-browsing -&gt; youtube -&gt; youtube-upload</P><P></P><P>Similar occurs also for facebook where facebook is not fully recognised until the user is logged in or is requesting more specific "deep" links.</P><P></P><P>So to make your black/whitelist successful you not only need multiple rules but also involve url-filtering to make the whitelist rules as narrow as possible and blacklist rules as broad as possible (along with placing them in correct order - PA reads the rules top-down first-match.</P><P></P><P>I think something like this should be sufficient:</P><P></P><P>1) Allow youtube for specific users</P><P>appid: youtube (or use an app-group or app-filter), web-browsing (so this rule is hit for these users in case main page of youtube isnt recognised as appid youtube)</P><P>service: application-default (or specify TCP80 and TCP443)</P><P>user: &lt;specific users or group of users&gt;</P><P>url: category: streaming media</P><P>action: allow</P><P>log: on session end</P><P></P><P>2) Block appids</P><P>appid: youtube</P><P>service: any</P><P>user: any</P><P>url: any</P><P>action: deny</P><P>log: on session end</P><P></P><P>3) Block urls</P><P>appid: any</P><P>service: any</P><P>user: any</P><P>url: youtube.com, *.youtube.com, &lt;and other urls that should be here and/or categories&gt;</P><P>action: deny</P><P>log: on session end</P><P></P><P>4) Allow regular traffic for all users</P><P>appid: web-browsing</P><P>service: application-default (or specify TCP80 and TCP443 and what other ports should be open for outbound traffic)</P><P>user: any</P><P>url: category: &lt;allowed categories&gt;</P><P>action: allow</P><P>log: on session end</P><P></P><P>5) Default drop</P><P>appid: any</P><P>service: any</P><P>user: any</P><P>url: any</P><P>action: deny</P><P>log: on session end</P></BODY></HTML> Fri, 30 Aug 2013 21:26:09 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-youtube-for-some-persons-and-blocking-it-for-others/m-p/14940#M10959 mikand 2013-08-30T21:26:09Z