Configuration Articles

Announcements
Customer Notice: Panorama Certificate Expiration on June 16 2017.  Read More >

How to Allow a Single YouTube Video and Block All Other Videos

by on ‎02-26-2013 01:01 PM - edited on ‎12-22-2016 12:06 PM by (49,589 Views)

How to Allow a Single YouTube Video and Block All Other Videos

In this example we only want to allow this one youtube video: https://www.youtube.com/watch?v=hHiRb8t2hLM, and block the rest of YouTube. 
Please follow these steps to accomplish this.

 

Steps

  1. Block streaming-media in your URL Filtering Profile. Get there in the WebGUI > Objects > Security Profiles > URL Filtering > click on the URL Filtering profile you would like to use.
    URL Filtering Profile detail showing Streaming-Media being set to Block.URL Filtering Profile detail showing Streaming-Media being set to Block.

  2. Create a Custom URL Category from Objects > Custom Objects > URL Category.
    Your Custom URL Category must include the following entries:

    *.youtube.com
    *.googlevideo.com
    www.youtube-nocookie.com

    ... this will make sure that any youtube page or content you go to is decrypted, so that the full HTTP GET can be read.
    Custom URL Category showing the needed domains.Custom URL Category showing the needed domains.

  3. Add a decryption policy of type SSL Forward Proxy, the decryption policy must be tied to your Custom URL Category in the "Service/URL Category" tab.
    Please see the following article about configuring SSL Decryption:
    How to Implement and Test SSL Decryption 
  4. Go to your URL Filtering profile, in the Allow list add the following URL's:

    www.youtube.com/watch?v=hHiRb8t2hLM
    *.googlevideo.com

    ... the first entry is the URL for the container page itself, then *.googlevideo.com will allow the media that is fetched from that container page out of Google's content CDN at *.googlevideo.com .

    Also, make sure that the custom URL category you created is also "allowed" inside of the URL filtering profile.
    URL filtering profile detail showing the allowed URL List.URL filtering profile detail showing the allowed URL List.

  5. Commit and test.

 

Thanks to Milvaldi for the contribution.

owner: jdelio

 

Comments
by stmcadmin
on ‎04-16-2013 09:21 PM

I have found this not working as per instructions.

1. I cannot use *.youtube.com/watch?v=arhKVwbPBi8&* in the custom URL category for I get the error "Invalid URL pattern". Removing the * and having the full address works.

2. The same error is displayed "Invalid URL pattern" when I add the youtube link with a * wildcard in step 2.

3. To get the youtube video to play there is extra links required. like "www.youtube.com/annotations....  www.youtube.com/ptracking.....    www.youtube.com/live_communcation....." You cannot add these because it only accepts the * wildcard after a fullstop.


We are running PAN ver 4.1.7


Were these instructions meant for PAN 5.*??????

by engineers@solidborder.com
on ‎05-21-2013 05:54 PM

I`m not getting this to work either :smileysad:

Im on a PA-500

by jeffhooi
on ‎05-22-2013 08:21 PM

To do this, i use full url pattern.

by StevenDP
on ‎07-11-2013 06:30 AM

To make this work, you can simply add s.ytimg.com/* and i1.ytimg.com/* to the custom category.

by prb
on ‎03-04-2014 01:06 PM

Why do we need the custom category, when we already have the URL in allow-list?

Am I missing something?

by
on ‎03-04-2014 01:24 PM

prb, I hear what you are saying.  I never really noticed that it was "duplicated" in the allow list and inside of the custom URL.

If I get a chance to set this up and test, I will see if we can remove it from either.  Because it is needed in at least 1, if not both.

If you are able to test this out, please let me know.

by afiq
on ‎03-05-2014 06:50 PM

if you have a list of URLs to be allowed, recommended to use custom URL category else just use the allow-list.

by towry_support
on ‎04-07-2014 11:17 AM

I understand why we use Custom URL Category within a URL Filtering Profile, however, how are we supposed to keep all the duplicated URL Filtering Profiles in Sync?

Or is it that each URL Filtering Profile is supposed to be unique and only used to filter a single category or site?

There may be trouble ahead managing the categories within lots of URL Profiles.. What is the best approach? :smileyhappy:

by
on ‎04-11-2014 10:44 AM

The reason you have the URL filtering profiles could be for many reasons..

Different users, groups, departments, customers(vsys) have different requirements.. 

You can have one profile that allows all.. one that blocks all, one that alerts all. and they can all have special "Allow (white) list" or "Block (black) lists"

The possibilities are endless, and it is up to you to make it only as complicated as it is needed.

I hope that makes sense.

by Blackstone
on ‎08-21-2014 12:46 PM

Has Google changed anything recently that breaks this method? I have had my PA unit setup this way for over a year and within the last couple weeks the videos are failing to play.

by
on ‎08-21-2014 12:51 PM

Google is constantly changing their site settings, which makes this very hard to document how to do this.  Please allow me to troubleshoot this in my lab and see if I can re-write this document as soon as I have determined the issue.

by gkaiser
on ‎08-21-2014 03:36 PM

As I see this, there are two issues being discussed here:  1) PA's wildcard syntax and 2) YouTube blocking/allowing.  I'm interested in both, but the syntax question has me stumped.

In PA's world, the asterisk seems to be limited to matching labels in a URL.   abc.*.com   and   *.abc.com   work as I would expect.  I cannot get the abc*.com to work.  I would expect the later to match a first label that starts with the characters abc.  PA says it's illegal syntax for a wildcard. 

Am I missing something?

by Blackstone
on ‎08-22-2014 08:51 AM

Simple answer, having the wildcard in a string value won't work.

Every sub string is considered a value and can have any number of ASCII characters that does not contain a separator or *.

Separators:

.

/

?

&

=

;

+

So abc.*.com would be  abc=value 1     *=value 2     com=value 3     All separated by the "."

Only a value by itself can be a * or needs to follow a separator. abc.com/* or abc.com/loginID=*

by kstiver
on ‎10-07-2014 12:03 PM

On our PA5060 running 5.0.10 I have the following configuration which works as expected:

I created the Custom URL Category as jdelio suggests, and I populate it with:

s.youtube.com

*.googlevideo.com (this is a recently new requirement)

www.youtube.com/crossdomain.xml

Then I am also able to add individual video playback links such as:

www.youtube.com/watch?v=uo7H_ILs1qc  (also a wildcard pattern such as www.youtube.com/*=uo7H_ILs1qc works)

Some cases appear to require two or more URLs added due to redirecting (review logs to validate):

youtu.be/VEgvR8h7EAY redirects to: www.youtube.com/watch?v=VEgvR8h7EAY

Lastly, open your existing URL Filtering Profile that is blocking 'streaming-media' and set the 'streaming-media-exceptions' category to 'allow'

by IBMco
on ‎01-22-2015 01:05 PM

in this moment  add follow url  and videos load

*.c.youtube.com

*.s.youtube.com

*.s2.youtube.com

*.*.c.youtube.com

s.youtube.com

*.googlevideo.com

www.youtube.com/watch?v=Ke-NwEvRdQg

*.youtube.com/watch?v=Ke-NwEvRdQg/

*.youtube.com/annotations_invideo/

*.youtube.com/get_video/

*.youtube.com/watch_fragments_ajax/

*.youtube.com/set_awesome/

*.youtube.com/player_204/

*.youtube.com/share_ajax/

*.youtube.com/watch?v=L/

www.youtube.com/watch?v=HNjFkD9RcK0

www.youtube.com/watch?v=T9taDeGapYU

www.youtube.com/watch?v=TrJkD41EUno

www.youtube.com/watch?v=3pZ2vys-bm4

www.youtube.com/watch?v=1NDSkXtCbsU

www.youtube.com/watch?v=vYuUrdSwcKo

www.youtube.com/watch?v=MYITYCeLeAE&feature=youtu.be

www.youtube.com/watch?v=dTgS09I6bV0

www.youtube.com/watch?v=E3N4n9nMF0k

www.youtube.com/watch?v=ylJuVe3zM2k

www.youtube.com/watch?v=cudSaRmrpTs

www.youtube.com/watch?v=FXpEEY1U0h0

www.youtube.com/watch?v=amUVuEO1jDI

www.youtube.com/watch?v=RIZjNziClzk

www.youtube.com/watch?v=Ke-NwEvRdQg

www.youtube.com/watch?v=MqccVKkY0Ks

www.youtube.com/watch?v=L-Mvw-A9ZN0

*.youtube.com/watch?v=HNjFkD9RcK0/

*.youtube.com/watch?v=T9taDeGapYU/

*.youtube.com/watch?v=TrJkD41EUno/

*.youtube.com/watch?v=3pZ2vys-bm4/

*.youtube.com/watch?v=1NDSkXtCbsU/

*.youtube.com/watch?v=vYuUrdSwcKo

*.youtube.com/watch?v=MYITYCeLeAE&feature=youtu.be/

*.youtube.com/watch?v=dTgS09I6bV0/

*.youtube.com/watch?v=E3N4n9nMF0k/

*.youtube.com/watch?v=ylJuVe3zM2k/

*.youtube.com/watch?v=cudSaRmrpTs/

*.youtube.com/watch?v=FXpEEY1U0h0/

*.youtube.com/watch?v=amUVuEO1jDI/

*.youtube.com/watch?v=RIZjNziClzk/

*.youtube.com/watch?v=Ke-NwEvRdQg/

*.youtube.com/watch?v=MqccVKkY0Ks/

*.youtube.com/watch?v=L-Mvw-A9ZN0/

but in chrome dont load

by Emreb
on ‎03-08-2015 08:33 AM

Hi,

is it possible to block all youtube videos but only allow accessing the education. I research other vendors that can do that by adding an education filter keyword(shared from youtube) to their web filtering policy.

thanks,

by
on ‎03-09-2015 10:17 AM

Emreb,

I just looked some of this up, and as far as I know, there is no "Education" URL Category.. there is "Educational-institutions" URL category.. but that is not the same thing.

The simplest thing that I could see you doing is to create a custom URL to allow that would include youtube.com/education, which is the #Education - YouTube URL.

You might have to enter both www.youtube.com/education, as well as youtube.com/education

Then block all other streaming media, and if they went to the Education link, then that should work.

by Emreb
on ‎03-10-2015 03:49 PM

Hi Jdelio,

Actually the below links are showing what i want to do. creating a custom URL like youtube.com/education is only allow this url. but I try to watch a video in the youtube.com/education then it is blocking.

How YouTube for Schools Works - YouTube Help

http://kb.cyberoam.com/default.asp?id=2780&Lang=1&SID=

by alej_sald
on ‎04-29-2015 02:54 PM

the only way I could make this work was using decryption to streaming media, adding a URL profile with streaming-media blocking then adding this in the allow list of the profile:

*.googlevideo.com

img.youtube.com

img.youtube.com/vi/SXF-iYysflw/0.jpg

*.youtube.com/watch?v=V4eiBZdApAs (video to allow)

youtu.be/V4eiBZdApAs (video to allow)

www.youtube.com/watch?v=V4eiBZdApAs (video to allow)

www.youtube.com/index

www.youtube.com/opensearch?locale=es_mx (test was done in mexico)

*/crossdomain.xml

*.youtube.com/player_204

*.youtube.com/favicon.ico

*.youtube.com/videoplayback

r2---sn-0opoxu-huts.googlevideo.com/

s.youtube.com/

www.youtube.com/crossdomain.xml

by mivaldi
‎11-17-2015 06:39 PM - edited ‎11-17-2015 06:42 PM

Try this solution:

 

In this example we only want to allow https://www.youtube.com/watch?v=hHiRb8t2hLM

 

Then:

 

1) Block streaming-media in your URL Filtering Profile

 

2) Create a Custom URL Category from Objects > Custom Objects > URL Category. 

Your Custom URL Category must include these entries:

 

*.youtube.com

*.googlevideo.com

www.youtube-nocookie.com

 

... this will make sure that any youtube page or content you go to is decrypted, so that the full HTTP GET can be read.

 

3) Add a decryption policy of type SSL Forward Proxy, the decryption policy must be tied to your Custom URL Category in the "Service/URL Category" tab.

 

3) Go to your URL Filtering profile, in the Allow list add:

 

www.youtube.com/watch?v=hHiRb8t2hLM

*.googlevideo.com

 

... the first entry is the URL for the container page itself, then *.googlevideo.com will allow the media that is fetched from that container page out of Google's content CDN at *.googlevideo.com

by robertsa
on ‎01-07-2016 09:49 AM

Hey mivaldi,

 

I tried your solution and it allowed access to www.youtube.com/watch?v=hHiRb8t2hLM but it also allowed access to all other YouTube Videos. I must be doing something wrong. Please advise?

by mivaldi
on ‎01-14-2016 11:43 AM

@robertsa

 

I noticed something similar *if* you clicked on other listed videos after you accessed the *allowed* video, however if you would browse straight to any other videos the access would be denied. Was this your experience ?

by
on ‎12-21-2016 01:53 PM

This article has been updated, Please let us know if there are any issues.

by RicardM
on ‎02-07-2017 08:25 AM

Hello,

 

I tried this, but I see that now everything of youtube is allowed.....

What I want is to block youtube in general and only permit some exceptions.

Can someone confirm me whether this article is valuable or not?

Thanks in advance,

 

 

Ricard Malvesi Saguer

by RichMichael
on ‎03-12-2017 05:50 AM
Register now
Ask Questions Get Answers Join the Live Community