Youtube streaming not blocking


L1 Bithead

We want to block youtube streaming via Palo Alto. We create the Custom URL Category "testing" and enter the site "*.youtube.com" (with quotation). We select the testing category in Decryption profile and Action "Decrypt" and Type SSL Forwarding. We create the security policy src:any, destination:any and deny youtube-base. But we can still view streaming on Chrome and Firefox. We don't have URL Filtering license.

12 REPLIES 12

Cyber Elite

you don't need to use quotes in custom URL categories, simply set

 

*.youtube.com

*.youtube.com/*

 

https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-security...

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

hold on

 

you mention that in your security policy you set youtube-base but you do not mention you added a url-filtering profile

 

can you confirm you created a url filtering security profile and added it to your security policy ?

does your policy look like this?

[image: url filtering.png]

 

it might be better if you split up your policy to have a block rule for youtube-base and then a web-browsing policy that blocks your custom url profile, in case

[image: better way.png]

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Reaper, if they don't have a URL filtering license will applying a URL profile even work?

Community Team Member

Hi,

 

It will on custom URL categories.

 

Cheers,

-Kiwi

LIVEcommunity team member, CISSP

if I'm not mistaken, if you already have a URL database (say, had a subscription but let it lapse), you can still process rules against it, you just won't get updates.

 

not applicable here, but just pointing out I believe the only thing the URL license does for you is updates.

Good point! Also looking for the confirmation on this :-0

It will work, but you will get a warning for each rule using the URL profile every time you commit. It gets annoying pretty fast.

 

Benjamin

what's a warning? I hardly ever read failure messages.


@bradk14 wrote:

if I'm not mistaken, if you already have a URL database (say, had a subscription but let it lapse), you can still process rules against it, you just won't get updates.

 

not applicable here, but just pointing out I believe the only thing the URL license does for you is updates.


depends slightly on which database you're using:

brightcloud has a downloaded database with the top 2mil most popular websites. once the license expires that list will remain usable but there will be no updates, so miscategorization because a site changes its behavior will start stacking up. once the license is expired dynamic cloud lookups will also stop working

 

PAN-DB builds a cache from cloud lookups. once the license expires cloud lookups will no longer work and your cache will quickly deprecate

 

for custom URL categories you don't need a license

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@bradk14

You missed the /s right...right!? 

I've had co-workers in the past that won't read error messages and will make me jump on the system to figure out why it's 'just not working', even when the error message is telling them exactly why. Makes my eye twitch reading something like that 😉 

@BPry I was trying real hard to ignore that one comment 😛 *twitch*

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper thanks for clarification on the database

 

@BPry half truth on my part. I know where you're coming from, that's called job security for me. nobody reads error messages or how to use google if they do. but truth is that in my environment, there's never a commit without warnings (of course if you don't address them, they won't go away), so that I have warning fatigue. On the rare occasion there's a failure, it usually takes me 2 or 3 commits to even notice. but when I do notice them, I do read them. promise.

  • 4628 Views
  • 12 replies
  • 0 Likes