06-14-2013 08:36 PM
We are running PA-3050 HA pairs in active-passive configuration. PANOS 5.0.4 is installed. We have been running 3050's since early May.
We have a security policy defined to block all youtube apps for any user, unless they are in a specified Active Directory group, in which case only youtube-base is allowed. This policy is App-ID based only, and as such we do not block Youtube URLs. The result of this policy has always been that users can browse youtube.com, but cannot play videos (they either get an error in the player, or nothing happens). Users can also sometimes see embedded Youtube, but cannot play (this depends on the page where the videos are embedded).
In the last several weeks I've noticed that if I were to browse Youtube.com, I could load and play SOME, but not all videos. Some of my colleagues have mentioned that they encountered embedded videos that will sometimes play as well. This was disconcerting due to the fact that neither I nor my colleagues are granted permanent Youtube access. The "success rate" of getting a youtube video to play seems to be on the increase, at least based on my anecdotal observations. There seems to be a correlation between the age of the youtube video and my ability to sneak it past the firewall. Specifically, "old" videos tend to get blocked, while many videos uploaded sometime in 2013 get past the security policies.
Turning to my traffic logs, I notice that when I get a youtube video blocked, the app is identified as "youtube-base" and therefore matches with the security policy to deny Youtube. However when I successfully load and play a video, I see that I am generating traffic identified as "flash", with a destination IP somewhere in Google's IP block (all addresses resolve to a 1e100.net domain). This improper app identification causes the traffic to not match the desired policy and hence be allowed.
I reviewed the applications recognized on my device, and do not see any new youtube child apps. This was not happening when we first switched to 3050's as I thoroughly tested all security policies. My current suspicion is that Google is retooling something with Youtube and it is now behaving differently.
If anyone has encountered this or has an explanation I would appreciate it. I decided to try the communities first rather than create yet another support case.
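An added example, not part of the original post: one way to measure how often this happens from an exported traffic log is to flag allowed "flash" sessions whose destination resolves under 1e100.net, and mark those that occur close to a "youtube-base" deny from the same source. The CSV column names, the addresses and the PTR lookup table are constructed for illustration and are not the PAN-OS log schema.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not the PAN-OS schema.
SAMPLE_LOG = """time,src,user,app,action,dst
2013-06-14 10:00:01,10.1.1.20,alice,youtube-base,deny,203.0.113.10
2013-06-14 10:00:04,10.1.1.20,alice,flash,allow,203.0.113.11
2013-06-14 10:05:00,10.1.1.30,bob,flash,allow,198.51.100.7
2013-06-14 10:06:00,10.1.1.40,carol,flash,allow,203.0.113.12
2013-06-14 10:30:00,10.1.1.20,alice,flash,allow,203.0.113.11
"""

# Constructed reverse-DNS results (documentation addresses), so the check runs offline.
SAMPLE_PTR = {
    "203.0.113.10": "ex-in-f10.1e100.net",
    "203.0.113.11": "ex-in-f11.1e100.net",
    "203.0.113.12": "ex-in-f12.1e100.net",
    "198.51.100.7": "cdn.example.com",
}

def find_suspect_sessions(log_text, ptr, window_s=30):
    """Return (time, src, dst, near_deny) for allowed 'flash' sessions to 1e100.net.

    near_deny is True when the same source had a 'youtube-base' deny within
    window_s seconds, which points at one player splitting across two App-IDs.
    """
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
    denies = [r for r in rows
              if r["app"] == "youtube-base" and r["action"] == "deny"]
    window = timedelta(seconds=window_s)
    suspects = []
    for r in rows:
        if r["app"] != "flash" or r["action"] != "allow":
            continue
        host = ptr.get(r["dst"], "")
        # Match the domain or a true subdomain, not any name ending in the string.
        if host != "1e100.net" and not host.endswith(".1e100.net"):
            continue
        near = any(d["src"] == r["src"] and abs(d["ts"] - r["ts"]) <= window
                   for d in denies)
        suspects.append((r["time"], r["src"], r["dst"], near))
    return suspects

if __name__ == "__main__":
    for hit in find_suspect_sessions(SAMPLE_LOG, SAMPLE_PTR):
        print(hit)
```

Counting the flagged sessions per day gives a figure for the "success rate" to attach to a support case instead of an anecdotal estimate.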