Allow Youtube for some persons and blocking it for others

LCMember17002
L2 Linker

Hello,

I want to allow Youtube in general for a few users. For other users it should be blocked.

I created a rule that allows the youtube-application for a few users that are specified with the help of an active directory group. My second rule only allows web-browsing and blocks other applications.

This worked fine so far. After a while I noticed that youtube is still reachable and only gets blocked, when the application is identified. So I additionally blocked the youtube-URLs via url filtering in the second rule.

But unfortunately the youtube-users can't access youtube now. So I allowed the specified URLs in my first rule.

Again it works fine. My current problem now is that I have to specify the URL categories on both rules the same way. Is there another possibility to avoid this?

I hope you can understand my question and help me.

mikand
L6 Presenter

The tricky part is that a single session can only be identified as a single appid at a time. But also that a single session (well from the client point of view) can also change appid over time.

For example unknown -> web-browsing -> youtube -> youtube-upload

Similar occurs also for facebook where facebook is not fully recognised until the user is logged in or is requesting more specific "deep" links.

So to make your black/whitelist successful you not only need multiple rules but also involve url-filtering to make the whitelist rules as narrow as possible and blacklist rules as broad as possible (along with placing them in correct order - PA reads the rules top-down first-match).

I think something like this should be sufficient:

1) Allow youtube for specific users

appid: youtube (or use an app-group or app-filter), web-browsing (so this rule is hit for these users in case main page of youtube isn't recognised as appid youtube)

service: application-default (or specify TCP80 and TCP443)

user: <specific users or group of users>

url: category: streaming media

action: allow

log: on session end

2) Block appids

appid: youtube

service: any

user: any

url: any

action: deny

log: on session end

3) Block urls

appid: any

service: any

user: any

url: youtube.com, *.youtube.com, <and other urls that should be here and/or categories>

action: deny

log: on session end

4) Allow regular traffic for all users

appid: web-browsing

service: application-default (or specify TCP80 and TCP443 and what other ports should be open for outbound traffic)

user: any

url: category: <allowed categories>

action: allow

log: on session end

5) Default drop

appid: any

service: any

user: any

url: any

action: deny

log: on session end
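
The rulebase proposed above, as an added example (not part of the original posts and not PAN-OS code): a simplified Python model of top-down first-match evaluation, re-run when the session's appid shifts from web-browsing to youtube. The group name `yt-users`, the `news` allowed category and the host-to-category table are constructed assumptions.

```python
from fnmatch import fnmatch

# Constructed model of the five rules in the answer above; "yt-users" is a
# hypothetical group name and CATEGORY is a stand-in for the URL database.
CATEGORY = {"www.youtube.com": "streaming-media", "example.org": "news"}
ANY = None  # wildcard for a match criterion

RULES = [  # (name, apps, users, url criteria, action), read top-down
    ("1 allow youtube for group", {"youtube", "web-browsing"}, {"yt-users"},
     {"cat:streaming-media"}, "allow"),
    ("2 block appid", {"youtube"}, ANY, ANY, "deny"),
    ("3 block urls", ANY, ANY, {"youtube.com", "*.youtube.com"}, "deny"),
    ("4 allow regular traffic", {"web-browsing"}, ANY, {"cat:news"}, "allow"),
    ("5 default drop", ANY, ANY, ANY, "deny"),
]

def url_matches(criteria, host):
    """True if host matches any listed pattern or 'cat:<category>' entry."""
    if criteria is ANY:
        return True
    for c in criteria:
        if c.startswith("cat:"):
            if CATEGORY.get(host) == c[4:]:
                return True
        elif fnmatch(host, c):
            return True
    return False

def first_match(app, group, host):
    """Return (rule name, action) of the first rule matching all criteria."""
    for name, apps, users, urls, action in RULES:
        if ((apps is ANY or app in apps) and (users is ANY or group in users)
                and url_matches(urls, host)):
            return name, action
    raise AssertionError("unreachable: rule 5 matches everything")

def trace(group, host, app_stages):
    """Re-evaluate the rulebase each time the session's appid changes."""
    return [(app, *first_match(app, group, host)) for app in app_stages]

if __name__ == "__main__":
    stages = ["web-browsing", "youtube"]  # appid shift described in the answer
    for group in ("yt-users", "staff"):
        print(group, trace(group, "www.youtube.com", stages))
    print("staff", trace("staff", "example.org", ["web-browsing"]))
```

For a user outside the group, the early web-browsing stage is denied by rule 3 and the later youtube stage by rule 2, which is why both deny rules sit above the general allow.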
