This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Allow Youtube for some persons and blocking it for others

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Allow Youtube for some persons and blocking it for others

LCMember17002
L2 Linker

‎08-22-2013 05:13 AM

Hello,

I want to allow Youtube in general for a few users. For other users it should be blocked.

I created a rule that all allows the youtube-application for a few users that are specified with the help of an active directory group. My second rule does only allow web-browsing and blocks other applications.

This worked fine so far. After a while I noticed that youtube is still reachable and only gets blocked, when the application is identified. So I additionally blocked the youtube-URLs via url filtering in the second rule.

But unfortunately the youtube-users can't acces youtube now. So I allowed the specified URLs in my first rule.

Again it works fine. My current problem now is, that I have to specify the URL categories on both rules the same way. Is there another possiblity to avoid this?

I hope you can understand my question and help me.

0 Likes Likes
1 REPLY 1

mikand
L6 Presenter

‎08-30-2013 02:26 PM

The tricky part is that a single session can only be identified as a single appid at a time. But also that a single session (well from the client point of view) can also change appid over time.

For example unknown -> web-browsing -> youtube -> youtube-upload

Similar occurs also for facebook where facebook is not fully recognised until the user is logged in or is requesting more specific "deep" links.

So to make your black/whitelist successful you not only need multiple rules but also involve url-filtering to make the whitelist rules as narrow as possible and blacklist rules as broad as possible (along with placing them in correct order - PA reads the rules top-down first-match.

I think something like this should be sufficient:

1) Allow youtube for specific users

appid: youtube (or use an app-group or app-filter), web-browsing (so this rule is hit for these users in case main page of youtube isnt recognised as appid youtube)

service: application-default (or specify TCP80 and TCP443)

user: <specific users or group of users>

url: category: streaming media

action: allow

log: on session end

2) Block appids

appid: youtube

service: any

user: any

url: any

action: deny

log: on session end

3) Block urls

appid: any

service: any

user: any

url: youtube.com, *.youtube.com, <and other urls that should be here and/or categories>

action: deny

log: on session end

4) Allow regular traffic for all users

appid: web-browsing

service: application-default (or specify TCP80 and TCP443 and what other ports should be open for outbound traffic)

user: any

url: category: <allowed categories>

action: allow

log: on session end

5) Default drop

appid: any

service: any

user: any

url: any

action: deny

log: on session end

0 Likes Likes
  • 2278 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks