I'm trying to block all YouTube channels and allow to pass only few of them.
For first look it should be easy, one rule for passing allowed channels and second rule for blocking all other channels.
But it doesn't work .
Youtube of course use URL to open channel but later downloading streaming from others addresses .
Not sure how to isolate addresses from which YouTube download video and pass only them .
I've seen many cases and helps but maybe it worked in 2015 but on December 2016 all of them just don't work.
What is worse transmission is encrypted and PaloAlto decrypting works strange and sometimes even not at all with Google .
So I'm asking you if maybe someone has working solution how to deal with YouTube channels ?
You should be able to get this working then, although not at all easily. If your disabling all of YouTube that should be working failry well if you decrypt traffic. Allowing select channels is where you are really going to begin running into issues as the content tends to move around a lot for low volume channels. You'll need to monitor the URLs that are being used and then create an allow rule for them. Simply getting users to the channel page as you have no doubt figured out isn't that difficult, loading those videos and making sure that you allow those sources is tricker and will involve a fair amount of time.
It's more complicated than people thought.
Block all youtube channel is easy. Allowing few youtube channels is easy by allowing strict URL .
Here problems started. Video streaming is downloading from google cloud and have nothing with allowed URL.
If you allow url you still block google cloud and you won't see anything. If you allow google cloud you allow all youtube streaming regardless of not allowed youtube channels .
Thinking and thinking how to resolve this puzzle .
Adresses from which youtube streams video has nothing with allowed URLs and you cant allow adresses from youtube cloud because it's allow all youtube streaming .
Of course I decrypt all youtube transmission.
Any thoughts ?
You won't be able to. If your blocking where YouTube holds the actual videos from an applicaiton level then even when you allow access to the URL your still going to be blocking the video that is needed.
If this needs to be done for training I would recommend seeing if the content creator will allow you to download the video from YouTube using one of the many download programs and storing them on a file share that everyone can access.
This is a confusing topic, You can refer to this if it will help at all, this shows how to allow 1 video but block others..
I think you are right alone I can't do this alone without help from PaloAlto . As long as youtube will separate channel and video streaming. Sad :(( I pay a lot for one of best NGFW and can't do simple filtering :( Shame
The article is very old , useless in 2016 and if you read comments you will see that it doesn't work and people still looking for working solution .
@Animex, I just wanted to make it clear that you can actually make this work. This isn't by any means quick and you will likely need to keep the policies updated due to Google itself switching things around to keep them up. Like any website if you block a part of it from loading (such as the video) you only recieve what you actually have access to; since you are blocking YouTube from pulling that content it won't be displayed unless you build a rule allowing access to the storage source, and allow the application through.
ONe thing that people seem to forget with NGFW is that everything we want these boxes to do is actually really complicated due to the services that we want them to 'filter'. Dynmaic sources and service providers moving things around makes everything even harder; so when you want to block all of an application but this one little thing then it just keeps getting harder and harder to do it.
To be clear, you can accomplish this with a PaloAlto device. The upkeep to keep a rule as complicated as this working when Google decides to move things around gets a lot more difficult because you won't realize that it's broken until someone brings it up.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!