Blocking youtube

Reply
Highlighted
L0 Member

Blocking youtube

How can I properly block youtube, because it's bypassing a PA-3050 on port 443 (https://)?

Highlighted
L4 Transporter

Re: Blocking youtube

You can either implement SSL decryption, or use URL filtering. (If you use URL filtering, and don't implement SSL decryption, your user will be greeted with a blank page since the firewall can't inject the comfort page.)

Highlighted

Re: Blocking youtube

I believe you could do in two different ways:

1. Build a security policy with app youtube-base and action block;

2. Use an URL filtering profile to block streaming-media category (would block more but you could use allow list to make exceptions... or add youtube with wildcards on the block list of a url filtering that allow streaming media categories;

Highlighted
L5 Sessionator

Re: Blocking youtube

Unfortunately neither of those solutions works (without SSL decryption). I have youtube application blocked, all streaming media blocked with URL filtering, youtube.com in URL block list and youtube still works. It is recognised as SSL application and goes to an URL which is categorised as 'search-engines'. I'll try to catch this URL and add it to block list. 

Highlighted
L6 Presenter

Re: Blocking youtube

You can block youtube with or without SSL Decryption.

 

With SSL Decryption, and if you don't want to implement it for *everything* you can do a targeted decryption to *.google.com and then block youtube.com and *.youtube.com with a Custom URL Category, or simply add those lines to the URL Filtering Profile Block List. I explain how to do a targeted decryption on document: How to Block a Specific HTTPS Site with URL Filtering

 

Without SSL decryption we can't see the HTTP GET, so URL Filtering wouldn't ever trigger. However, without SSL decryption we can still see the SNI (sent from the Browser) and the CN (inside Subject Name field, in the certificate presented by the server). The CN for youtube is *.google.com, however blocking this will also block all HTTPS sites with certificates that present *.google.com

 

Note that in order to present a block page without SSL decryption, you may want to refer to How to Serve a URL Response Page Over an HTTPS Session Without SSL Decryption

 

The SNI is sent from the browser on the SSL 'Client Hello' message, and it is, in this example: www.youtube.com

 

Screen Shot 2015-01-06 at 9.41.22 AM.png

This means that adding an URL Filtering Block rule for *.youtube.com, will block access to YouTube by leveraging the SNI.

 

This (reading SNI) is a feature which was included on PAN-OS 6.0

Please note that not all browsers do support SNI (not all of them send the SNI value).

 

Note that the SNI is an extension of TLS (a.k.a SSLv3.1 and above), so SSLv3.0 won't send the SNI, even if you are using the correct browser. Please disable SSLv3.0 in your browser to make sure it's not contributing to the problem. Digicert has an excellent tutorial on how to achieve this. See: Disabling Browser Support - SSL v3 Protocol | DigiCert.com

 

To know when SNI was implemented into a Browser/Operative System combination, there's a good article on it on Wikipedia. See: Server Name Indication - Wikipedia, the free encyclopedia

Implementation[edit]

In 2004, a patch for adding TLS/SNI into OpenSSL was created by the EdelKey project.[5] In 2006, this patch was then ported to the development branch of OpenSSL, and in 2007 it was back-ported to OpenSSL 0.9.8.

For an application program to implement SNI, the TLS library it uses must implement it and the application must pass the hostname to the TLS library. Further complicating matters, the TLS library may either be included in the application program or be a component of the underlying operating system. Because of this, some browsers implement SNI when running on any operating system, while others implement it only when running on certain operating systems.

Web browsers[6][edit]

Highlighted
L6 Presenter

Re: Blocking youtube

just write a custom app-id and use client hello for ssl and pattern as youtube.com

write a deny rule for that application

youtube will not work with https

you don't need to use ssl decryption.

Highlighted
L6 Presenter

Re: Blocking youtube

Youtube.png

Highlighted
L4 Transporter

Re: Blocking youtube

Without SSL decryption, the firewall thinks that Youtube is also Google.

Browse to https://www.youtube.com and look at the certificate information. The CN is *.google.com.

L3 Networker

Re: Blocking youtube

by creating a custom app-id it takes precedence over builtin apps.

Highlighted
L4 Transporter

Re: Blocking youtube

Hi Wilmar,

You can do this  inter SSL = 443 in service Tab and let me know ?

gaaf.PNG

Regards

Satish

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!