08-26-2010 08:25 AM
I have a need to block YouTube via application filter like it used to be before the update to the application filter that allows the front page to be viable, but not any of the videos. I used the custom filter document and was able to get most of the page to not display; however, YouTube pulls style sheets from another URL, ytimg.com. Since this isn't really a request header, how would I write a custom application filter to block all of the page? Has anyone already done this?
Thanks.
08-26-2010 08:29 AM
You could create a custom app that looks for this RegEx in the http-req-header:
.*(ytimg.com)
A URL filter might be a better choice, but there are multiple ways to accomplish the same task.
08-26-2010 08:31 AM
I will try the regex option. I don't want to manage any more URL profiles than I have to, and I am not on 3.1. Application filtering is a better option for my configuration.
08-26-2010 11:08 AM
Here's what I saw in the PCAP:
GET /yt/cssbin/www-core-vfl186161.css HTTP/1.1
Accept: */*
Referer: http://www.youtube.com/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
Accept-Encoding: gzip, deflate
Host: s.ytimg.com
Connection: Keep-Alive
So our problem is that using the RegEx expression .*(Host:).*(s.ytimg.com) is not seven bytes. The RegEx expression must be seven bytes in order to be accepted by PAN OS.
You may have to use a URL filtering profile here to block the domain ytimg.com.
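An added example, not from the thread and written against Python's `re` module rather than the PAN-OS signature engine: it compares the pattern posted above with a Host-anchored, dot-escaped form, using the request from the PCAP plus two constructed requests. The strict pattern, the function names and the `.example` hosts are assumptions of this example.

```python
import re

# Pattern as posted in the thread: the dot is unescaped (matches any byte)
# and nothing ties the match to the Host header.
LOOSE = re.compile(r".*(ytimg.com)")

# Tighter form (assumption of this example): anchored to the Host header
# line, dots escaped, optional subdomain labels and port.
STRICT = re.compile(
    r"^Host:[ \t]*(?:[a-z0-9-]+\.)*ytimg\.com(?::\d+)?[ \t]*\r?$",
    re.IGNORECASE | re.MULTILINE,
)

def loose_match(request: str) -> bool:
    return LOOSE.search(request) is not None

def strict_match(request: str) -> bool:
    return STRICT.search(request) is not None

# The request shown in the PCAP post.
PCAP_REQUEST = (
    "GET /yt/cssbin/www-core-vfl186161.css HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Referer: http://www.youtube.com/\r\n"
    "Accept-Language: en-us\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: s.ytimg.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

# Constructed requests that should NOT be treated as ytimg.com traffic.
REFERER_ONLY = (
    "GET /page HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Referer: http://s.ytimg.com/yt/cssbin/x.css\r\n\r\n"
)
LOOKALIKE_HOST = "GET / HTTP/1.1\r\nHost: www.ytimg-com.example\r\n\r\n"

if __name__ == "__main__":
    samples = {"pcap": PCAP_REQUEST, "referer-only": REFERER_ONLY,
               "lookalike": LOOKALIKE_HOST}
    for name, req in samples.items():
        print(f"{name:13} loose={loose_match(req)} strict={strict_match(req)}")
```

The loose pattern flags all three requests, while the Host-anchored form flags only the request actually sent to s.ytimg.com.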
08-26-2010 11:11 AM
That is what I am trying to get away from. I am curious how Palo Alto used the filter before they updated it to do what I am trying to do.
08-26-2010 11:14 AM
This should explain everything: