Need to Allow Video-Streaming from Specific Website

L4 Transporter

Hello Dears,

Requirement: I want to allow only some educational videos (the educational videos belong to the training and tools URL category) in my environment.

Below is what I have tried:

  • I have checked that all the streaming videos played on YouTube fall in the streaming media category.
  • When we allow traffic for the training and tools category as well as the streaming media category, the website works fine.
  • But according to my requirement, only learning videos should play; the rest should be blocked.
  • I have tried to achieve my requirement using the document below:
  • https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClikCAC
  • According to the document, to achieve my requirement there is an option “Overrides” in URL filtering. But unfortunately this option is not available in the latest PAN-OS (the “Override” option was available in previous versions). My PAN-OS is 9.1.3.

Could you please suggest whether there is any other way to achieve my requirement?

Thanks.

 

Cyber Elite

Hello

 

Yes, I can understand your query now.

 

It is simple, and let me explain.

In previous versions, the Override was used as an "Allow" or "Block" that was processed before the built-in categories.

In 9.1.3, the functionality is the same. Look at creating two (2) Custom URL categories.

One will be (blocking) *.youtube.com

The other one will be for those sites you want to allow:

 

Be sure to look at the two attached pics on this thread/response.
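
Added example, not part of the thread and not PAN-OS code: a small Python model for checking which of the two custom URL categories described above a given request would hit. The list entries, the wildcard matcher and the `decrypted` flag are assumptions for illustration; the real list contents are only in the attached screenshots.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the two custom URL categories named in this thread.
# The real list contents are only in the screenshots, so the entries are placeholders.
CATEGORIES = {
    "Approved_youtube": ["www.youtube.com/watch?v=EXAMPLE_LESSON"],
    "Block_youtube": ["*.youtube.com"],
}
PROFILE_ACTIONS = {"Approved_youtube": "allow", "Block_youtube": "block"}


def visible_url(url, decrypted):
    """Return the string a URL filter can match against for this request.

    For HTTPS that is not decrypted, only the hostname from the TLS handshake
    is visible, so the path and query are dropped.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https" and not decrypted:
        return host
    query = "?" + parts.query if parts.query else ""
    return host + parts.path + query


def entry_matches(entry, seen):
    """Simplified matcher (assumption, not the firewall's own): '*' matches any
    run of characters, and a host-only entry covers every path on that host."""
    pattern = ".*".join(re.escape(piece) for piece in entry.split("*"))
    target = seen if "/" in entry else seen.split("/", 1)[0]
    return re.fullmatch(pattern, target, re.IGNORECASE) is not None


def evaluate(url, decrypted):
    """List the categories a request hits and flag allow/block overlap."""
    seen = visible_url(url, decrypted)
    hits = [name for name, entries in CATEGORIES.items()
            if any(entry_matches(e, seen) for e in entries)]
    actions = {PROFILE_ACTIONS[name] for name in hits}
    return {"seen": seen, "hits": hits, "conflict": len(actions) > 1}


if __name__ == "__main__":
    lesson = "https://www.youtube.com/watch?v=EXAMPLE_LESSON"
    for decrypted in (False, True):
        print(decrypted, evaluate(lesson, decrypted))
```

When a request hits both categories (the `conflict` case), the result depends on how the firewall resolves overlapping custom categories, so check the URL filtering log for the category and action actually applied.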

 
 

 

 

 

 

 

L4 Transporter

@SteveCantwell 

Thank you for your reply.

Let me check this. I will confirm whether it is working or not.

L4 Transporter

@SteveCantwell 

It means I need to create a policy like this:

source zone - inside

source address- any

destination zone - outside

destination address - any

application - any

service - any

action - allow

 

In security profile - I need to create the URL filtering that you mentioned, and all other URL categories should be blocked. Is this correct?

 

Cyber Elite

Yes, that could work fine.

 

Totally different comment here:

 

Question though... WHY such an open rule?  Can you lock it down?

 

Can you make 2 security policies, to accomplish the same thing.

 

Traffic from SZone to DestZone (IP of tube), using youtube application on APPOVED_Youtube_URL, on application default?

Next rule.. deny ALL traffic to youtube?

 

 

L4 Transporter

@SteveCantwell 

I tried the same, but it is not working.

Custom URL category:

Jafar_Hussain_0-1603804977850.png

 

In URL filtering:- URL filtering name - (learning website video)

allowed (Approved_youtube) custom URL category and block (Block_youtube) custom URL category.

 

In policy:-

SZ- inside

S user- ANY

DZ- Outside

destination Address - Any

Application- ANY

Service- ANY

service/URL category- ANY

Action - Allow

profile setting - Apply only URL filtering profile learning website video.

 

But the issue is still the same. Is there any other way I can achieve this?

Cyber Elite

Can you provide snippets of logs, screen captures, etc.

 

Just saying it is not working.. is not enough.

 

What happens when you try to connect?  Error messages.

 

Your next step is to take wireshark/packet captures to help you visualize what is happening on the wire, so you can configure your policies better.

 

TAC should be able to assist you as well.

 

 

L4 Transporter

@SteveCantwell 

I took the packet capture and below are my findings:

1 - In the packet capture I can see 'ignore unknown record' on most of the packets. When I checked, it is caused by the L4 checksum. Do I need to disable the L4 checksum?

2 - I also ran the counter command and found TCP sessions closed via injecting RST. For this, I have allowed the challenge-ACK from the CLI.

3 - Below is the snapshot of the error while playing the video.

 

Jafar_Hussain_0-1603873467189.png

4 - Below is the snapshot of the counter command:

 

Jafar_Hussain_1-1603873547709.png

 

Jafar_Hussain_2-1603873572674.png

 

 

 

 

L4 Transporter

@SteveCantwell 

I have downgraded my firewall to 8.1.0 and found the override option is available. I tried the same configuration according to the document, but the issue still persists.

 

Jafar_Hussain_0-1604236470740.png

 

Cyber Elite

@Jafar_Hussain 

 

Sounds like you have to open a ticket with the TAC.

 

Good luck and let me know what you find.

 

Thx
