Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Need to Allow Video-Streaming from Specific Website

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Need to Allow Video-Streaming from Specific Website

L4 Transporter

Hello Dears,

 Requirement:- I want to allow only some educational videos (educational videos belong from training and tools URL category) for my environment.

Below i have tried:-

  • I have checked all the streaming videos played on YouTube or any the streaming media category.
  • When we allow traffic for training and tools as well as streaming media category the website working fine.
  • But according to my requirement only learning video should be play rest should be block.
  • I have tried to achive my requirement by the below documents:-
  • https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClikCAC
  • According to the documents to achieve my requirement there is one option “Overrides” in URL filtering. But unfortunately this option is not available in latest PAN-OS (“Override” option was available on previous version). my PAN OS is 9.1.3

 

Could you please suggest is there any other way to achive my requirement.

Thanks.

 

10 REPLIES 10

Cyber Elite
Cyber Elite

Hello

 

Yes, I can understand your query now.

 

It is simple, and let me explain.

In previous versions, the Override was used an "Allow" or "Block", that was processed before the built in categories.

 

in 9.1.3, the functionality is the same.  Look for creating two (2) Custom URL categories.

One will be (blocking) *.youtube.com

 

The other one will be for those site you want to allow:

 

Be sure to look at the two attached pics on this thread/response.

 
 

 

 

 

 

 

Help the community: Like helpful comments and mark solutions

@S.Cantwell 

Thank you for your reply.

Let me check this. i will confirm you it is working or not.

@S.Cantwell 

It means i need to create a policy like this:-

source one- inside

source address- any

destination zone - outside

destination address - any

application - any

service - any

action - allow

 

in security profile - need to create a URL filtering that is mention by you and all other URL category should be block.  is this correct.?

 

Yes, that could work fine.

 

Totally different comment here:

 

Question though... WHY such an open rule?  Can you lock it down?

 

Can you make 2 security policies, to accomplish the same thing.

 

Traffic from SZone to DestZone (IP of tube), using youtube application on APPOVED_Youtube_URL, on application default?

Next rule.. deny ALL traffic to youtube?

 

 

Help the community: Like helpful comments and mark solutions

@S.Cantwell 

The same i tried but not working.

 custom URL cateogory:-

Jafar_Hussain_0-1603804977850.png

 

In URL filtering:- URL filtering name - (learning website video)

allowed (Approved_youtube) custom URL category and block (Block_youtube) custom URL category.

 

In policy:-

SZ- inside

S user- ANY

DZ- Outside

destination Address - Any

Application- ANY

Service- ANY

service/URL category- ANY

Action - Allow

profile setting - Apply only URL filtering profile learning website video.

 

but the issue still same. any other way , i can achive this ?

Can you provide snippets of logs, screen captures, etc.

 

Just saying it is not working.. is not enough.

 

What happens when you try to connect?  Error messages.

 

Your next steps is to take wireshark/packet captures to help you visualize what is happening on the wire, and you can configure your policies better.

 

TAC should be able to assist you as well.

 

 

Help the community: Like helpful comments and mark solutions

@S.Cantwell 

I took the packet capture and below are my findings:-

1 - I can see in packet capture most of the packet 'ignore unknown record' when i check it is causing of L4 checksum. do i need to disable the L4 checksum?

2 - As well as i run the counter command and found TCP sessions closed via injecting RST. for this, i have allowed the challenge-ACK  from the CLI.

3 - Below is the snapshot of the error while playing the video.

 

Jafar_Hussain_0-1603873467189.png

4 - Below is the snapshot of counter command:-

 

Jafar_Hussain_1-1603873547709.png

 

Jafar_Hussain_2-1603873572674.png

 

 

 

 

@S.Cantwell 

I have downgraded my firewall up to 8.1.0 and found the override option is available. but  i tried the same configuraion according to document but issue still persists.

 

Jafar_Hussain_0-1604236470740.png

 

@Jafar_Hussain 

 

Sounds like you have to open a ticket with the TAC.

 

Good luck and let me know what you find.

 

Thx

Help the community: Like helpful comments and mark solutions

@S.Cantwell 

Thanks for the reply.

 

I believe we can achieve this requirement by the decrypt you tube traffic.

 

I just want to confirm can we decrypt youtube traffic or not.

Because when i applied the decryption policy on youtube. youtube stop working it is showing the below error

 

Jafar_Hussain_0-1604484532569.png

 

  • 12727 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!