cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Need to Allow Video-Streaming from Specific Website

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Need to Allow Video-Streaming from Specific Website

Jafar_Hussain
L4 Transporter

‎10-20-2020 11:47 PM

Hello Dears,

 Requirement:- I want to allow only some educational videos (educational videos belong from training and tools URL category) for my environment.

Below i have tried:-

  • I have checked all the streaming videos played on YouTube or any the streaming media category.
  • When we allow traffic for training and tools as well as streaming media category the website working fine.
  • But according to my requirement only learning video should be play rest should be block.
  • I have tried to achive my requirement by the below documents:-
  • https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClikCAC
  • According to the documents to achieve my requirement there is one option “Overrides” in URL filtering. But unfortunately this option is not available in latest PAN-OS (“Override” option was available on previous version). my PAN OS is 9.1.3

 

Could you please suggest is there any other way to achive my requirement.

Thanks.

 

0 Likes Likes
10 REPLIES 10

SteveCantwell
Cyber Elite
Cyber Elite

‎10-21-2020 05:35 AM - edited ‎10-21-2020 05:36 AM

Hello

 

Yes, I can understand your query now.

 

It is simple, and let me explain.

In previous versions, the Override was used an "Allow" or "Block", that was processed before the built in categories.

 

in 9.1.3, the functionality is the same.  Look for creating two (2) Custom URL categories.

One will be (blocking) *.youtube.com

 

The other one will be for those site you want to allow:

 

Be sure to look at the two attached pics on this thread/response.

 
 

 

 

 

 

 

Help the community: Like helpful comments and mark solutions
Preview file
31 KB
Preview file
18 KB
0 Likes Likes

Jafar_Hussain
L4 Transporter
In response to SteveCantwell

‎10-21-2020 05:42 AM

@SteveCantwell 

Thank you for your reply.

Let me check this. i will confirm you it is working or not.

0 Likes Likes

Jafar_Hussain
L4 Transporter
In response to Jafar_Hussain

‎10-21-2020 06:50 AM

@SteveCantwell 

It means i need to create a policy like this:-

source one- inside

source address- any

destination zone - outside

destination address - any

application - any

service - any

action - allow

 

in security profile - need to create a URL filtering that is mention by you and all other URL category should be block.  is this correct.?

 

0 Likes Likes

SteveCantwell
Cyber Elite
Cyber Elite
In response to Jafar_Hussain

‎10-21-2020 11:51 AM

Yes, that could work fine.

 

Totally different comment here:

 

Question though... WHY such an open rule?  Can you lock it down?

 

Can you make 2 security policies, to accomplish the same thing.

 

Traffic from SZone to DestZone (IP of tube), using youtube application on APPOVED_Youtube_URL, on application default?

Next rule.. deny ALL traffic to youtube?

 

 

Help the community: Like helpful comments and mark solutions
0 Likes Likes

Jafar_Hussain
L4 Transporter
In response to SteveCantwell

‎10-27-2020 06:29 AM

@SteveCantwell 

The same i tried but not working.

 custom URL cateogory:-

Jafar_Hussain_0-1603804977850.png

 

In URL filtering:- URL filtering name - (learning website video)

allowed (Approved_youtube) custom URL category and block (Block_youtube) custom URL category.

 

In policy:-

SZ- inside

S user- ANY

DZ- Outside

destination Address - Any

Application- ANY

Service- ANY

service/URL category- ANY

Action - Allow

profile setting - Apply only URL filtering profile learning website video.

 

but the issue still same. any other way , i can achive this ?

0 Likes Likes

SteveCantwell
Cyber Elite
Cyber Elite
In response to Jafar_Hussain

‎10-27-2020 06:39 AM

Can you provide snippets of logs, screen captures, etc.

 

Just saying it is not working.. is not enough.

 

What happens when you try to connect?  Error messages.

 

Your next steps is to take wireshark/packet captures to help you visualize what is happening on the wire, and you can configure your policies better.

 

TAC should be able to assist you as well.

 

 

Help the community: Like helpful comments and mark solutions
0 Likes Likes

Jafar_Hussain
L4 Transporter
In response to SteveCantwell

‎10-28-2020 01:27 AM

@SteveCantwell 

I took the packet capture and below are my findings:-

1 - I can see in packet capture most of the packet 'ignore unknown record' when i check it is causing of L4 checksum. do i need to disable the L4 checksum?

2 - As well as i run the counter command and found TCP sessions closed via injecting RST. for this, i have allowed the challenge-ACK  from the CLI.

3 - Below is the snapshot of the error while playing the video.

 

Jafar_Hussain_0-1603873467189.png

4 - Below is the snapshot of counter command:-

 

Jafar_Hussain_1-1603873547709.png

 

Jafar_Hussain_2-1603873572674.png

 

 

 

 

0 Likes Likes

Jafar_Hussain
L4 Transporter
In response to Jafar_Hussain

‎11-01-2020 05:15 AM

@SteveCantwell 

I have downgraded my firewall up to 8.1.0 and found the override option is available. but  i tried the same configuraion according to document but issue still persists.

 

Jafar_Hussain_0-1604236470740.png

 

0 Likes Likes

SteveCantwell
Cyber Elite
Cyber Elite
In response to Jafar_Hussain

‎11-02-2020 11:55 AM

@Jafar_Hussain 

 

Sounds like you have to open a ticket with the TAC.

 

Good luck and let me know what you find.

 

Thx

Help the community: Like helpful comments and mark solutions
0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks