In some cases you might be asked to enable the YouTube application but only for a few set of videos or the ones in a given playlist. MineMeld includes an experimental miner prototype that can extract the video items in a YouTube playlist and convert them into a URL list that can be imported into your Internet Gateway Palo Alto Networks Firewall to achieve such a goal.
There are three components that are needed to implement this use case:
The YouTube miner will use the provided API Key and the PlayList unique ID to grab the list of videos. They will be converted in a set of URL's (https://www.youtube.com/watch?v=...) that can be aggregated and placed into an output feed.
If you need additional videos then you can add a stdlib.listUrl miner node and manage your own exceptions.
The security policy in the FW will need two rules:
A ssl decryption rule is needed to allow the FW full access to the URL details to successfully apply the filters.
First, visit https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld and select the article (from the top right) about installing and running MineMeld appropriate to your environment. Note, if using the VMWare desktop instructions (https://live.paloaltonetworks.com/t5/MineMeld-Articles/Running-MineMeld-on-VMWare-desktop/ta-p/72038) you can go ahead with the "Super fast setup" but please download the cloud-init ISO and mount it on first boot. Assuming an IP comes via DHCP and you have internet access, your VM will automatically be updated to the latest version of Minemeld.
Make note of MineMelds IP address (from an ifconfig) and login from your browser (defaults to username: admin / password: minemeld)
Connect to https://console.cloud.google.com and login with your Google Account. If this is the first time you access the cloud console then an empty dashboard will be shown.
Navigate to the API Manager -> Library and then click on YouTube Data API.
You can use any existing project to attach the YouTube API also. If this is your first time or if you do not have any project then you must create a new one. Each Google Account is provided with a quota of up to 12 projects for free.
After clicking the "Create" button you will be send back to the YouTube Data API screen where you must click on "Manage" to allow this project access YouTube data. Once enabled the "Create credential" button will be shown for you to move on.
Fill the form as shown in the following screen capture and click on "What credentials do I need?" to disclose the API key.
This is the API Key you'll be asked for in the step 4. So copy it to a safe place.
This is the easiest part. We'll cover three common demands:
In the case you already know, just navigate YouTube until you reach the playlist you want to enable and copy its ID from the URL.
The following screen captures are for the Ligthboard Series playlist in the Palo Alto Networks channel.
If you need to get the videos from a specific channel, then you can take advantage of an "under-the-hood" mapping in YouTube between the Channel ID and its corresponding Upload Playlist ID. Let's take, as an example, the Live Community Channel in Palo Alto Networks' YouTube Account.
This channel's ID is UCPRouchFt58TZnjoI65aelA so its corresponding upload playlist id (containing the 87 videos uploaded to this channel) will be UUPRouchFt58TZnjoI65aelA. In other words: you just need to change the second character "C" with a "U".
Something equivalent happens for YouTube users. Each user in YouTube has an internal Channel ID that, if transformed, becomes the user's upload PlayList ID. To display any YouTube user internal Channel ID just play a video from that user and click on his name.
In this case we're using the Palo Alto Networks YouTube user as a example. Click on the user name to navigate to the YouTube user profile page. Note in the URL the Channel ID for this user.
In this case the Channel ID for the Palo Alto Networks user is UC2UPStk47kvhBn8P7Q5BaAg and its corresponding upload playlist ID (containing all videos uploaded by this user) will be UU2UPStk47kvhBn8P7Q5BaAg.
The experimental YouTube paylist miner is provided as an external feature that can be added to your MineMeld instrance from https://github.com/PaloAltoNetworks/youtube-miner
In this step you'll use the YouTube API Key and PlayList ID to configure the miner and generate the URL feed.
First click on "CONFIG" to expose your current configuration. In the bottom right part of the screen you'll locate the icon to access the prototype library. Open it and locate the "youtubeminer.playlistMiner" prototype.
Click on it and create a new prototype from that base
Fill the form using your YouTube API Key and Playlist ID from Steps 2 & 3.
The next step is to add the recently created prototype as an engine node. To achieve this just go back to the prototype library, locate the recently created one and click on "CLONE".
Provide a descriptive name for the node and click on "OK" to attach it to the engine's configuration.
Next step is attach a URL processor to the engine's configuration and to connect its input to the YouTube miner node. In this case we do not need to create a new prototype. Just "CLONE" the stdlib.aggregatorURL, provide a descriptive name for the node, and bind its input to the miner.
And, finally, we must attach an output node. We can just "CLONE" the stdlib.feedHCGreen and bind its input to the aggregator we deployed in the previous step.
Now it is time to commit the configuration and to check that the output node is publishing the expected list.
This is the last step and the documentation bellow is for a "green field" deployment and must be taken as guidance to modify your existing policy to provide this use case.
First of all a SSL decryption rule is needed to expose the URL details inside the YouTube application. In this example we're enabling "forward proxy" decryption for all SSL sessions from "trust" to "untrust" for the URL category "streaming-media" which the YouTube application belongs to. If this is your first time with the SSL Decryption feature then look in the PANOS Knowledge Base for articles on how to configure it (Trust CA Certificates, Decryption Profiles, etc.)
You might want, as well, to deny the application named "quic". It maps to the experimental protocol used by Google's Chrome browser when accessing Google services like YouTube. Denying this application will force the browser to fail back to TLS and avoid Chrome user bypassing the decryption policy.
Next we need a "custom URL category" that targets the "www.youtube.com/watch" URL and a URL Filtering Profile that blocks it.
We will use the URL Filtering profile in the first rule that enables "google-base" and also in the first rule that enables "youtube-base". If you do not have such a rules then just create a new one as shown in the following screen capture.
At this moment in time you might want to check that the YouTube application logic has been broken. Go to www.youtube.com. You should be able to navigate the application but a URL Filtering Block page will be shown as soon as you attempt to playback any given video.
Now we have to configure the PAN-OS device with an External Dynamic List connected to the MineMeld output feed created in the step 4.
And the corresponding URL Category must be used in a new security rule (above the previous one) to override the URL Filtering Profile for the videos in the playlist we want to enable. Note that we're using this URL Category as a matching criteria in the rule and not inside a URL Filtering Profile.
With this new configuration only the videos in the mined playlist should be enabled.