07-18-2023 01:48 AM
Palo Alto URL Filtering allows blocked URL categories if one keeps refreshing the page. The issue is particularly seen with Youtube.com. We have blocked the Streaming Media category and added a Custom URL to block youtube.com. However, the web page opens after multiple refreshes. The URL Filtering monitoring logs show the traffic is blocked. However, we can access the web page.
PANOS version is 9.1.14
Appreciate it if anyone can try this behavior to see how it works in a different environment, or provide any root cause for this...
07-19-2023 02:10 AM
Hello @AbdulGafoorPP
You may consider the logic explained in the below KB to block youtube traffic:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGzCAK
07-20-2023 12:00 PM
Are you doing full SSL decryption on all your traffic or just relying on SNI for URL identification? Also, are you blocking "youtube.com/" and "*.youtube.com/" or are you blocking all of Youtube's many variations (i.e. youtu.be, video.google.com, googlevideo.com, etc.)?
Because some sites use SSL certificates for multiple FQDN names hosted on the same IPs, I have seen cases where the browser reuses an existing SSL connection for a different FQDN to the same server. So, for example, if you have blocked youtube.com by URL but ytstats.google.com is allowed via other general access rules, you might have an initial SSL connection to ytstats.google.com that is allowed (and you see the SNI "ytstats.google.com"). But then the browser reuses that same SSL connection to call the youtube.com content. If you are not decrypting the SSL then you cannot see this reuse of an existing SSL session for a different resource.
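The connection reuse described in the reply above can be audited from the defender's side. The following is an added example, not part of the original post or any Palo Alto tool: it takes (SNI, certificate SAN list) pairs from undecrypted sessions and flags allowed SNI names whose certificate also covers a blocked domain. The session data is constructed, and the function names and suffix-matching rule are assumptions.

```python
# Added example (not from the thread): find allowed, undecrypted TLS sessions
# whose server certificate also covers a blocked domain. A browser may reuse
# such a session for the blocked name, and the firewall only ever sees the SNI.

BLOCKED = ["youtube.com", "youtu.be", "googlevideo.com"]  # names from the thread

# Constructed sample: (SNI seen by the firewall, SANs of the server certificate)
SESSIONS = [
    ("ytstats.google.com", ["*.google.com", "*.youtube.com", "youtube.com", "youtu.be"]),
    ("example.org", ["example.org", "www.example.org"]),
    ("www.youtube.com", ["*.youtube.com", "youtube.com"]),
]

def under_domain(name, domain):
    """True if name (a hostname or a '*.' wildcard SAN) is domain or below it."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # Assumed matching rule: exact domain or any subdomain, on a label boundary.
    return name == domain or name.endswith("." + domain)

def is_blocked(name, blocked=BLOCKED):
    return any(under_domain(name, d) for d in blocked)

def reuse_candidates(sessions, blocked=BLOCKED):
    """Map each allowed SNI to the blocked names its certificate also covers."""
    findings = {}
    for sni, sans in sessions:
        if is_blocked(sni, blocked):
            continue  # SNI-based filtering already matches this session
        covered = sorted({s for s in sans if is_blocked(s, blocked)})
        if covered:
            findings[sni] = covered
    return findings

if __name__ == "__main__":
    for sni, names in reuse_candidates(SESSIONS).items():
        print(f"{sni}: certificate also valid for blocked {', '.join(names)}")
```

Any SNI this reports is a candidate for a decryption rule, since only decryption exposes the hostname actually requested inside the session.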
07-20-2023 08:02 PM
Hello Abdul,
As Adrian pointed out, to fully guarantee a behavior, SSL decryption will be required.
Without it, it will be best effort (for all traffic relying on SSL).
Olivier
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
08-12-2023 09:03 AM
Thank you... But we do full SSL decryption with an exception for 'play.google.com', and the environment currently uses PAN-OS 9.1.14. I have read that the 9.x versions have some limitations decrypting TLSv1.3. Will that be a reason too?
08-12-2023 09:35 AM
TAC Response:
An "offline" version of youtube is stored in the web browser!!! Due to which, the PA gateway allows this communication... Will that be a reason?
Also, I have noticed that when I set no decryption for 'play.google.com', the gateway excludes *.google.com from decryption...
08-13-2023 09:16 PM
Hello AbdulGafoorPP,
I will not comment on TAC response.
If you have SSL decryption, you can make sure that all the URLs required for youtube to be blocked (a google search "block youtube URLs" will give you a list).
Olivier