URL Filtering Category level (Streaming Media) Blocking or Custom Blocking is not working for Youtube.


L1 Bithead

Palo Alto URL Filtering allows blocked URL categories if one keeps refreshing the page. The issue is particularly seen with Youtube.com. We have blocked the Streaming Media category and a Custom URL to block youtube.com. However, the web page opens after multiple refreshes. URL Filtering monitoring logs show the traffic is blocked. However, we can access the web page.

 

PANOS version is 9.1.14 

 

Appreciate if anyone can try this behavior to see how it is working in a different environment or provide any root cause for this...

 

6 REPLIES

L4 Transporter

Hello @AbdulGafoorPP 

 

You may consider the logic explained in the below KB to block youtube traffic:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGzCAK

 

Anoopkumar
Network Security Engineer

L6 Presenter

Are you doing full SSL decryption on all your traffic or just relying on SNI for URL identification? Also, are you blocking "youtube.com/" and "*.youtube.com/" or are you blocking all of Youtube's many variations (i.e. youtu.be, video.google.com, googlevideo.com, etc.)?

 

Because some sites use SSL certificates for multiple FQDN names hosted on the same IPs, I have seen cases where the browser reuses an existing SSL connection for a different FQDN to the same server. So, for example, if you have blocked youtube.com by URL but ytstats.google.com is allowed via other general access rules, you might have an initial SSL connection to ytstats.google.com that is allowed (and you see the SNI "ytstats.google.com"). But then the browser reuses that same SSL connection to call the youtube.com content. If you are not decrypting the SSL then you cannot see this reuse of an existing SSL session for a different resource.
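
The connection reuse described above, as an added example that is not part of the original post and not Palo Alto's code: it compares what an SNI-only filter and a decrypting filter decide for one constructed connection record, and lists the certificate SANs that overlap the block list. The record, its SAN list and the helper names are assumptions, and shell-style matching stands in for the firewall's own pattern matching.

```python
from fnmatch import fnmatchcase

# Host parts of a block list like the one discussed in the thread.
# Shell-style matching is an assumption, not PAN-OS matching semantics.
BLOCKED = ["youtube.com", "*.youtube.com", "youtu.be", "*.googlevideo.com"]

def is_blocked(host):
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, p) for p in BLOCKED)

def sni_only_verdict(conn):
    """Without decryption only the ClientHello SNI is visible,
    so there is one decision for the whole connection."""
    return "block" if is_blocked(conn["sni"]) else "allow"

def decrypted_verdicts(conn):
    """With decryption each request's Host / :authority is checked on its own."""
    return [(h, "block" if is_blocked(h) else "allow") for h in conn["requests"]]

def sample_name(san):
    # Turn a wildcard SAN into one concrete name so it can be matched.
    return "any" + san[1:] if san.startswith("*.") else san

def reuse_risk(conn):
    """SANs on an allowed connection's certificate that fall under the block list.

    A non-empty result marks a connection whose SNI verdict cannot be trusted
    for everything carried over it; such destinations need decryption.
    """
    if is_blocked(conn["sni"]):
        return []
    return sorted(s for s in conn["cert_sans"] if is_blocked(sample_name(s)))

# Constructed record: SNI and SAN list as a passive sensor would log them,
# plus the per-request hosts that are only visible after decryption.
CONN = {
    "sni": "ytstats.google.com",
    "cert_sans": ["*.google.com", "*.youtube.com", "youtube.com", "*.gstatic.com"],
    "requests": ["ytstats.google.com", "www.youtube.com", "www.youtube.com"],
}

if __name__ == "__main__":
    print("SNI-only :", sni_only_verdict(CONN))
    print("decrypted:", decrypted_verdicts(CONN))
    print("SANs overlapping the block list:", reuse_risk(CONN))
```
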

L4 Transporter

Hello Abdul,

As Adrian pointed out, to fully guarantee a behavior, SSL decryption will be required.
Without it, it will be best effort (for all traffic relying on SSL).

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

Thank you... But we do full SSL decryption with an exception for 'play.google.com', and the environment currently uses PAN-OS 9.1.14. I have read that the 9.X version has some limitations in decrypting TLSv1.3. Will that be a reason too?

TAC Response:

"offline" version of youtube is stored on the web browser!!! Due to which, PA gateway allows this communication... Will that be a reason?

 

Also, I have noticed that when I set no decryption for 'play.google.com', the gateway excludes *.google.com from decryption...

Hello AbdulGafoorPP,

 

I will not comment on TAC response.

If you have SSL decryption, you can make sure that all the URLs required for youtube are blocked (a google search "block youtube URLs" will give you a list).


Olivier

PCSNE - CISSP
