In some cases you might be asked to enable the YouTube application, but only for a small set of videos or for the ones in a given playlist. MineMeld includes an experimental miner prototype that can extract the video items in a YouTube playlist and convert them into a URL list that can be imported into your Internet Gateway Palo Alto Networks Firewall to achieve such a goal.
Theory of operations
There are three components that are needed to implement this use case:
A running MineMeld instance
A Google account and a YouTube Data API v3 key (can be obtained for free from console.cloud.google.com)
An Internet Gateway PANOS device
The YouTube miner will use the provided API Key and the PlayList unique ID to grab the list of videos. They will be converted into a set of URLs (https://www.youtube.com/watch?v=...) that can be aggregated and placed into an output feed.
If you need additional videos then you can add a stdlib.listUrl miner node and manage your own exceptions.
The security policy in the FW will need two rules:
A bottom rule enabling google-base and youtube-base with a URL filtering profile blocking the URL "www.youtube.com/watch". This way, although the streaming of videos is enabled, the YouTube application logic is broken at the time the user requests a given playback (/watch?v=...)
An upper rule overriding the URL filter for the list of videos provided by the MineMeld feed
An SSL decryption rule is needed to allow the FW full access to the URL details to successfully apply the filters.
Make note of MineMeld's IP address (from an ifconfig) and log in from your browser (defaults to username: admin / password: minemeld)
Step 2. Get your YouTube Data API v3 key
Connect to https://console.cloud.google.com and log in with your Google Account. If this is the first time you access the cloud console then an empty dashboard will be shown.
Navigate to the API Manager -> Library and then click on YouTube Data API.
You can also attach the YouTube API to any existing project. If this is your first time or if you do not have any project then you must create a new one. Each Google Account is provided with a quota of up to 12 projects for free.
After clicking the "Create" button you will be sent back to the YouTube Data API screen where you must click on "Manage" to allow this project to access YouTube data. Once enabled, the "Create credential" button will be shown for you to move on.
Fill the form as shown in the following screen capture and click on "What credentials do I need?" to disclose the API key.
This is the API Key you'll be asked for in Step 4, so copy it to a safe place.
Step 3. Get the ID of the YouTube playlist you want to mine.
This is the easiest part. We'll cover three common demands:
Videos from a known PlayList
Videos on a specific YouTube channel
Videos uploaded by a known User
In the first case, where you already know the playlist, just navigate YouTube until you reach the playlist you want to enable and copy its ID from the URL.
The following screen captures are for the Lightboard Series playlist in the Palo Alto Networks channel.
If you need to get the videos from a specific channel, then you can take advantage of an "under-the-hood" mapping in YouTube between the Channel ID and its corresponding Upload Playlist ID. Let's take, as an example, the Live Community Channel in Palo Alto Networks' YouTube Account.
This channel's ID is UCPRouchFt58TZnjoI65aelA so its corresponding upload playlist ID (containing the 87 videos uploaded to this channel) will be UUPRouchFt58TZnjoI65aelA. In other words: you just need to replace the second character "C" with a "U".
Something equivalent happens for YouTube users. Each user in YouTube has an internal Channel ID that, if transformed, becomes the user's upload PlayList ID. To display any YouTube user's internal Channel ID just play a video from that user and click on the user's name.
In this case we're using the Palo Alto Networks YouTube user as an example. Click on the user name to navigate to the YouTube user profile page. Note in the URL the Channel ID for this user.
In this case the Channel ID for the Palo Alto Networks user is UC2UPStk47kvhBn8P7Q5BaAg and its corresponding upload playlist ID (containing all videos uploaded by this user) will be UU2UPStk47kvhBn8P7Q5BaAg.
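The Channel ID mapping from Step 3 and the playlist-to-URL conversion described in the theory of operations, as an added Python example (not MineMeld's own miner code). It assumes the YouTube Data API v3 playlistItems.list response layout; fetch_page, fake_fetch and the sample video IDs are hypothetical names and constructed values.

```python
import re
from urllib.parse import urlencode

API = "https://www.googleapis.com/youtube/v3/playlistItems"
# Assumed ID shapes: 24-character channel IDs, 11-character video IDs.
CHANNEL_ID = re.compile(r"UC[A-Za-z0-9_-]{22}")
VIDEO_ID = re.compile(r"[A-Za-z0-9_-]{11}")

def uploads_playlist_id(channel_id):
    """Map a channel ID (UC...) to its uploads playlist ID (UU...)."""
    if not CHANNEL_ID.fullmatch(channel_id):
        raise ValueError("not a channel ID: %r" % channel_id)
    return "UU" + channel_id[2:]

def request_url(api_key, playlist_id, page_token=None):
    """Build one playlistItems.list request; the key rides in the query string."""
    params = {"part": "contentDetails", "playlistId": playlist_id,
              "maxResults": 50, "key": api_key}
    if page_token:
        params["pageToken"] = page_token
    return API + "?" + urlencode(params)

def watch_urls(fetch_page, api_key, playlist_id):
    """Follow nextPageToken and return sorted, de-duplicated watch URLs.
    Items without a well-formed video ID never reach the feed."""
    urls, token = set(), None
    while True:
        # fetch_page(url) is a hypothetical callable returning decoded JSON.
        page = fetch_page(request_url(api_key, playlist_id, token))
        for item in page.get("items", []):
            vid = item.get("contentDetails", {}).get("videoId", "")
            if VIDEO_ID.fullmatch(vid):
                urls.add("https://www.youtube.com/watch?v=" + vid)
        token = page.get("nextPageToken")
        if not token:
            return sorted(urls)

# Constructed two-page sample response, used instead of a live API call.
SAMPLE_PAGES = {
    None: {"items": [{"contentDetails": {"videoId": "AAAAAAAAAA1"}},
                     {"contentDetails": {"videoId": "BBBBBBBBBB2"}}],
           "nextPageToken": "PAGE2"},
    "PAGE2": {"items": [{"contentDetails": {"videoId": "AAAAAAAAAA1"}},
                        {"contentDetails": {}}]},
}

def fake_fetch(url):
    """Stand-in for an HTTPS GET: selects the sample page by pageToken."""
    m = re.search(r"pageToken=([^&]+)", url)
    return SAMPLE_PAGES[m.group(1) if m else None]
```

Because the API key is part of each request URL, keep those URLs out of proxy and application logs.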
In this step you'll use the YouTube API Key and PlayList ID to configure the miner and generate the URL feed.
First click on "CONFIG" to expose your current configuration. In the bottom right part of the screen you'll locate the icon to access the prototype library. Open it and locate the "youtubeminer.playlistMiner" prototype.
Click on it and create a new prototype from that base
Fill the form using your YouTube API Key and Playlist ID from Steps 2 & 3.
The next step is to add the recently created prototype as an engine node. To achieve this just go back to the prototype library, locate the recently created one and click on "CLONE".
Provide a descriptive name for the node and click on "OK" to attach it to the engine's configuration.
The next step is to attach a URL processor to the engine's configuration and to connect its input to the YouTube miner node. In this case we do not need to create a new prototype. Just "CLONE" the stdlib.aggregatorURL, provide a descriptive name for the node, and bind its input to the miner.
And, finally, we must attach an output node. We can just "CLONE" the stdlib.feedHCGreen and bind its input to the aggregator we deployed in the previous step.
Now it is time to commit the configuration and to check that the output node is publishing the expected list.
Step 5. Configure the PAN-OS Internet Gateway device
This is the last step. The documentation below is for a "green field" deployment and must be taken as guidance to modify your existing policy to provide this use case.
First of all, an SSL decryption rule is needed to expose the URL details inside the YouTube application. In this example we're enabling "forward proxy" decryption for all SSL sessions from "trust" to "untrust" for the URL category "streaming-media", which the YouTube application belongs to. If this is your first time with the SSL Decryption feature then look in the PANOS Knowledge Base for articles on how to configure it (Trust CA Certificates, Decryption Profiles, etc.)
You might want, as well, to deny the application named "quic". It maps to the experimental protocol used by Google's Chrome browser when accessing Google services like YouTube. Denying this application will force the browser to fall back to TLS and prevent Chrome users from bypassing the decryption policy.
Next we need a "custom URL category" that targets the "www.youtube.com/watch" URL and a URL Filtering Profile that blocks it.
We will use the URL Filtering profile in the first rule that enables "google-base" and also in the first rule that enables "youtube-base". If you do not have such rules then just create a new one as shown in the following screen capture.
At this point you might want to check that the YouTube application logic has been broken. Go to www.youtube.com. You should be able to navigate the application but a URL Filtering Block page will be shown as soon as you attempt to play back any given video.
Now we have to configure the PAN-OS device with an External Dynamic List connected to the MineMeld output feed created in Step 4.
The corresponding URL Category must then be used in a new security rule (above the previous one) to override the URL Filtering Profile for the videos in the playlist we want to enable. Note that we're using this URL Category as a match criterion in the rule and not inside a URL Filtering Profile.
With this new configuration only the videos in the mined playlist should be enabled.