Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
daveteoh
New Contributor

fortiguard categories blocking, but allow one youtube.com?

Hi All, I'd like to block all streaming and download websites under FortiGuard categories but allow access to youtube.com, which falls under this category. I've been looking for options to configure this but can't find any. Can any sifus help me with this? Dave
hklb
Contributor II

Hello, try to do a web rating override: add www.youtube.com in custom category "custom1", and in the web filter allow the custom1 category.
Warren_Olson_FTNT

You should also be able to add a urlfilter list and add youtube.com with status of allow on it.
FortiAdam

In theory you would think that would work, but I can tell you that in version 5 and above that isn't the case. If you allow in the URL filter but the FortiGuard category is set to block, the website will still get blocked. Feel free to join the discussion on this here: https://forum.fortinet.com/FindPost/112190

The OP would really be better off creating a category override for youtube.com and then allowing that category in the webfilter profile.

Warren_Olson_FTNT

Yeah, I used to use urlfilters in 4.x like this. I guess I hadn't tried in 5, and now that I have, it does seem to block regardless... thanks for the heads up.
Dave_Hall
Honored Contributor

Keep in mind that other than block and exempt, the Fortigate will still subject the request to other UTM/web filter options. This is pretty much why some things do not seem to "work as expected". (see pic)

There are a couple of problems with trying to block or allow youtube. One is that Google is using a wild-card "*.google.com" certificate for most of their web/network services, including Youtube.com. So without enabling deep "packet" inspection, the Fortigate really cannot tell by checking the domain name on the cert which google site your "users" are visiting. (Edit: of course, I am referring to https connections to youtube in the above sentence.)

The second problem is that google/youtube uses 3rd party content servers for streaming media content from local "mirrors". So simply blocking or allowing "youtube.com" at the URL or FortiGuard web filter level will not apply to those 3rd party content servers.

That said, we have had better luck using a combination "youtube FQDN/IP static group" firewall policy with an application "youtube" sensor. Haven't deployed 5.x on the fgt devices we manage, but I hear it is a lot better at detecting/managing youtube than on 4.0 MR3... especially with detecting SPDY traffic.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
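The ordering FortiAdam and Dave_Hall describe above can be sketched as a small decision model. This is an added example, not code from any poster or from Fortinet: the function names, sample hosts and category table are constructed, and the logic only mirrors the behaviour reported in this thread for 5.x.

```python
# Simplified model of the web filter ordering reported in this thread.
# Not FortiOS code; every name and value here is hypothetical/constructed.
from fnmatch import fnmatch

# Constructed sample ratings and a profile that blocks the streaming category.
FORTIGUARD_RATINGS = {
    "www.youtube.com": "Streaming Media and Download",
    "video.example": "Streaming Media and Download",
    "docs.example": "Information Technology",
}
CATEGORY_ACTIONS = {"Streaming Media and Download": "block", "custom1": "allow"}


def evaluate(host, url_filter=(), rating_overrides=None):
    """Return (verdict, reason) for one request.

    url_filter: ordered (pattern, action) pairs; action is block/exempt/allow.
    rating_overrides: host -> local category, used instead of the FortiGuard rating.
    """
    for pattern, action in url_filter:
        if fnmatch(host, pattern):
            if action == "block":
                return "blocked", "url filter block"
            if action == "exempt":
                # Terminal: later web filter checks are skipped.
                return "allowed", "url filter exempt"
            break  # "allow" only passes this stage; the category check still runs
    overrides = rating_overrides or {}
    category = overrides.get(host) or FORTIGUARD_RATINGS.get(host, "Unrated")
    if CATEGORY_ACTIONS.get(category, "allow") == "block":
        return "blocked", f"category {category}"
    return "allowed", f"category {category}"


def compare(host="www.youtube.com"):
    """Evaluate the three configurations discussed in the thread for one host."""
    return {
        "url_filter_allow": evaluate(host, url_filter=[("*youtube.com", "allow")]),
        "url_filter_exempt": evaluate(host, url_filter=[("*youtube.com", "exempt")]),
        "rating_override": evaluate(host, rating_overrides={host: "custom1"}),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in compare().items():
        print(f"{name:18} -> {verdict:8} ({reason})")
```

In this model the override changes only the category of the one host, so other hosts in the blocked category stay blocked, while exempt skips the category stage entirely.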
