Wednesday, 24 May 2017

How to Allow a Single YouTube Video and Block All Other Videos in Palo Alto


In this example we want to allow only this one YouTube video: https://www.youtube.com/watch?v=hHiRb8t2hLM, and block the rest of YouTube.
Follow these steps to accomplish this.

Steps

  1. Block streaming-media in your URL Filtering Profile. To get there in the WebGUI, go to Objects > Security Profiles > URL Filtering and click on the URL Filtering profile you would like to use.
    URL Filtering Profile detail showing Streaming-Media being set to Block.
  2. Create a Custom URL Category from Objects > Custom Objects > URL Category
    Your Custom URL Category must include the following entries:

    *.youtube.com
    *.googlevideo.com
    www.youtube-nocookie.com

    ... this will make sure that any YouTube page or content you go to is decrypted, so that the full HTTP GET can be read.
    Custom URL Category showing the needed domains.
  3. Add a decryption policy of type SSL Forward Proxy. The decryption policy must be tied to your Custom URL Category in the "Service/URL Category" tab.
    Please see the following article about configuring SSL Decryption:
    How to Implement and Test SSL Decryption 
  4. Go to your URL Filtering profile and add the following URLs to the Allow list:

    www.youtube.com/watch?v=hHiRb8t2hLM
    *.googlevideo.com

    ... the first entry is the URL for the container page itself; *.googlevideo.com then allows the media that is fetched from that container page out of Google's content CDN at *.googlevideo.com.

    Also, make sure that the custom URL category you created is "allowed" inside of the URL filtering profile.
    URL filtering profile detail showing the allowed URL List.
  5. Commit and test.
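
The following added example (not part of the original article and not PAN-OS code) models why step 3 is required: it evaluates the step 4 allow list against what the filter can see with and without decryption. The matching rules, the function names and the sample requests are assumptions made for illustration, and every request that misses the allow list is assumed to fall into the blocked streaming-media category.

```python
import re
from urllib.parse import urlsplit

# Allow list exactly as entered in step 4.
ALLOW_LIST = ["www.youtube.com/watch?v=hHiRb8t2hLM", "*.googlevideo.com"]


def visible_url(url, decrypted):
    """Return what the URL filter can inspect for an HTTPS request.

    Without SSL Forward Proxy only the hostname is visible; with decryption
    the full HTTP GET (host, path and query) can be read.
    """
    parts = urlsplit(url)
    if not decrypted:
        return parts.hostname
    query = "?" + parts.query if parts.query else ""
    return parts.hostname + parts.path + query


def entry_matches(entry, seen):
    """Simplified matching (assumption, not the PAN-OS engine):
    '*' stands for one or more host labels, and an entry matches when the
    inspected URL equals it or continues after it with '/', '?' or '&'.
    """
    pattern = re.escape(entry).replace(r"\*", r"[^/?&=;+]+")
    return re.fullmatch(pattern + r"(?:[/?&].*)?", seen) is not None


def verdict(url, decrypted):
    """'allow' if an allow-list entry matches, else 'block' (streaming-media, step 1)."""
    seen = visible_url(url, decrypted)
    return "allow" if any(entry_matches(e, seen) for e in ALLOW_LIST) else "block"


if __name__ == "__main__":
    samples = [  # constructed sample requests
        "https://www.youtube.com/watch?v=hHiRb8t2hLM",
        "https://www.youtube.com/watch?v=AAAAAAAAAAA",
        "https://r1---sn-example.googlevideo.com/videoplayback?id=abc",
    ]
    for url in samples:
        for decrypted in (True, False):
            print(f"decrypted={decrypted!s:5} {verdict(url, decrypted):5} {url}")
```

In this model the allowed video is blocked when traffic is not decrypted, because only `www.youtube.com` is visible and the container-page entry cannot match. The `*.googlevideo.com` entry matches on hostname alone, so the restriction to one video rests entirely on the container-page entry.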
