Fortinet black logo

Administration Guide

Top application: YouTube example

Top application: YouTube example

Monitoring network traffic with SSL deep inspection

This example of monitors network traffic for YouTube using FortiView Applications view with SSL deep inspection.

To monitor network traffic with SSL deep inspection:
  1. Use a firewall policy with the following settings. If necessary, create a policy with these settings.
    • Application Control is enabled.
    • SSL Inspection is set to deep-inspection.
    • Log Allowed Traffic is set to All Sessions.

  2. Go to Security Profiles > Application Control.
  3. Select a relative Application Control profile used by the firewall policy and click Edit.
  4. Because YouTube cloud applications are categorized into Video/Audio, ensure the Video/Audio category is monitored.

    Monitored categories are indicate by an eye icon.

  5. Click View Application Signatures and hover over YouTube cloud applications to view detailed information about YouTube application sensors.
  6. Expand YouTube to view the Application Signatures associated with the application.

    Application Signature

    Description

    Application ID

    YouTube_Video.Access

    An attempt to access a video on YouTube.

    16420

    YouTube_Channel.ID

    An attempt to access a video on a specific channel on YouTube.

    44956

    YouTube_Comment.Posting

    An attempt to post comments on YouTube.

    31076

    YouTube_HD.Streaming

    An attempt to watch HD videos on YouTube.

    33104

    YouTube_Messenger

    An attempt to access messenger on YouTube.

    47858

    YouTube_Video.Play

    An attempt to download and play a video from YouTube.

    38569

    YouTube_Video.Upload

    An attempt to upload a video to YouTube.

    22564

    YouTube

    An attempt to access YouTube.

    This application sensor does not depend on SSL deep inspection so it does not have a cloud or lock icon.

    31077

    YouTube_Channel.Access

    An attempt to access a video on a specific channel on YouTube.

    41598

    Tooltip

    To view the application signature description, click the ID link in the information window.

  7. On the test PC, log into YouTube and play some videos.
  8. On the FortiGate, go to Log & Report > Application Control and look for log entries for browsing and playing YouTube videos.

    In this example, note the Application User and Application Details. Also note that the Application Control ID is 38569 showing that this entry was triggered by the application sensor YouTube_Video.Play.

  9. Go to Dashboard > FortiView Applications.
  10. In the FortiView Applications dashboard, double-click YouTube to view the drilldown information.
  11. Select the Sessions tab to see all the entries for the videos played. Check the sessions for YouTube_Video.Play with the ID 38569.

Monitoring network traffic without SSL deep inspection

This example of monitors network traffic for YouTube using FortiView cloud application view without SSL deep inspection.

To monitor network traffic without SSL deep inspection:
  1. Use a firewall policy with the following settings. If necessary, create a policy with these settings.
    • Application Control is enabled.
    • SSL Inspection is set to certificate-inspection.
    • Log Allowed Traffic is set to All Sessions.

  2. On the test PC, log into YouTube and play some videos.
  3. On the FortiGate, go to Log & Report > Application Control and look for log entries for browsing and playing YouTube videos.

    In this example, the log shows only applications with the name YouTube. The log cannot show YouTube application sensors which rely on SSL deep inspection.

  4. Go to Dashboard > FortiView Applications.

    The FortiView Cloud Application by Bytes dashboard shows the YouTube cloud application without the video played information that requires SSL deep inspection.

  5. Double-click YouTube and click the Sessions tab.

    These sessions were triggered by the application sensor YouTube with the ID 31077. This is the application sensor with cloud behavior which does not rely on SSL deep inspection.

Top application: YouTube example

Top application: YouTube example

Monitoring network traffic with SSL deep inspection

This example of monitors network traffic for YouTube using FortiView Applications view with SSL deep inspection.

To monitor network traffic with SSL deep inspection:
  1. Use a firewall policy with the following settings. If necessary, create a policy with these settings.
    • Application Control is enabled.
    • SSL Inspection is set to deep-inspection.
    • Log Allowed Traffic is set to All Sessions.

  2. Go to Security Profiles > Application Control.
  3. Select a relative Application Control profile used by the firewall policy and click Edit.
  4. Because YouTube cloud applications are categorized into Video/Audio, ensure the Video/Audio category is monitored.

    Monitored categories are indicate by an eye icon.

  5. Click View Application Signatures and hover over YouTube cloud applications to view detailed information about YouTube application sensors.
  6. Expand YouTube to view the Application Signatures associated with the application.

    Application Signature

    Description

    Application ID

    YouTube_Video.Access

    An attempt to access a video on YouTube.

    16420

    YouTube_Channel.ID

    An attempt to access a video on a specific channel on YouTube.

    44956

    YouTube_Comment.Posting

    An attempt to post comments on YouTube.

    31076

    YouTube_HD.Streaming

    An attempt to watch HD videos on YouTube.

    33104

    YouTube_Messenger

    An attempt to access messenger on YouTube.

    47858

    YouTube_Video.Play

    An attempt to download and play a video from YouTube.

    38569

    YouTube_Video.Upload

    An attempt to upload a video to YouTube.

    22564

    YouTube

    An attempt to access YouTube.

    This application sensor does not depend on SSL deep inspection so it does not have a cloud or lock icon.

    31077

    YouTube_Channel.Access

    An attempt to access a video on a specific channel on YouTube.

    41598

    Tooltip

    To view the application signature description, click the ID link in the information window.

  7. On the test PC, log into YouTube and play some videos.
  8. On the FortiGate, go to Log & Report > Application Control and look for log entries for browsing and playing YouTube videos.

    In this example, note the Application User and Application Details. Also note that the Application Control ID is 38569 showing that this entry was triggered by the application sensor YouTube_Video.Play.

  9. Go to Dashboard > FortiView Applications.
  10. In the FortiView Applications dashboard, double-click YouTube to view the drilldown information.
  11. Select the Sessions tab to see all the entries for the videos played. Check the sessions for YouTube_Video.Play with the ID 38569.

Monitoring network traffic without SSL deep inspection

This example of monitors network traffic for YouTube using FortiView cloud application view without SSL deep inspection.

To monitor network traffic without SSL deep inspection:
  1. Use a firewall policy with the following settings. If necessary, create a policy with these settings.
    • Application Control is enabled.
    • SSL Inspection is set to certificate-inspection.
    • Log Allowed Traffic is set to All Sessions.

  2. On the test PC, log into YouTube and play some videos.
  3. On the FortiGate, go to Log & Report > Application Control and look for log entries for browsing and playing YouTube videos.

    In this example, the log shows only applications with the name YouTube. The log cannot show YouTube application sensors which rely on SSL deep inspection.

  4. Go to Dashboard > FortiView Applications.

    The FortiView Cloud Application by Bytes dashboard shows the YouTube cloud application without the video played information that requires SSL deep inspection.

  5. Double-click YouTube and click the Sessions tab.

    These sessions were triggered by the application sensor YouTube with the ID 31077. This is the application sensor with cloud behavior which does not rely on SSL deep inspection.