
New Features

Allow the YouTube channel override action to take precedence 7.0.6


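In a video filter profile, when the FortiGuard category-based filter and the YouTube channel override are used together, by default a video is blocked if it matches either a category or a YouTube channel whose action is set to block. This enhancement enables the channel action to override the category action. A category can be blocked, but certain channels in that category can be allowed when the override-category option is enabled. Because an allow entry then takes precedence over the category block, each channel entry with the allow action is exempt from that block, so the allow entries should be limited to channels that are meant to bypass it.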

Example

In this example, all categories in the video filter are configured to be blocked. The YouTube channel filter list is configured with override-category enabled, which effectively creates an allowlist. The channel UCR6d0EiC3G4WA8-Rqji6a8g is allowed.

To configure YouTube channel override:
  1. Configure the YouTube channel filter:
    config videofilter youtube-channel-filter
        edit 1
            set name "vf1"
            set default-action monitor
            config entries
                edit 1
                    set comment "https://www.youtube.com/watch_v=EAyo3_zJj5c"
                    set action allow
                    set channel-id "UCR6d0EiC3G4WA8-Rqji6a8g"
                next
            end
            set override-category enable
            set log enable
        next
    end
  2. Configure the video filter profile:
    config videofilter profile
        edit "channel_filter_override"
            set youtube-channel-filter 1
            config fortiguard-category
                config filters
                    edit 1
                        set action block
                        set log enable
                    next
                    edit 2
                        set action block
                        set category-id 1
                        set log enable
                    next
                    edit 3
                        set action block
                        set category-id 2
                        set log enable
                    next
                    edit 4
                        set action block
                        set category-id 3
                        set log enable
                    next
                    edit 5
                        set action block
                        set category-id 4
                        set log enable
                    next
                    edit 6
                        set action block
                        set category-id 5
                        set log enable
                    next
                    edit 7
                        set action block
                        set category-id 6
                        set log enable
                    next
                    edit 8
                        set action block
                        set category-id 7
                        set log enable
                    next
                    edit 9
                        set action block
                        set category-id 8
                        set log enable
                    next
                    edit 10
                        set action block
                        set category-id 9
                        set log enable
                    next
                    edit 11
                        set action block
                        set category-id 10
                        set log enable
                    next
                end
            end
        next
    end
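  3. Configure the firewall policy. The policy below applies the video filter profile with proxy inspection mode and a deep-inspection SSL profile. Its source address, destination address, and service are left at all/ALL for the example; in a production policy, scope them to the clients and traffic the filter is meant to cover: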
    config firewall policy
        edit 10
            set name "client_yt_v4"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "proxy"
            set ssl-ssh-profile "custom-deep-inspection"
            set videofilter-profile "channel_filter_override"
            set logtraffic all
            set nat enable
        next
    end
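  4. Verify the logs. The category action is set to block and the channel action is set to allow, so video access is allowed. In the log entry, eventtype="videofilter-channel" and msg="Video channel is allowed." indicate that the match came from the channel filter, action="passthrough" shows that the video was passed, and videochannelid is the channel ID configured in the allow entry: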
    30: date=2022-05-27 time=13:40:13 eventtime=1653684013375716267 tz="-0700" logid="0348013682" type="utm" subtype="webfilter" eventtype="videofilter-channel" level="notice" vd="vdom1" msg="Video channel is allowed." policyid=10 sessionid=69958 srcip=10.1.100.11 dstip=142.251.33.78 srcport=42542 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" action="passthrough" videoinfosource="API" profile="channel_filter_override" videoid="EAyo3_zJj5c" videochannelid="UCR6d0EiC3G4WA8-Rqji6a8g" hostname="www.youtube.com" url="https://www.youtube.com/watch?v=EAyo3_zJj5c"
    Note

    If the category action is changed to allow and the channel action is changed to block, access to the video is blocked.

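In a video filter profile, when the FortiGuard category-based filter and the YouTube channel override are used together, by default a video is blocked if it matches either a category or a YouTube channel whose action is set to block. This enhancement enables the channel action to override the category action. A category can be blocked, but certain channels in that category can be allowed when the override-category option is enabled. Because an allow entry then takes precedence over the category block, each channel entry with the allow action is exempt from that block, so the allow entries should be limited to channels that are meant to bypass it.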

Example

In this example, all categories in the video filter are configured to be blocked. The YouTube channel filter list is configured with override-category enabled, which effectively creates an allowlist. The channel UCR6d0EiC3G4WA8-Rqji6a8g is allowed.

To configure YouTube channel override:
  1. Configure the YouTube channel filter:
    config videofilter youtube-channel-filter
        edit 1
            set name "vf1"
            set default-action monitor
            config entries
                edit 1
                    set comment "https://www.youtube.com/watch_v=EAyo3_zJj5c"
                    set action allow
                    set channel-id "UCR6d0EiC3G4WA8-Rqji6a8g"
                next
            end
            set override-category enable
            set log enable
        next
    end
  2. Configure the video filter profile:
    config videofilter profile
        edit "channel_filter_override"
            set youtube-channel-filter 1
            config fortiguard-category
                config filters
                    edit 1
                        set action block
                        set log enable
                    next
                    edit 2
                        set action block
                        set category-id 1
                        set log enable
                    next
                    edit 3
                        set action block
                        set category-id 2
                        set log enable
                    next
                    edit 4
                        set action block
                        set category-id 3
                        set log enable
                    next
                    edit 5
                        set action block
                        set category-id 4
                        set log enable
                    next
                    edit 6
                        set action block
                        set category-id 5
                        set log enable
                    next
                    edit 7
                        set action block
                        set category-id 6
                        set log enable
                    next
                    edit 8
                        set action block
                        set category-id 7
                        set log enable
                    next
                    edit 9
                        set action block
                        set category-id 8
                        set log enable
                    next
                    edit 10
                        set action block
                        set category-id 9
                        set log enable
                    next
                    edit 11
                        set action block
                        set category-id 10
                        set log enable
                    next
                end
            end
        next
    end
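  3. Configure the firewall policy. The policy below applies the video filter profile with proxy inspection mode and a deep-inspection SSL profile. Its source address, destination address, and service are left at all/ALL for the example; in a production policy, scope them to the clients and traffic the filter is meant to cover: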
    config firewall policy
        edit 10
            set name "client_yt_v4"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "proxy"
            set ssl-ssh-profile "custom-deep-inspection"
            set videofilter-profile "channel_filter_override"
            set logtraffic all
            set nat enable
        next
    end
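  4. Verify the logs. The category action is set to block and the channel action is set to allow, so video access is allowed. In the log entry, eventtype="videofilter-channel" and msg="Video channel is allowed." indicate that the match came from the channel filter, action="passthrough" shows that the video was passed, and videochannelid is the channel ID configured in the allow entry: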
    30: date=2022-05-27 time=13:40:13 eventtime=1653684013375716267 tz="-0700" logid="0348013682" type="utm" subtype="webfilter" eventtype="videofilter-channel" level="notice" vd="vdom1" msg="Video channel is allowed." policyid=10 sessionid=69958 srcip=10.1.100.11 dstip=142.251.33.78 srcport=42542 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" action="passthrough" videoinfosource="API" profile="channel_filter_override" videoid="EAyo3_zJj5c" videochannelid="UCR6d0EiC3G4WA8-Rqji6a8g" hostname="www.youtube.com" url="https://www.youtube.com/watch?v=EAyo3_zJj5c"
    Note

    If the category action is changed to allow and the channel action is changed to block, access to the video is blocked.