Allow the YouTube channel override action to take precedence 7.0.6
In a video filter profile, when the FortiGuard category-based filter and YouTube channel override are used together, by default a video will be blocked if it matches either category or YouTube channel and the action is set to block. This enhancement enables the channel action to override the category action. A category can be blocked, but certain channels in that category can be allowed when the override-category option is enabled.
Example
In this example, all categories in the video filter are configured to be blocked. The YouTube channel filter list is configured with override-category enabled, which effectively creates an allowlist. The channel UCR6d0EiC3G4WA8-Rqji6a8g is allowed.
To configure YouTube channel override:
- Configure the YouTube channel filter:
    config videofilter youtube-channel-filter
        edit 1
            set name "vf1"
            set default-action monitor
            config entries
                edit 1
                    set comment "https://www.youtube.com/watch_v=EAyo3_zJj5c"
                    set action allow
                    set channel-id "UCR6d0EiC3G4WA8-Rqji6a8g"
                next
            end
            set override-category enable
            set log enable
        next
    end
- Configure the video filter profile:
    config videofilter profile
        edit "channel_filter_override"
            set youtube-channel-filter 1
            config fortiguard-category
                config filters
                    edit 1
                        set action block
                        set log enable
                    next
                    edit 2
                        set action block
                        set category-id 1
                        set log enable
                    next
                    edit 3
                        set action block
                        set category-id 2
                        set log enable
                    next
                    edit 4
                        set action block
                        set category-id 3
                        set log enable
                    next
                    edit 5
                        set action block
                        set category-id 4
                        set log enable
                    next
                    edit 6
                        set action block
                        set category-id 5
                        set log enable
                    next
                    edit 7
                        set action block
                        set category-id 6
                        set log enable
                    next
                    edit 8
                        set action block
                        set category-id 7
                        set log enable
                    next
                    edit 9
                        set action block
                        set category-id 8
                        set log enable
                    next
                    edit 10
                        set action block
                        set category-id 9
                        set log enable
                    next
                    edit 11
                        set action block
                        set category-id 10
                        set log enable
                    next
                end
            end
        next
    end
- Configure the firewall policy:
    config firewall policy
        edit 10
            set name "client_yt_v4"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "proxy"
            set ssl-ssh-profile "custom-deep-inspection"
            set videofilter-profile "channel_filter_override"
            set logtraffic all
            set nat enable
        next
    end
- Verify the logs. The category action is set to block and the channel action is set to allow, so video access is allowed:

    30: date=2022-05-27 time=13:40:13 eventtime=1653684013375716267 tz="-0700" logid="0348013682" type="utm" subtype="webfilter" eventtype="videofilter-channel" level="notice" vd="vdom1" msg="Video channel is allowed." policyid=10 sessionid=69958 srcip=10.1.100.11 dstip=142.251.33.78 srcport=42542 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" action="passthrough" videoinfosource="API" profile="channel_filter_override" videoid="EAyo3_zJj5c" videochannelid="UCR6d0EiC3G4WA8-Rqji6a8g" hostname="www.youtube.com" url="https://www.youtube.com/watch?v=EAyo3_zJj5c"

If the category action is changed to allow and the channel action is changed to block, the video access would be blocked.
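
The log verification step can be automated. The following is an added example, not part of the Fortinet documentation: it parses videofilter-channel log lines and reports any passthrough event under this profile whose channel ID is outside the intended allowlist. The function names are hypothetical, the first sample line is shortened from the log entry above, and the second is constructed with a placeholder channel ID rather than captured from a device.

```python
import shlex

# Channel IDs set to "allow" in youtube-channel-filter 1 (from the example config).
ALLOWED_CHANNELS = {"UCR6d0EiC3G4WA8-Rqji6a8g"}
PROFILE = "channel_filter_override"

# First line: fields copied from the log entry shown on this page (shortened).
# Second line: constructed for illustration, with a placeholder channel ID.
SAMPLE_LOGS = [
    '30: date=2022-05-27 time=13:40:13 type="utm" subtype="webfilter" '
    'eventtype="videofilter-channel" msg="Video channel is allowed." policyid=10 '
    'action="passthrough" profile="channel_filter_override" videoid="EAyo3_zJj5c" '
    'videochannelid="UCR6d0EiC3G4WA8-Rqji6a8g" hostname="www.youtube.com"',
    '31: date=2022-05-27 time=13:41:02 type="utm" subtype="webfilter" '
    'eventtype="videofilter-channel" msg="Video channel is allowed." policyid=10 '
    'action="passthrough" profile="channel_filter_override" videoid="CONSTRUCTED01" '
    'videochannelid="UC_CONSTRUCTED_PLACEHOLDER" hostname="www.youtube.com"',
]


def parse_log(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:  # skips the leading "30:" sequence number
            fields[key] = value
    return fields


def unexpected_passthrough(lines, allowed=ALLOWED_CHANNELS, profile=PROFILE):
    """Return parsed events where the profile passed a channel outside the allowlist."""
    findings = []
    for line in lines:
        ev = parse_log(line)
        if (ev.get("eventtype") == "videofilter-channel"
                and ev.get("profile") == profile
                and ev.get("action") == "passthrough"
                and ev.get("videochannelid") not in allowed):
            findings.append(ev)
    return findings


if __name__ == "__main__":
    for ev in unexpected_passthrough(SAMPLE_LOGS):
        print("unexpected allow:", ev["videochannelid"], "policy", ev["policyid"])
```

A non-empty result means the channel filter list no longer matches the allowlist that the audit expects, for example because another allow entry was added.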