Administration Guide

Filtering based on FortiGuard categories

Video filtering is available only in proxy-based inspection mode. It uses the WAD daemon to inspect the video in four phases:

  1. When the WAD receives a video query from a client, it extracts the video ID (vid) and looks up the category and channel in the local cache.
  2. If there is no match in the local cache, it connects to the FortiGuard video rating server to query the video category.
  3. If the FortiGuard rating fails, it uses the videofilter.youtube-key to communicate with the Google API server to get the video's category and channel ID. This is the API query setting, and it requires the user's own YouTube API key string. This configuration is optional.
  4. If all of the previous steps fail to match the video, the WAD calls on the IPS engine to match the video ID and channel ID from the application signature database.
Note: The FortiGuard anycast service must be enabled to use this feature.

In the following example, a new video filter profile is created to block the Knowledge category.

Tip: In the firewall policy settings, the default application control profile is recommended because it blocks QUIC traffic. Many Google services use the QUIC protocol on UDP/443. By blocking QUIC, YouTube will use standard HTTPS TCP/443 connections.

To configure a video filter based on FortiGuard categories in the GUI:
  1. Create the video filter profile:
    1. Go to Security Profiles > Video Filter and click Create New.
    2. Enter a name (category_filter).
    3. In the FortiGuard Category Based Filter section, set the Knowledge category Action to Block.
    4. Click OK.
  2. Create the firewall policy:
    1. Enter the following:

      Incoming Interface: port2
      Outgoing Interface: port1
      Source: All
      Destination: All
      Service: All
      Inspection Mode: Proxy-based
      NAT: Enable
      Video Filter: Enable and select category_filter
      Application Control: Enable and select default
      SSL Inspection: deep-inspection
      Log Allowed Traffic: All Sessions

    2. Configure the other settings as needed and click OK.
To configure a video filter based on FortiGuard categories in the CLI:
  1. Create the video filter profile:
    config videofilter profile
        edit "category_filter"
            config fortiguard-category
                edit 5
                    set action block
                    set category-id 4
                    set log enable
                next
            end
        next
    end 
  2. Create the firewall policy:
    config firewall policy
        edit 10
            set name "client_yt_v4"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set application-list "default"
            set videofilter-profile "category_filter"
            set logtraffic all
            set nat enable
        next
    end
To configure the YouTube API key (optional):
config videofilter youtube-key
    edit 1
        set key ********
        set status enable
    next
end

Verifying that the video is blocked

When a user browses to YouTube and selects a video in the Knowledge category, a replacement message appears. The replacement message says the URL is blocked and displays the URL of the YouTube video. On the FortiGate, verify the forward traffic and web filter logs.

Sample forward traffic log
2: date=2021-04-27 time=15:27:13 eventtime=1619562433424944288 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.11 srcport=60628 srcintf="port2" srcintfrole="undefined" dstip=172.217.3.206 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=8230 proto=6 action="client-rst" policyid=10 policytype="policy" poluuid="a5e991ba-a799-51eb-4efe-ce32b9f70b75" policyname="client_yt_v4" service="HTTPS" trandisp="snat" transip=172.16.200.1 transport=60628 duration=95 sentbyte=3546 rcvdbyte=21653 sentpkt=24 rcvdpkt=34 appcat="unscanned" wanin=2152 wanout=2290 lanin=2000 lanout=2000 utmaction="block" countweb=3 utmref=65532-0
Sample web filter log
1: date=2021-04-27 time=15:25:37 eventtime=1619562338128550236 tz="-0700" logid="0347013664" type="utm" subtype="webfilter" eventtype="videofilter-category" level="warning" vd="vdom1" msg="Video category is blocked." policyid=10 sessionid=8230 srcip=10.1.100.11 dstip=172.217.3.206 srcport=60628 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" action="blocked" videoinfosource="Cache" profile="category_filter" videoid="EAyo3_zJj5c" videocategoryid=4 hostname="www.youtube.com" url="https://www.youtube.com/watch?v=EAyo3_zJj5c"
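
The two sample logs share sessionid=8230 and policyid=10, so a block can be confirmed by joining the video filter event to its forward traffic record. The following is an added example, not Fortinet code: it parses abridged copies of the sample lines above, joins them on those two fields, and reports which source rated the video (videoinfosource). The function names are hypothetical, and only fields visible in the samples are used.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Abridged copies of the two sample log lines above (some fields trimmed).
SAMPLE_LOGS = [
    '2: date=2021-04-27 time=15:27:13 type="traffic" subtype="forward" '
    'srcip=10.1.100.11 dstip=172.217.3.206 dstport=443 sessionid=8230 '
    'action="client-rst" policyid=10 policyname="client_yt_v4" '
    'service="HTTPS" appcat="unscanned" utmaction="block" countweb=3',
    '1: date=2021-04-27 time=15:25:37 type="utm" subtype="webfilter" '
    'eventtype="videofilter-category" msg="Video category is blocked." '
    'policyid=10 sessionid=8230 srcip=10.1.100.11 action="blocked" '
    'videoinfosource="Cache" profile="category_filter" '
    'videoid="EAyo3_zJj5c" videocategoryid=4 hostname="www.youtube.com" '
    'url="https://www.youtube.com/watch?v=EAyo3_zJj5c"',
]

# key=value pairs; a value is either double-quoted or runs to the next space.
FIELD_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')


def parse_fortigate_log(line):
    """Return the key=value fields of one log line as a dict."""
    return {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}


def correlate_video_blocks(lines):
    """Join each videofilter UTM event to the traffic log of the same session."""
    events = [parse_fortigate_log(line) for line in lines]
    traffic = {(e.get("policyid"), e.get("sessionid")): e
               for e in events if e.get("type") == "traffic"}
    findings = []
    for e in events:
        if not e.get("eventtype", "").startswith("videofilter"):
            continue
        session = traffic.get((e.get("policyid"), e.get("sessionid")), {})
        url_vid = parse_qs(urlsplit(e.get("url", "")).query).get("v", [None])[0]
        findings.append({
            "videoid": e.get("videoid"),
            "url_matches_videoid": url_vid == e.get("videoid"),
            "category": e.get("videocategoryid"),
            "rated_by": e.get("videoinfosource"),
            "profile": e.get("profile"),
            "policy": session.get("policyname"),
            "session_blocked": session.get("utmaction") == "block",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_video_blocks(SAMPLE_LOGS):
        print(finding)
```

A video filter event with no matching traffic record, or one whose traffic record lacks utmaction="block", comes back with session_blocked set to False and is worth a closer look.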

Troubleshooting and debugging

To verify if the FortiGuard video filtering license is valid:
# get system fortiguard

fortiguard-anycast  : enable
fortiguard-anycast-source: debug
protocol            : https
port                : 443
...
webfilter-license   : Contract
webfilter-expiration: Fri Dec 13 2030
...
videofilter-license : Contract
videofilter-expiration: Fri Dec 13 2030

The videofilter license should be synchronized with the webfilter license.

To verify the WAD worker is running:
# diagnose test app wad 1000
Process [0]: WAD manager type=manager(0) pid=232 diagnosis=yes.
Process [1]: type=worker(2) index=0 pid=294 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
...
Process [6]: type=YouTube-filter-cache-service(9) index=0 pid=290 state=running
              diagnosis=no debug=enable valgrind=unsupported/disabled
...
To display and debug the video filter cache:
# diagnose test app wad ?
....
        321:  Display Video Filter Cache stats.
        322:  Reset Video Filter Cache stats.  
        323:  Flush Video Filter Cache entries. 
        324:  Display Video Filter module stats.   
        325:  Request category list from Youtube API.
        326:  Display FTGD agent module stats.      
        327:  Reset FTGD agent module stats.     
        328:  Toggle Video Filter Cache Check.
        329:  Toggle Video Filter FTGD Query.     
        330:  Toggle Video Filter API Check.
To enable real-time WAD debugs:
# diagnose wad debug enable level verbose
# diagnose wad debug enable category video
# diagnose debug enable
Sample output
[p:274][s:8754][r:186] wad_http_req_exec_video_filter_check(167): hreq=0x7f1184f288e0, check video filter check videofilter
[p:274][s:8754][r:186] wad_vf_req_submit(1869): node=0x7f1186694640, ctx=0x7f118502d1f8, youtube_channel_filter_id=0
[p:274][s:8754][r:186] wad_vf_match_pattern_cb(1551): ctx=0x7f118502d1f8 matched type video
[p:274][s:8754][r:186] wad_vf_extract_video_id(297): str='v=EAyo3_zJj5c', start='v=', end='&'
[p:274][s:8754][r:186] wad_vf_extract_video_id(297): str='v=EAyo3_zJj5c', start='v=', end=''
[p:274][s:8754][r:186] wad_vf_extract_video_id(322): video-id: start=2, end=13
[p:274][s:8754][r:186] wad_vf_sync_task_trigger_async_task(1602): extracted vid=EAyo3_zJj5c ctx=0x7f118502d1f8
[p:274][s:8754][r:186] wad_vf_sync_task_trigger_async_task(1622): video filter ctx=0x7f118502d1f8 creates new task=0x7f118657e7a0
[p:274][s:8754][r:186] wad_vfc_client_lookup(159): oid=15194313278609724406
[p:274][s:8754][r:186] wad_vfc_core_lookup(277): youtube-filter-cache core(0x7f11864d2078) found the item!
[p:274][s:8754][r:186] wad_vfc_client_lookup(174): local lookup: ret=0 result=hit, hit_cnt=51
local hit item, item's value:
  oid=15194313278609724406
  vid="EAyo3_zJj5c"
  category="4"
  title="Youtube Data API V3 Video Search Example"
  channel="UCR6d0EiC3G4WA8-Rqji6a8g"
  desc(first 100 characters)="Youtube Data API V3 Video Search Example

Welcome Folks My name is Gautam and Welcome to Coding Shik......"
[p:274][s:8754][r:186] wad_vf_task_proc_cache_resp(1048): vf filter cache hit, item=0x7f116dacc060
[p:274][s:8754][r:186] wad_vf_async_task_run(1491): end of async task ret=0
[p:274][s:8754][r:186] wad_vf_sync_task_proc_async_result(1686): task=0x7f118657e7a0 item=0x7f116dacc060
[p:274][s:8754][r:186] wad_vf_sync_task_proc_async_result(1721): ctx(0x7f118502d1f8) channel UCR6d0EiC3G4WA8-Rqji6a8g not match
[p:274][s:8754][r:186] wad_vf_sync_task_proc_async_result(1733): ctx(0x7f118502d1f8) category result is block
[p:274][s:8754][r:186] wad_vfc_client_add(230): oid=15194313278609724406
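
Verbose WAD output is easier to triage when reduced to one record per request: the extracted video ID, whether the local cache answered, and the final verdict. The following is an added example, not Fortinet code. It uses a subset of the sample output above as input and treats the [p][s][r] prefix as an opaque grouping key, which is an assumption because the page does not define those fields. The regular expressions cover only the message shapes visible in the sample.

```python
import re

# Subset of the sample output above (cache item dump abridged).
WAD_DEBUG = """\
[p:274][s:8754][r:186] wad_vf_extract_video_id(297): str='v=EAyo3_zJj5c', start='v=', end='&'
[p:274][s:8754][r:186] wad_vf_sync_task_trigger_async_task(1602): extracted vid=EAyo3_zJj5c ctx=0x7f118502d1f8
[p:274][s:8754][r:186] wad_vfc_client_lookup(174): local lookup: ret=0 result=hit, hit_cnt=51
local hit item, item's value:
  vid="EAyo3_zJj5c"
  category="4"
  channel="UCR6d0EiC3G4WA8-Rqji6a8g"
[p:274][s:8754][r:186] wad_vf_sync_task_proc_async_result(1721): ctx(0x7f118502d1f8) channel UCR6d0EiC3G4WA8-Rqji6a8g not match
[p:274][s:8754][r:186] wad_vf_sync_task_proc_async_result(1733): ctx(0x7f118502d1f8) category result is block
"""

# "[p:..][s:..][r:..] function(source_line): message"
LINE_RE = re.compile(r"^\[p:(\d+)\]\[s:(\d+)\]\[r:(\d+)\] (\w+)\((\d+)\): (.*)$")
# Message shapes taken from the sample output only.
PATTERNS = {
    "vid": re.compile(r"extracted vid=(\S+)"),
    "cache": re.compile(r"local lookup: ret=\d+ result=(\w+)"),
    "category_result": re.compile(r"category result is (\w+)"),
}
# Indented key="value" lines of the cache item dump.
ITEM_RE = re.compile(r'^\s+(\w+)="([^"]*)"')


def summarize_wad_debug(text):
    """Group debug lines by their [p][s][r] prefix and extract the decision."""
    summary, current = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            current = summary.setdefault(m.group(1, 2, 3), {"functions": []})
            current["functions"].append(m.group(4))
            for name, pattern in PATTERNS.items():
                hit = pattern.search(m.group(6))
                if hit:
                    current[name] = hit.group(1)
        elif current is not None:
            # Unprefixed lines belong to the most recent prefixed request.
            item = ITEM_RE.match(line)
            if item and item.group(1) in ("category", "channel"):
                current["cached_" + item.group(1)] = item.group(2)
    return summary


if __name__ == "__main__":
    for key, record in summarize_wad_debug(WAD_DEBUG).items():
        print(key, record)
```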
