Fortinet black logo

Administration Guide

Filtering based on YouTube channel

Filtering based on YouTube channel

Video filtering can be configured to filter specific YouTube channels. When a video matches a YouTube channel, the video will take the corresponding action of allow, monitor, or block. Video filtering is only supported in proxy-based inspection mode, and deep inspection must be enabled in the firewall policy.

By default, when the FortiGuard category-based filter and YouTube channel override are used together, a video will be blocked if it matches either category or YouTube channel and the action is set to block.

The override-category option allows the channel action to override the category action. A category can be blocked, but certain channels in that category can be allowed when the override-category option is enabled (see Configuration with YouTube channel override).

Identifying the YouTube channel ID

The following table lists how to identify the YouTube channel ID based on different YouTube video URLs formats:

Video URL

Channel ID

www.youtube.com/channel/<channel-id>

<channel-id> indicates the ID for the channel.

www.youtube.com/user/<user-id>

Open the page source and locate:

<meta itemprop="channelId" content="<channel-id>">

<channel-id> indicates the channel ID for the user page.

www.youtube.com/watch?v=<string>

Open the page source and locate:

<meta itemprop="channelId" content="<channel-id>">

<channel-id> indicates the channel ID for the video.

In a YouTube channel filter profile, the default action is set to monitor when there is no match. Logging is also disabled by default.

config videofilter youtube-channel-filter
    edit <id>
        set default-action {block | monitor | allow}
        set log {enable | disable}
    next
end

Basic configuration

In the following example, the Fortinet YouTube channel ID (UCJHo4AuVomwMRzgkA5DQEOA) is blocked, and the video filter is applied to a policy.

To configure a video filter based on a YouTube channel in the GUI:
  1. Go to Security Profiles > Video Filter and click Create New.
  2. In the Channel override list section, click Create New. The New Channel Override Entry pane opens.
    1. Enter the Channel ID (UCJHo4AuVomwMRzgkA5DQEOA) and for Action, select Block.

    2. Click OK.
  3. Click OK.
  4. Configure the firewall policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. For Inspection Mode, select Proxy-based.
    3. Enable Video Filter and select the profile you created.
    4. For SSL Inspection, select deep-inspection.

    5. Configure the other settings as needed and click OK.
To configure a video filter based on a YouTube channel in the CLI:
  1. Configure the channel filter:
    config videofilter youtube-channel-filter
        edit 1
            set name "channel_filter"
            set default-action monitor
            set log enable
            config entries
                edit 1
                    set action block
                    set channel-id "UCJHo4AuVomwMRzgkA5DQEOA"
                next
            end
        next
    end
  2. Configure the video filter profile:
    config videofilter profile
        edit "channel_filter"
            set youtube-channel-filter 1
        next 
    end
  3. Configure the firewall policy:
    config firewall policy
        edit 1
            set name "video-filter"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set videofilter-profile "channel_filter"
            set nat disable
        next
    end 

Configuration with YouTube channel override

In this example, all categories in the video filter are configured to be blocked. The YouTube channel filter list is configured with override-category enabled, which effectively creates an allowlist. The channel UCR6d0EiC3G4WA8-Rqji6a8g is allowed.

To configure YouTube channel override:
  1. Configure the YouTube channel filter:
    config videofilter youtube-channel-filter
        edit 1
            set name "vf1"
            set default-action monitor
            config entries
                edit 1
                    set comment "https://www.youtube.com/watch_v=EAyo3_zJj5c"
                    set action allow
                    set channel-id "UCR6d0EiC3G4WA8-Rqji6a8g"
                next
            end
            set override-category enable
            set log enable
        next
    end
  2. Configure the video filter profile:
    config videofilter profile
        edit "channel_filter_override"
            set youtube-channel-filter 1
            config fortiguard-category
                config filters
                    edit 1
                        set action block
                        set log enable
                    next
                    edit 2
                        set action block
                        set category-id 1
                        set log enable
                    next
                    edit 3
                        set action block
                        set category-id 2
                        set log enable
                    next
                    edit 4
                        set action block
                        set category-id 3
                        set log enable
                    next
                    edit 5
                        set action block
                        set category-id 4
                        set log enable
                    next
                    edit 6
                        set action block
                        set category-id 5
                        set log enable
                    next
                    edit 7
                        set action block
                        set category-id 6
                        set log enable
                    next
                    edit 8
                        set action block
                        set category-id 7
                        set log enable
                    next
                    edit 9
                        set action block
                        set category-id 8
                        set log enable
                    next
                    edit 10
                        set action block
                        set category-id 9
                        set log enable
                    next
                    edit 11
                        set action block
                        set category-id 10
                        set log enable
                    next
                end
            end
        next
    end
  3. Configure the firewall policy:
    config firewall policy
        edit 10
            set name "client_yt_v4"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "proxy"
            set ssl-ssh-profile "custom-deep-inspection"
            set videofilter-profile "channel_filter_override"
            set logtraffic all
            set nat enable
        next
    end
  4. Verify the logs. The category action is set to block and the channel action is set to allow, so video access is allowed:
    30: date=2022-05-27 time=13:40:13 eventtime=1653684013375716267 tz="-0700" logid="0348013682" type="utm" subtype="webfilter" eventtype="videofilter-channel" level="notice" vd="vdom1" msg="Video channel is allowed." policyid=10 sessionid=69958 srcip=10.1.100.11 dstip=142.251.33.78 srcport=42542 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" action="passthrough" videoinfosource="API" profile="channel_filter_override" videoid="EAyo3_zJj5c" videochannelid="UCR6d0EiC3G4WA8-Rqji6a8g" hostname="www.youtube.com" url="https://www.youtube.com/watch?v=EAyo3_zJj5c"
    Note

    If the category action is changed to allow and the channel action is changed to block, the video access would be blocked.

Filtering based on YouTube channel

Video filtering can be configured to filter specific YouTube channels. When a video matches a YouTube channel, the video will take the corresponding action of allow, monitor, or block. Video filtering is only supported in proxy-based inspection mode, and deep inspection must be enabled in the firewall policy.

By default, when the FortiGuard category-based filter and YouTube channel override are used together, a video will be blocked if it matches either category or YouTube channel and the action is set to block.

The override-category option allows the channel action to override the category action. A category can be blocked, but certain channels in that category can be allowed when the override-category option is enabled (see Configuration with YouTube channel override).

Identifying the YouTube channel ID

The following table lists how to identify the YouTube channel ID based on different YouTube video URLs formats:

Video URL

Channel ID

www.youtube.com/channel/<channel-id>

<channel-id> indicates the ID for the channel.

www.youtube.com/user/<user-id>

Open the page source and locate:

<meta itemprop="channelId" content="<channel-id>">

<channel-id> indicates the channel ID for the user page.

www.youtube.com/watch?v=<string>

Open the page source and locate:

<meta itemprop="channelId" content="<channel-id>">

<channel-id> indicates the channel ID for the video.

In a YouTube channel filter profile, the default action is set to monitor when there is no match. Logging is also disabled by default.

config videofilter youtube-channel-filter
    edit <id>
        set default-action {block | monitor | allow}
        set log {enable | disable}
    next
end

Basic configuration

In the following example, the Fortinet YouTube channel ID (UCJHo4AuVomwMRzgkA5DQEOA) is blocked, and the video filter is applied to a policy.

To configure a video filter based on a YouTube channel in the GUI:
  1. Go to Security Profiles > Video Filter and click Create New.
  2. In the Channel override list section, click Create New. The New Channel Override Entry pane opens.
    1. Enter the Channel ID (UCJHo4AuVomwMRzgkA5DQEOA) and for Action, select Block.

    2. Click OK.
  3. Click OK.
  4. Configure the firewall policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. For Inspection Mode, select Proxy-based.
    3. Enable Video Filter and select the profile you created.
    4. For SSL Inspection, select deep-inspection.

    5. Configure the other settings as needed and click OK.
To configure a video filter based on a YouTube channel in the CLI:
  1. Configure the channel filter:
    config videofilter youtube-channel-filter
        edit 1
            set name "channel_filter"
            set default-action monitor
            set log enable
            config entries
                edit 1
                    set action block
                    set channel-id "UCJHo4AuVomwMRzgkA5DQEOA"
                next
            end
        next
    end
  2. Configure the video filter profile:
    config videofilter profile
        edit "channel_filter"
            set youtube-channel-filter 1
        next 
    end
  3. Configure the firewall policy:
    config firewall policy
        edit 1
            set name "video-filter"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set videofilter-profile "channel_filter"
            set nat disable
        next
    end 

Configuration with YouTube channel override

In this example, all categories in the video filter are configured to be blocked. The YouTube channel filter list is configured with override-category enabled, which effectively creates an allowlist. The channel UCR6d0EiC3G4WA8-Rqji6a8g is allowed.

To configure YouTube channel override:
  1. Configure the YouTube channel filter:
    config videofilter youtube-channel-filter
        edit 1
            set name "vf1"
            set default-action monitor
            config entries
                edit 1
                    set comment "https://www.youtube.com/watch_v=EAyo3_zJj5c"
                    set action allow
                    set channel-id "UCR6d0EiC3G4WA8-Rqji6a8g"
                next
            end
            set override-category enable
            set log enable
        next
    end
  2. Configure the video filter profile:
    config videofilter profile
        edit "channel_filter_override"
            set youtube-channel-filter 1
            config fortiguard-category
                config filters
                    edit 1
                        set action block
                        set log enable
                    next
                    edit 2
                        set action block
                        set category-id 1
                        set log enable
                    next
                    edit 3
                        set action block
                        set category-id 2
                        set log enable
                    next
                    edit 4
                        set action block
                        set category-id 3
                        set log enable
                    next
                    edit 5
                        set action block
                        set category-id 4
                        set log enable
                    next
                    edit 6
                        set action block
                        set category-id 5
                        set log enable
                    next
                    edit 7
                        set action block
                        set category-id 6
                        set log enable
                    next
                    edit 8
                        set action block
                        set category-id 7
                        set log enable
                    next
                    edit 9
                        set action block
                        set category-id 8
                        set log enable
                    next
                    edit 10
                        set action block
                        set category-id 9
                        set log enable
                    next
                    edit 11
                        set action block
                        set category-id 10
                        set log enable
                    next
                end
            end
        next
    end
  3. Configure the firewall policy:
    config firewall policy
        edit 10
            set name "client_yt_v4"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "proxy"
            set ssl-ssh-profile "custom-deep-inspection"
            set videofilter-profile "channel_filter_override"
            set logtraffic all
            set nat enable
        next
    end
  4. Verify the logs. The category action is set to block and the channel action is set to allow, so video access is allowed:
    30: date=2022-05-27 time=13:40:13 eventtime=1653684013375716267 tz="-0700" logid="0348013682" type="utm" subtype="webfilter" eventtype="videofilter-channel" level="notice" vd="vdom1" msg="Video channel is allowed." policyid=10 sessionid=69958 srcip=10.1.100.11 dstip=142.251.33.78 srcport=42542 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" action="passthrough" videoinfosource="API" profile="channel_filter_override" videoid="EAyo3_zJj5c" videochannelid="UCR6d0EiC3G4WA8-Rqji6a8g" hostname="www.youtube.com" url="https://www.youtube.com/watch?v=EAyo3_zJj5c"
    Note

    If the category action is changed to allow and the channel action is changed to block, the video access would be blocked.