Enhance the video filter profile with a new level of customization and control 7.4.2

This information is also available in the FortiOS 7.4 Administration Guide: Filtering based on title Filtering based on description Configuring a video filter keyword list

Video filter profiles include a new level of customization and control with two keyword-based filters for video titles and descriptions that offer AND/OR logic options. Users can prioritize configured filters, and manage all categories and channels that match the filters using the new Any option.

By default, video filter profiles include an implicit rule set to allow the video. If a video does not match any of the other filters, it is subject to this implicit rule and passes through.

Unicode emoji character code is currently not supported for the title and description filters.

The YouTube API key must be configured to use this feature. Otherwise, the title and description filters will not retrieve the video information and bypass the traffic.

To configure the YouTube API key in the GUI:

1. Go to Security Profiles > Video Filter and select the Video Filter Settings tab.

2. Click the + to add an API key.

3. Click OK.

To configure the YouTube API key in the CLI:

config videofilter youtube-key
    edit <id>
        set key <string>
    next
end

This topic contains five video filter use cases:

• Example 1: blocking a video with a title containing the keywords 'API' or 'game'

• Example 2: blocking a video with a description containing the keywords 'API' and 'testing'

• Example 3: allowing a specific video by filtering the title while blocking others

• Example 4: allowing a specific video by filtering the description while blocking others

• Example 5: disabling a keyword in the keyword list

Example 1: blocking a video with a title containing the keywords 'API' or 'game'

In this example, videos are blocked that contain the keywords 'API' or 'game', so the keywords filter uses the Any match operator.

To configure the video filter profile in the GUI:

1. Configure the video filter keyword list:

   1. Go to Security Profiles > Video Filter, select the Video Filter Keyword tab, and click Create new.

   2. Enter a name (test-keyword-match-or) and set Match operator to Any.

      

   3. In the Keywords table, click Create new.

   4. Configure the API keyword with the following settings:

      1. In the Pattern field, enter API.

      2. Set the Pattern type to Wildcard.

         

      3. Click OK.

   5. Click Create new.

   6. Configure the game keyword with the following settings:

      1. In the Pattern field, enter Game.

      2. Set the Pattern type to Regular Expression.

         

      3. Click OK.

   7. Click OK to save the keyword list.

2. Configure the video filter profile:

   1. Go to Security Profiles > Video Filter, select the Video Filter Profile tab, and click Create new.

   2. Enter a name (title-filter-profile).

   3. In the Filters table, click Create new.

      

   4. Configure the filter with the following settings:

      1. Set the Type to Title.

      2. Set the Action to Block.

      3. Set the Keyword to test-keyword-match-or.

         

      4. Click OK.

   5. Click OK to save the video filter profile.

3. Apply the video filter in a firewall policy.

To configure the video filter profile in the CLI:

1. Configure the video filter keyword list:

   config videofilter keyword
       edit 1
           set name "test-keyword-match-or"
           set match or
           config word
               edit "API"
                   set pattern-type wildcard
                   set status enable
               next
               edit "Game"
                   set pattern-type regex
                   set status enable
               next
           end
       next
   end

2. Configure the video filter profile:

   config videofilter profile
       edit "title-filter-profile"
           config filters
               edit 1
                   set type title
                   set keyword 1
                   set action block
                   set log enable
               next
           end
       next
   end

3. Apply the video filter in a firewall policy.

To verify the configuration:

1. From a client, search for a video in YouTube named "How To Use Python Steam API || Steam game API python". The video is blocked.

   

2. Search for a video in YouTube named "Youtube Data API V3 Video Search Example". The video is blocked.

   

Sample logs:

6: date=2023-11-24 time=09:51:30 eventtime=1700848289598975941 tz="-0800" logid="0350013712" type="utm" subtype="webfilter" eventtype="unknown" level="warning" vd="vdom1" msg="Video title is blocked." policyid=1 poluuid="19841eb8-841c-51ee-7047-6a6860eb3522" sessionid=384813810 srcip=10.1.100.141 dstip=142.251.33.110 srcport=21473 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 httpmethod="GET" service="HTTPS" action="blocked" videoinfosource="API" profile="title-filter-profile" videoid="LaRHkSVvDjI" videotitle="How To Use Python Steam API  || Steam game API python" hostname="www.youtube.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" url="https://www.youtube.com/watch?v=LaRHkSVvDjI"

17: date=2023-11-23 time=19:30:59 eventtime=1700796659106881476 tz="-0800" logid="0350013712" type="utm" subtype="webfilter" eventtype="unknown" level="warning" vd="vdom1" msg="Video title is blocked." policyid=1 poluuid="19841eb8-841c-51ee-7047-6a6860eb3522" sessionid=384811679 srcip=10.1.100.141 dstip=142.251.215.238 srcport=15058 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 httpmethod="GET" service="HTTPS" action="blocked" videoinfosource="API" profile="title-filter-profile" videoid="EAyo3_zJj5c" videotitle="Youtube Data API V3 Video Search Example" hostname="www.youtube.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" url="https://www.youtube.com/watch?v=EAyo3_zJj5c"

Example 2: blocking a video with a description containing the keywords 'API' and 'testing'

In this example, videos are blocked where the description contains the keywords 'API' and 'testing', so the keywords filter uses the All match operator. The description filter supports the first 100 characters of the video description.

To configure the video filter profile in the GUI:

1. Configure the video filter keyword list:

   1. Go to Security Profiles > Video Filter, select the Video Filter Keyword tab, and click Create new.

   2. Enter a name (test-keyword-match-all) and set Match operator to All.

      

   3. In the Keywords table, click Create new.

   4. Configure the API keyword with the following settings:

      1. In the Pattern field, enter API.

      2. Set the Pattern type to Wildcard.

         

      3. Click OK.

   5. Click Create new.

   6. Configure the testing keyword with the following settings:

      1. In the Pattern field, enter testing.

      2. Set the Pattern type to Regular Expression.

         

      3. Click OK.

   7. Click OK to save the keyword list.

2. Configure the video filter profile:

   1. Go to Security Profiles > Video Filter, select the Video Filter Profile tab, and click Create new.

   2. Enter a name (test-description-filter).

   3. In the Filters table, click Create new.

   4. Configure the filter with the following settings:

      1. Set the Type to Description.

      2. Set the Action to Block.

      3. Set the Keyword to test-keyword-match-all.

         

      4. Click OK.

   5. Click OK to save the video filter profile.

3. Apply the video filter in a firewall policy.

To configure the video filter profile in the CLI:

1. Configure the video filter keyword list:

   config videofilter keyword
       edit 2
           set name "test-keyword-match-all"
           set match and
           config word
               edit "API"
                   set pattern-type wildcard
                   set status enable
               next
               edit "testing"
                   set pattern-type regex
                   set status enable
               next
           end
       next
   end

2. Configure the video filter profile:

   config videofilter profile
       edit "test-description-filter"
           config filters
               edit 1
                   set type description
                   set keyword 2
                   set action block
                   set log enable
               next
           end
       next
   end

3. Apply the video filter in a firewall policy.

To verify the configuration:

1. From a client, search for a video in YouTube named "Postman Tutorial #7 - HTTP Methods GET and POST in Postman". The description contains the text, "POSTMAN TUTORIAL - Complete API Testing and API Test Automation Course using Postman Tool...", so the video is blocked.

   

Sample log:

4: date=2023-11-24 time=16:08:51 eventtime=1700870931146681788 tz="-0800" logid="0351013728" type="utm" subtype="webfilter" eventtype="unknown" level="warning" vd="vdom1" msg="Video description is blocked." policyid=1 poluuid="090ca600-83e4-51ee-158a-a920fcf8f892" sessionid=100211 srcip=10.1.100.141 dstip=142.250.69.206 srcport=24948 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 httpmethod="GET" service="HTTPS" action="blocked" videoinfosource="API" profile="test-description-filter" videoid="pUGmhtqVJRk" videodesc="Get all my courses for USD 5.99/Month - https://bit.ly/all-c..." hostname="www.youtube.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" url="https://www.youtube.com/watch?v=pUGmhtqVJRk"

Example 3: allowing a specific video by filtering the title while blocking others

In this example, specific videos are allowed using title filtering while blocking others. The video filter profile contains two filters. The first filter uses a keyword list (monitor and allow the keywords 'API' or 'game' with the Any match operator). The second filter uses a category filter to block any unmatched videos by title filtering.

To configure the video filter profile in the GUI:

1. Configure the video filter keyword list:

   1. Go to Security Profiles > Video Filter, select the Video Filter Keyword tab, and click Create new.

   2. Enter a name (test-keyword-match-or) and set Match operator to Any.

      

   3. In the Keywords table, click Create new.

   4. Configure the API keyword with the following settings:

      1. In the Pattern field, enter API.

      2. Set the Pattern type to Wildcard.

         

      3. Click OK.

   5. Click Create new.

   6. Configure the game keyword with the following settings:

      1. In the Pattern field, enter Game.

      2. Set the Pattern type to Regular Expression.

         

      3. Click OK.

   7. Click OK to save the keyword list.

2. Configure the video filter profile:

   1. Go to Security Profiles > Video Filter, select the Video Filter Profile tab, and click Create new.

   2. Enter a name (allow-specific-title).

   3. In the Filters table, click Create new.

   4. Configure the first filter with the following settings:

      1. Set the Type to Title.

      2. Set the Action to Monitor.

      3. Set the Keyword to test-keyword-match-or.

         

      4. Click OK.

   5. Configure the second filter with the following settings:

      1. Set the Type to Category.

      2. Set the Action to Block.

      3. Set the Category to Any.

         

      4. Click OK.

   6. Click OK to save the video filter profile.

3. Apply the video filter in a firewall policy.

To configure the video filter profile in the CLI:

1. Configure the video filter keyword list:

   config videofilter keyword
       edit 1
           set name "test-keyword-match-or"
           set match or
           config word
               edit "API"
                   set pattern-type wildcard
                   set status enable
               next
               edit "Game"
                   set pattern-type regex
                   set status enable
               next
           end
       next
   end

2. Configure the video filter profile:

   config videofilter profile
       edit "allow-specific-title"
           config filters
               edit 1
                   set type title
                   set keyword 1
                   set action monitor
                   set log enable
               next
               edit 2
                   set type category
                   set category "any"
                   set action block
                   set log enable
               next
           end
       next
   end

3. Apply the video filter in a firewall policy.

To verify the configuration:

1. From a client, search for a video in YouTube with a title containing the word "API" or "game". The video is allowed.

   

2. Search for another video without "API" or "game" in the title. The video is blocked.

   

Sample logs:

5: date=2023-11-24 time=17:37:45 eventtime=1700876265256758209 tz="-0800" logid="0350013713" type="utm" subtype="webfilter" eventtype="unknown" level="notice" vd="vdom1" msg="Video title is monitored." policyid=1 poluuid="090ca600-83e4-51ee-158a-a920fcf8f892" sessionid=106912 srcip=10.1.100.141 dstip=142.250.217.110 srcport=25224 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 httpmethod="GET" service="HTTPS" action="passthrough" videoinfosource="API" profile="allow-specific-title" videoid="EAyo3_zJj5c" videotitle="Youtube Data API V3 Video Search Example" hostname="www.youtube.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" url="https://www.youtube.com/watch?v=EAyo3_zJj5c"

32: date=2023-11-24 time=17:38:58 eventtime=1700876338000614028 tz="-0800" logid="0347013664" type="utm" subtype="webfilter" eventtype="videofilter-category" level="warning" vd="vdom1" msg="Video category is blocked." policyid=1 poluuid="090ca600-83e4-51ee-158a-a920fcf8f892" sessionid=107051 srcip=10.1.100.141 dstip=142.250.217.110 srcport=25260 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 httpmethod="POST" service="HTTPS" action="blocked" videoinfosource="API" profile="allow-specific-title" videoid="7JhBGWSO108" videocategoryid=10 videocategoryname="Sports" hostname="www.youtube.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" referralurl="https://www.youtube.com/" url="https://www.youtube.com/youtubei/v1/player?key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8&prettyPrint=false"

Example 4: allowing a specific video by filtering the description while blocking others

In this example, specific videos are allowed using description filtering while blocking others. The video filter profile contains two filters. The first filter uses a keyword list (monitor and allow the keywords 'API' and 'testing' with the All match operator). The second filter uses a channel filter to block any unmatched videos.

To configure the video filter profile in the GUI:

1. Configure the video filter keyword list:

   1. Go to Security Profiles > Video Filter, select the Video Filter Keyword tab, and click Create new.

   2. Enter a name (test-keyword-match-all) and set Match operator to All.

      

   3. In the Keywords table, click Create new.

   4. Configure the API keyword with the following settings:

      1. In the Pattern field, enter API.

      2. Set the Pattern type to Wildcard.

         

      3. Click OK.

   5. Click Create new.

   6. Configure the testing keyword with the following settings:

      1. In the Pattern field, enter testing.

      2. Set the Pattern type to Regular Expression.

         

      3. Click OK.

   7. Click OK to save the keyword list.

2. Configure the video filter profile:

   1. Go to Security Profiles > Video Filter, select the Video Filter Profile tab, and click Create new.

   2. Enter a name (test-allow-specific-description).

   3. In the Filters table, click Create new.

   4. Configure the first filter with the following settings:

      1. Set the Type to Description.

      2. Set the Action to Monitor.

      3. Set the Keyword to test-keyword-match-all.

         

      4. Click OK.

   5. Configure the second filter with the following settings:

      1. Set the Type to Channel.

      2. Set the Action to Block.

      3. Set the Channel to Any.

         

      4. Click OK.

   6. Click OK to save the video filter profile.

3. Apply the video filter in a firewall policy.

To configure the video filter profile in the CLI:

1. Configure the video filter keyword list:

   config videofilter keyword
       edit 1
           set name "test-keyword-match-all"
           set match and
           config word
               edit "API"
                   set pattern-type wildcard
                   set status enable
               next
               edit "testing"
                   set pattern-type regex
                   set status enable
               next
           end
       next
   end

2. Configure the video filter profile:

   config videofilter profile
       edit "test-allow-specific-description"
           config filters
               edit 1
                   set type description
                   set keyword 1
                   set action monitor
                   set log enable
               next
               edit 2
                   set type channel
                   set channel "any"
                   set action block
                   set log enable
               next
           end
       next
   end

3. Apply the video filter in a firewall policy.

To verify the configuration:

1. From a client, search for a video in YouTube with a description containing the words "API" and "testing". The video is allowed since the video description contains "In this Postman Tutorial, we will learn about HTTP Methods GET and POST in Postman."

   

2. Search for another video without "API" and "testing" in the description. The video is blocked.

   

Sample logs:

1: date=2023-11-24 time=18:07:46 eventtime=1700878066675991798 tz="-0800" logid="0351013729" type="utm" subtype="webfilter" eventtype="unknown" level="notice" vd="vdom1" msg="Video description is monitored." policyid=1 poluuid="090ca600-83e4-51ee-158a-a920fcf8f892" sessionid=109384 srcip=10.1.100.141 dstip=142.250.217.110 srcport=25452 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 httpmethod="GET" service="HTTPS" action="passthrough" videoinfosource="API" profile="test-allow-specific-description" videoid="pUGmhtqVJRk" videodesc="Get all my courses for USD 5.99/Month - https://bit.ly/all-c..." hostname="www.youtube.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" url="https://www.youtube.com/watch?v=pUGmhtqVJRk"

32: date=2023-11-24 time=18:08:54 eventtime=1700878134354460846 tz="-0800" logid="0348013680" type="utm" subtype="webfilter" eventtype="videofilter-channel" level="warning" vd="vdom1" msg="Video channel is blocked." policyid=1 poluuid="090ca600-83e4-51ee-158a-a920fcf8f892" sessionid=109532 srcip=10.1.100.141 dstip=142.250.217.110 srcport=25498 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 httpmethod="POST" service="HTTPS" action="blocked" videoinfosource="Cache" profile="test-allow-specific-description" videoid="uB0AcaxR-eM" videochannelid="UCz8QaiQxApLq8sLNcszYyJw" hostname="www.youtube.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" referralurl="https://www.youtube.com/watch?v=uB0AcaxR-eM" url="https://www.youtube.com/youtubei/v1/player?key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8&prettyPrint=false"

Example 5: disabling a keyword in the keyword list

To disable a keyword in the keyword list in the GUI:

1. Go to Security Profiles > Video Filter, select the Video Filter Keyword tab, and edit an entry.

2. In the Keywords table, select an entry and click Edit.

3. Set the Status to Disable.

   

4. Click OK.

5. Click OK to save the keyword list.

To disable a keyword in the keyword list in the CLI:

config videofilter keyword
    edit 1
        set name "test-keyword-match-all"
        set match and
        config word
            edit "API"
                set status disable
            next
        end
    next
end