Filtering based on YouTube channel
Video filtering can be configured to filter specific YouTube channels. When a video matches a YouTube channel, the video will take the corresponding action of allow, monitor, or block. Video filtering is only supported in proxy-based inspection mode, and deep inspection must be enabled in the firewall policy.
By default, when the FortiGuard category-based filter and YouTube channel override are used together, a video will be blocked if it matches either category or YouTube channel and the action is set to block.
The Channel override list allows the channel action to override the category action. A category can be blocked, but certain channels in that category can be allowed (see Configuration with YouTube channel override).
Videos are first filtered by channel action. If no match is found, then the category action is checked. If neither condition is met, the default action in the video filter profile is used.
Identifying the YouTube channel ID
The following table lists how to identify the YouTube channel ID based on different YouTube video URL formats:

| Video URL | Channel ID |
|---|---|
| www.youtube.com/channel/<channel-id> | <channel-id> indicates the ID for the channel. |
| www.youtube.com/user/<user-id> | Open the page source and locate: `<meta itemprop="channelId" content="<channel-id>">`. <channel-id> indicates the channel ID for the user page. |
| www.youtube.com/watch?v=<string> | Open the page source and locate: `<meta itemprop="channelId" content="<channel-id>">`. <channel-id> indicates the channel ID for the video. |
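The lookup in the table above, written as an added Python example (not Fortinet code). The names `channel_id`, `ChannelMeta` and `SAMPLE_PAGE` are chosen here, and the sample page source is constructed; the function assumes the page source has already been saved and is passed in as a string.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page source; only the channelId meta tag matters for the lookup.
SAMPLE_PAGE = """<html><head><title>Sample</title>
<meta itemprop="name" content="Sample video">
<meta itemprop="channelId" content="UCR6d0EiC3G4WA8-Rqji6a8g">
</head><body></body></html>"""


class ChannelMeta(HTMLParser):
    """Collects content values of <meta itemprop="channelId"> tags."""

    def __init__(self):
        super().__init__()
        self.ids = set()

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "meta" and attr.get("itemprop") == "channelId" and attr.get("content"):
            self.ids.add(attr["content"])


def channel_id(url, page_source=""):
    """Return the channel ID for a YouTube URL, or None if it cannot be determined."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    if parsed.hostname not in ("www.youtube.com", "youtube.com"):
        return None
    parts = [p for p in parsed.path.split("/") if p]
    # /channel/<channel-id>: the ID is the second path segment.
    if len(parts) >= 2 and parts[0] == "channel":
        return parts[1]
    # /user/<user-id> and /watch?v=<string>: read the meta tag from the page source.
    if parts and parts[0] in ("user", "watch"):
        finder = ChannelMeta()
        finder.feed(page_source)
        # More than one distinct ID is ambiguous; do not guess a filter entry.
        return finder.ids.pop() if len(finder.ids) == 1 else None
    return None
```

Returning `None` for an ambiguous or missing tag keeps a wrong ID out of the channel override list, where it would silently allow or block the wrong channel.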
In a video filter profile, the default action is set to monitor when there is no match. Logging is enabled by default.
    config videofilter profile
        edit <name>
            set default-action {block | monitor | allow}
            set log {enable | disable}
        next
    end
Basic configuration
In the following example, the Fortinet YouTube channel ID (UCJHo4AuVomwMRzgkA5DQEOA) is blocked, and the video filter is applied to a policy.
To configure a video filter based on a YouTube channel in the GUI:
- Go to Security Profiles > Video Filter and click Create New.
- In the Channel override list section, click Create New. The New Channel Override Entry pane opens.
- Enter the Channel ID (UCJHo4AuVomwMRzgkA5DQEOA) and for Action, select Block.
- Click OK.
- Click OK.
- Configure the firewall policy:
  - Go to Policy & Objects > Firewall Policy and click Create New.
  - For Inspection Mode, select Proxy-based.
  - Enable Video Filter and select the profile you created.
  - For SSL Inspection, select deep-inspection.
  - Configure the other settings as needed and click OK.
To configure a video filter based on a YouTube channel in the CLI:
- Configure the channel filter:
    config videofilter youtube-channel-filter
        edit 1
            set name "channel_filter"
            set log enable
            config entries
                edit 1
                    set action block
                    set channel-id "UCJHo4AuVomwMRzgkA5DQEOA"
                next
            end
        next
    end
- Configure the video filter profile:
    config videofilter profile
        edit "channel_filter"
            set default-action monitor
            set log enable
            set youtube-channel-filter 1
        next
    end
- Configure the firewall policy:
    config firewall policy
        edit 1
            set name "video-filter"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set videofilter-profile "channel_filter"
            set nat disable
        next
    end
Configuration with YouTube channel override
In this example, all categories in the video filter are configured to be blocked. The YouTube channel filter list is configured with the action set to allow, which effectively creates an allowlist. The channel UCR6d0EiC3G4WA8-Rqji6a8g is allowed.
To configure YouTube channel override in the GUI:
- Go to Security Profiles > Video Filter and click Create New.
- In the Channel override list section, click Create New. The New Channel Override Entry pane opens.
- Enter the Channel ID (UCJHo4AuVomwMRzgkA5DQEOA) and for Action, select Allow.
- Click OK.
- In the FortiGuard Category Based Filter section, set the Action for all categories to Block.
- Click OK.
- Configure the firewall policy:
  - Go to Policy & Objects > Firewall Policy and click Create New.
  - For Inspection Mode, select Proxy-based.
  - Enable Video Filter and select the profile you created.
  - For SSL Inspection, select deep-inspection.
  - Configure the other settings as needed and click OK.
To configure YouTube channel override in the CLI:
- Configure the YouTube channel filter:
    config videofilter youtube-channel-filter
        edit 1
            set name "vf1"
            config entries
                edit 1
                    set comment "https://www.youtube.com/watch_v=EAyo3_zJj5c"
                    set action allow
                    set channel-id "UCR6d0EiC3G4WA8-Rqji6a8g"
                next
            end
            set log enable
        next
    end
- Configure the video filter profile:
    config videofilter profile
        edit "channel_filter_override"
            set default-action monitor
            set log enable
            set youtube-channel-filter 1
            config fortiguard-category
                config filters
                    edit 1
                        set action block
                        set log enable
                    next
                    edit 2
                        set action block
                        set category-id 1
                        set log enable
                    next
                    edit 3
                        set action block
                        set category-id 2
                        set log enable
                    next
                    edit 4
                        set action block
                        set category-id 3
                        set log enable
                    next
                    edit 5
                        set action block
                        set category-id 4
                        set log enable
                    next
                    edit 6
                        set action block
                        set category-id 5
                        set log enable
                    next
                    edit 7
                        set action block
                        set category-id 6
                        set log enable
                    next
                    edit 8
                        set action block
                        set category-id 7
                        set log enable
                    next
                    edit 9
                        set action block
                        set category-id 8
                        set log enable
                    next
                    edit 10
                        set action block
                        set category-id 9
                        set log enable
                    next
                    edit 11
                        set action block
                        set category-id 10
                        set log enable
                    next
                end
            end
        next
    end
- Configure the firewall policy:
    config firewall policy
        edit 10
            set name "client_yt_v4"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set videofilter-profile "channel_filter_override"
            set logtraffic all
            set nat enable
        next
    end
- Verify the logs. The category action is set to block and the channel action is set to allow, so video access is allowed:

    30: date=2023-05-03 time=16:38:41 eventtime=1683157121226033191 tz="-0700" logid="0348013682" type="utm" subtype="webfilter" eventtype="videofilter-channel" level="notice" vd="root" msg="Video channel is allowed." policyid=1 poluuid="e8b310ba-914f-51ed-9014-7b2a116f29ad" sessionid=1971 srcip=172.20.120.13 dstip=142.251.33.78 srcport=63207 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="wan" proto=6 httpmethod="POST" service="HTTPS" action="passthrough" videoinfosource="Cache" profile="channel_filter_override" videoid="EAyo3_zJj5c" videochannelid="UCR6d0EiC3G4WA8-Rqji6a8g" hostname="www.youtube.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" referralurl="https://www.youtube.com/watch?v=EAyo3_zJj5c" url="https://www.youtube.com/api/stats/qoe?fmt=135&afmt=251&cpn=RbyesMDI67aQvDBc&el=detailpage&ns=yt&fexp=23983296%2C23986017%2C24004644%2C24007246%2C24080738%2C24135310%2C24219382%2C24255165%2C24406084%2C24415864%2C24416290%2C24433679%2C24437577%2C24439361%2C24449113%2C24468691%2C24494396%2C24499792%2C24514873%2C24516157%2C24519085%2C24532855%2C24537881%2C24550458%2C24559266%2C24691625%2C39323074&cl=528338113&seq=3&docid=EAyo3_zJj5c&ei=VvBSZIbxI4_Ckgaa6aW4Dw&event=streamingstats&plid=AAX60ovFxSwqcWr-&cbr=Chrom"
If the category action is changed to allow and the channel action is changed to block, the video access would be blocked.
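One way to review these logs against the approved allowlist, as an added Python example (not Fortinet code). It reports `videofilter-channel` events that passed through the override profile for a channel that is not on the approved list. It assumes logs exported as text in the key=value format shown above; the function names and the sample lines, including the placeholder channel ID and the 192.0.2.x addresses, are constructed.

```python
import re

# Matches key=value and key="quoted value". A quoted value is consumed whole,
# so key=value text inside a logged URL never becomes a field of its own.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed log lines, shortened from the format shown above.
SAMPLE_LOGS = [
    'date=2023-05-03 time=16:38:41 type="utm" subtype="webfilter" '
    'eventtype="videofilter-channel" msg="Video channel is allowed." srcip=192.0.2.13 '
    'action="passthrough" profile="channel_filter_override" videoid="EAyo3_zJj5c" '
    'videochannelid="UCR6d0EiC3G4WA8-Rqji6a8g" '
    'url="https://www.youtube.com/api/stats/qoe?el=detailpage&event=streamingstats"',
    'date=2023-05-03 time=16:41:02 type="utm" subtype="webfilter" '
    'eventtype="videofilter-channel" msg="Video channel is allowed." srcip=192.0.2.27 '
    'action="passthrough" profile="channel_filter_override" videoid="PLACEHOLDER01" '
    'videochannelid="UC-PLACEHOLDER-NOT-APPROVED"',
    'date=2023-05-03 time=16:42:10 type="utm" subtype="webfilter" '
    'eventtype="videofilter-channel" msg="Video channel is allowed." srcip=192.0.2.30 '
    'action="passthrough" profile="channel_filter" videoid="PLACEHOLDER02" '
    'videochannelid="UC-PLACEHOLDER-NOT-APPROVED"',
]


def parse_log(line):
    """Split one log line into a dict of field name -> value (quotes removed)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def unapproved_passthrough(lines, profile, approved_channels):
    """Return (srcip, channel ID, video ID) for allowed channels not on the approved list."""
    findings = []
    for line in lines:
        f = parse_log(line)
        if f.get("eventtype") != "videofilter-channel" or f.get("profile") != profile:
            continue
        if f.get("action") == "passthrough" and f.get("videochannelid") not in approved_channels:
            findings.append((f.get("srcip"), f.get("videochannelid"), f.get("videoid")))
    return findings
```

A non-empty result means the channel override list on the device allows something the approved list does not, which is worth checking because every allow entry bypasses the category block.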