Fortinet black logo

Administration Guide

Home FortiGate / FortiOS 7.4.3 Administration Guide
7.4.3
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0

Filtering based on YouTube channel

Filtering based on YouTube channel

Video filtering can be configured to filter any or specific YouTube channels. When a video matches a YouTube channel, the video will take the corresponding action of allow, monitor, or block. Video filtering is only supported in proxy-based inspection mode, and deep inspection must be enabled in the firewall policy.

The YouTube API key must be configured when using this feature in conjunction with filtering based on FortiGuard categories. See YouTube API key for more information.

Note

Videos are filtered based on their sequence order, which could allow for specific categorization. A category can be blocked, but certain channels within that category can be allowed. If no match is found, then the video will be subjected to an implicit rule and allowed to pass through See Basic configuration for an example.

Identifying the YouTube channel ID

The following table lists how to identify the YouTube channel ID based on different YouTube video URLs formats:

Video URL

Channel ID

www.youtube.com/channel/<channel-id>

<channel-id> indicates the ID for the channel.

www.youtube.com/user/<user-id>

Open the page source and locate:

<meta itemprop="channelId" content="<channel-id>">

<channel-id> indicates the channel ID for the user page.

www.youtube.com/watch?v=<string>

Open the page source and locate:

<meta itemprop="channelId" content="<channel-id>">

<channel-id> indicates the channel ID for the video.
Note

It is recommended to block the QUIC protocol in application control profiles while applying video filter profiles (see Blocking QUIC manually). By default, FortiOS can only inspect QUIC traffic in HTTP3 in flow mode, and video filtering only operates in proxy mode. By explicitly blocking QUIC in application control, video traffic utilizing the QUIC protocol on UDP/443 will revert to TCP/443 without QUIC, allowing the FortiGate to successfully inspect the traffic.

Basic configuration

In this example, the Knowledge category in the video filter is configured to be blocked. The YouTube channel filter list is configured with the action set to monitor, which effectively creates an allowlist. The Fortinet YouTube channel ID UCJHo4AuVomwMRzgkA5DQEOA is allowed. This example uses the category_filter video filter profile and client_yt_v4 firewall policy configured in Filtering based on FortiGuard categories.

To configure a video filter based on a YouTube channel in the GUI:
  1. Go to Security Profiles > Video Filter, select the Video Filter Profile tab, and edit channel_filter.
  2. In the Filters table, click Create new.
  3. Set the Type to the Channel.
  4. Set the Action to Monitor.
  5. Set the Channel to Specify and enter the Channel ID, UCJHo4AuVomwMRzgkA5DQEOA.
  6. Click OK to save the filter.
  7. Click OK to save the video filter profile.
To configure a video filter based on a YouTube channel in the CLI:
config videofilter profile
    edit "category_filter"
        config filters
            edit 2
                set type channel
                set channel "UCJHo4AuVomwMRzgkA5DQEOA"
                set action monitor
                set log enable
            next
        end
    next
end

Verifying the configuration

Perform a search from a client for a video on YouTube that falls under the Knowledge category, such as any video from the Udemy channel. The result is a blocked video. However, searching for a video from the Fortinet YouTube channel results in an accessible video.

Sample logs:
1: date=2023-12-13 time=09:33:20 eventtime=1702488800873289004 tz="-0800" logid="0347013664" type="utm" subtype="webfilter" eventtype="videofilter-category" level="warning" vd="root" msg="Video category is blocked." policyid=1 poluuid="f4fe48a4-938c-51ee-8856-3e84e3b24af4" sessionid=33099 srcip=13.13.13.13 dstip=108.177.98.136 srcport=58844 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 httpmethod="POST" service="HTTPS" action="blocked" videoinfosource="FortiGuard" profile="category_filter" videoid="hG-rVFM62J4" videocategoryid=4 videocategoryname="Knowledge" hostname="www.youtube.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" referralurl="https://www.youtube.com/results?search_query=udemy" url="https://www.youtube.com/youtubei/v1/player?key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8&prettyPrint=false"
2: date=2023-12-13 time=09:30:29 eventtime=1702488629127408526 tz="-0800" logid="0348013681" type="utm" subtype="webfilter" eventtype="videofilter-channel" level="notice" vd="root" msg="Video channel is monitored." policyid=1 poluuid="f4fe48a4-938c-51ee-8856-3e84e3b24af4" sessionid=32740 srcip=13.13.13.13 dstip=142.251.211.238 srcport=58685 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 httpmethod="POST" service="HTTPS" action="passthrough" videoinfosource="API" profile="category_filter" videoid="PZzW7rYMUJw" videochannelid="UCJHo4AuVomwMRzgkA5DQEOA" hostname="www.youtube.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" referralurl="https://www.youtube.com/watch?v=PZzW7rYMUJw" url="https://www.youtube.com/youtubei/v1/player?key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8&prettyPrint=false"
Previous
Next

Filtering based on YouTube channel

Video filtering can be configured to filter any or specific YouTube channels. When a video matches a YouTube channel, the video will take the corresponding action of allow, monitor, or block. Video filtering is only supported in proxy-based inspection mode, and deep inspection must be enabled in the firewall policy.

The YouTube API key must be configured when using this feature in conjunction with filtering based on FortiGuard categories. See YouTube API key for more information.

Note

Videos are filtered based on their sequence order, which could allow for specific categorization. A category can be blocked, but certain channels within that category can be allowed. If no match is found, then the video will be subjected to an implicit rule and allowed to pass through See Basic configuration for an example.

Identifying the YouTube channel ID

The following table lists how to identify the YouTube channel ID based on different YouTube video URLs formats:

Video URL

Channel ID

www.youtube.com/channel/<channel-id>

<channel-id> indicates the ID for the channel.

www.youtube.com/user/<user-id>

Open the page source and locate:

<meta itemprop="channelId" content="<channel-id>">

<channel-id> indicates the channel ID for the user page.

www.youtube.com/watch?v=<string>

Open the page source and locate:

<meta itemprop="channelId" content="<channel-id>">

<channel-id> indicates the channel ID for the video.
Note

It is recommended to block the QUIC protocol in application control profiles while applying video filter profiles (see Blocking QUIC manually). By default, FortiOS can only inspect QUIC traffic in HTTP3 in flow mode, and video filtering only operates in proxy mode. By explicitly blocking QUIC in application control, video traffic utilizing the QUIC protocol on UDP/443 will revert to TCP/443 without QUIC, allowing the FortiGate to successfully inspect the traffic.

Basic configuration

In this example, the Knowledge category in the video filter is configured to be blocked. The YouTube channel filter list is configured with the action set to monitor, which effectively creates an allowlist. The Fortinet YouTube channel ID UCJHo4AuVomwMRzgkA5DQEOA is allowed. This example uses the category_filter video filter profile and client_yt_v4 firewall policy configured in Filtering based on FortiGuard categories.

To configure a video filter based on a YouTube channel in the GUI:
  1. Go to Security Profiles > Video Filter, select the Video Filter Profile tab, and edit channel_filter.
  2. In the Filters table, click Create new.
  3. Set the Type to the Channel.
  4. Set the Action to Monitor.
  5. Set the Channel to Specify and enter the Channel ID, UCJHo4AuVomwMRzgkA5DQEOA.
  6. Click OK to save the filter.
  7. Click OK to save the video filter profile.
To configure a video filter based on a YouTube channel in the CLI:
config videofilter profile
    edit "category_filter"
        config filters
            edit 2
                set type channel
                set channel "UCJHo4AuVomwMRzgkA5DQEOA"
                set action monitor
                set log enable
            next
        end
    next
end

Verifying the configuration

Perform a search from a client for a video on YouTube that falls under the Knowledge category, such as any video from the Udemy channel. The result is a blocked video. However, searching for a video from the Fortinet YouTube channel results in an accessible video.

Sample logs:
1: date=2023-12-13 time=09:33:20 eventtime=1702488800873289004 tz="-0800" logid="0347013664" type="utm" subtype="webfilter" eventtype="videofilter-category" level="warning" vd="root" msg="Video category is blocked." policyid=1 poluuid="f4fe48a4-938c-51ee-8856-3e84e3b24af4" sessionid=33099 srcip=13.13.13.13 dstip=108.177.98.136 srcport=58844 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 httpmethod="POST" service="HTTPS" action="blocked" videoinfosource="FortiGuard" profile="category_filter" videoid="hG-rVFM62J4" videocategoryid=4 videocategoryname="Knowledge" hostname="www.youtube.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" referralurl="https://www.youtube.com/results?search_query=udemy" url="https://www.youtube.com/youtubei/v1/player?key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8&prettyPrint=false"
2: date=2023-12-13 time=09:30:29 eventtime=1702488629127408526 tz="-0800" logid="0348013681" type="utm" subtype="webfilter" eventtype="videofilter-channel" level="notice" vd="root" msg="Video channel is monitored." policyid=1 poluuid="f4fe48a4-938c-51ee-8856-3e84e3b24af4" sessionid=32740 srcip=13.13.13.13 dstip=142.251.211.238 srcport=58685 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 httpmethod="POST" service="HTTPS" action="passthrough" videoinfosource="API" profile="category_filter" videoid="PZzW7rYMUJw" videochannelid="UCJHo4AuVomwMRzgkA5DQEOA" hostname="www.youtube.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" referralurl="https://www.youtube.com/watch?v=PZzW7rYMUJw" url="https://www.youtube.com/youtubei/v1/player?key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8&prettyPrint=false"
Previous
Next