Top application: YouTube example
Monitoring network traffic with SSL deep inspection
This example describes how to monitor network traffic for YouTube using FortiView Applications view with SSL deep inspection.
To monitor network traffic with SSL deep inspection:
- Create a firewall policy with the following settings:
  - Application Control is enabled.
  - SSL Inspection is set to deep-inspection.
  - Log Allowed Traffic is set to All Sessions.
- Go to Security Profiles > Application Control.
- Select a related Application Control profile used by the firewall policy and click Edit.
- Because YouTube cloud applications are categorized into Video/Audio, ensure the Video/Audio category is monitored. Monitored categories are indicated by an eye icon.
- Click View Application Signatures and hover over YouTube cloud applications to view detailed information about YouTube application sensors.
- Expand YouTube to view the Application Signatures associated with the application.
| Application Signature | Description | Application ID |
| --- | --- | --- |
| YouTube_Video.Access | An attempt to access a video on YouTube. | 16420 |
| YouTube_Channel.ID | An attempt to access a video on a specific channel on YouTube. | 44956 |
| YouTube_Comment.Posting | An attempt to post comments on YouTube. | 31076 |
| YouTube_HD.Streaming | An attempt to watch HD videos on YouTube. | 33104 |
| YouTube_Messenger | An attempt to access messenger on YouTube. | 47858 |
| YouTube_Video.Play | An attempt to download and play a video from YouTube. | 38569 |
| YouTube_Video.Upload | An attempt to upload a video to YouTube. | 22564 |
| YouTube | An attempt to access YouTube. This application sensor does not depend on SSL deep inspection so it does not have a cloud or lock icon. | 31077 |
| YouTube_Channel.Access | An attempt to access a video on a specific channel on YouTube. | 41598 |
To view the application signature description, click the ID link in the information window.
- On the test PC, log into YouTube and play some videos.
- On the FortiGate, go to Log & Report > Security Events, select Application Control, and look for log entries for browsing and playing YouTube videos.
  In this example, note the Application User and Application Details. Also note that the Application Control ID is 38569 showing that this entry was triggered by the application sensor YouTube_Video.Play.
- Go to Dashboard > FortiView Applications.
- In the FortiView Applications monitor, double-click YouTube to view the drilldown information.
- Click View session logs to see all the entries for the videos played. Check the sessions for YouTube_Video.Play with the ID 38569.
Monitoring network traffic without SSL deep inspection
This example describes how to monitor network traffic for YouTube using FortiView cloud application view without SSL deep inspection.
To monitor network traffic without SSL deep inspection:
- Create a firewall policy with the following settings.
  - Application Control is enabled.
  - SSL Inspection is set to certificate-inspection.
  - Log Allowed Traffic is set to All Sessions.
- On the test PC, log into YouTube and play some videos.
- On the FortiGate, go to Log & Report > Security Events and look for log entries for browsing and playing YouTube videos in the Application Control card.
  In this example, the log shows only applications with the name YouTube. The log cannot show YouTube application sensors which rely on SSL deep inspection.
- Go to Dashboard > FortiView Applications.
  The FortiView Application by Bytes monitor shows the YouTube cloud application without the video played information that requires SSL deep inspection.
- Double-click YouTube and click View session logs.
  These sessions were triggered by the application sensor YouTube with the ID 31077. This is the application sensor with cloud behavior which does not rely on SSL deep inspection.
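The session-log check in both procedures above (ID 38569 appears with deep inspection, only ID 31077 appears without it) can be scripted over exported Application Control logs to confirm per policy whether deep inspection is actually taking effect. This is an added example, not Fortinet's code; the key=value layout, the field names (`subtype`, `policyid`, `appid`, `app`) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Application IDs copied from the signature table on this page.
YOUTUBE_SENSORS = {
    16420: "YouTube_Video.Access", 44956: "YouTube_Channel.ID",
    31076: "YouTube_Comment.Posting", 33104: "YouTube_HD.Streaming",
    47858: "YouTube_Messenger", 38569: "YouTube_Video.Play",
    22564: "YouTube_Video.Upload", 31077: "YouTube",
    41598: "YouTube_Channel.Access",
}
# Page: only 31077 works without deep inspection. Assumption of this example:
# every other listed sensor depends on it.
BASE_SENSOR_ID = 31077
# Assumed log layout: space-separated key=value pairs, values optionally quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def summarize(lines):
    """Per policy: YouTube sensor hit counts and whether a deep-inspection sensor fired."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        appid = rec.get("appid", "")
        if rec.get("subtype") != "app-ctrl" or not appid.isdigit():
            continue  # not an Application Control entry
        if int(appid) not in YOUTUBE_SENSORS:
            continue  # some other application
        hits.setdefault(rec.get("policyid", "?"), Counter())[int(appid)] += 1
    return {
        policy: {
            "sensors": {YOUTUBE_SENSORS[i]: n for i, n in counts.items()},
            "deep_inspection_visible": any(i != BASE_SENSOR_ID for i in counts),
        }
        for policy, counts in hits.items()
    }

# Constructed sample lines (not captured from a real device).
SAMPLE = [
    'type="utm" subtype="app-ctrl" policyid=1 appid=31077 app="YouTube" action="pass"',
    'type="utm" subtype="app-ctrl" policyid=1 appid=38569 app="YouTube_Video.Play" action="pass"',
    'type="utm" subtype="app-ctrl" policyid=1 appid=38569 app="YouTube_Video.Play" action="pass"',
    'type="utm" subtype="app-ctrl" policyid=2 appid=31077 app="YouTube" action="pass"',
    'type="utm" subtype="app-ctrl" policyid=2 appid=31077 app="YouTube" action="pass"',
    'type="traffic" subtype="forward" policyid=2 appid=31077 app="YouTube" action="accept"',
]
```

A policy that reports `deep_inspection_visible: False` while it is expected to use the deep-inspection profile is worth checking for a wrong SSL Inspection profile or for clients that do not trust the inspection CA.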