Fortinet Document Library

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Filtering based on FortiGuard categories

Video filtering is only proxy-based and uses the WAD daemon to inspect the video in four phases:

  1. When the WAD receives a video query from a client, it extracts the video ID (vid) and tries to check the category and channel from the local cache.
  2. If there is no match from the local cache, it connects to the FortiGuard video rating server to query the video category.
  3. If the FortiGuard rating fails, it uses the videofilter.youtube-key to communicate with the Google API server to get its category and channel ID. This is the API query setting and it requires the user’s own YouTube API key string. This configuration is optional.
  4. If all steps fail to match the video, the WAD calls on the IPS engine to match the video ID and channel ID from the application signature database.

In the following example, a new video filter profile is created to block the Knowledge category.

Tooltip

In the firewall policy settings, the default application control profile is recommended because it blocks QUIC traffic. Many Google services use the QUIC protocol on UDP/443. By blocking QUIC, YouTube will use standard HTTPS TCP/443 connections.

To configure a video filter based on FortiGuard categories in the GUI:
  1. Create the video filter profile:
    1. Go to Security Profiles > Video Filter and click Create New.
    2. Enter a name (category_filter).
    3. In the FortiGuard Category Based Filter section, set the Knowledge category Action to Block.
    4. Click OK.
  2. Create the firewall policy:
    1. Enter the following:

      Incoming Interface

      port2

      Outgoing Interface

      port1

      Source

      All

      Destination

      All

      Service

      All

      Inspection Mode

      Proxy-based

      NAT

      Enable

      Video Filter

      Enable and select category_filter

      Application Control

      Enable and select default

      SSL Inspection

      deep-inspection

      Log Allowed Traffic

      All Sessions

    2. Configure the other settings as needed and click OK.
To configure a video filter based on FortiGuard categories in the CLI:
  1. Create the video filter profile:
    config videofilter profile
        edit "category_filter"
            config fortiguard-category
                edit 5
                    set action block
                    set category-id 4
                    set log enable
                next
            end
        next
    end 
  2. Create the firewall policy:
    config firewall policy
        edit 10
            set name "client_yt_v4"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set application-list "default"
            set videofilter-profile "category_filter"
            set logtraffic all
            set nat enable
        next
    end
To configure the YouTube API key (optional):
config videofilter youtube-key
    edit 1
        set key ********
        set status enable
    next
end

Verifying that the video is blocked

When a user browses to YouTube and selects a video based in the Knowledge category, a replacement message will appear. This replacement message says the URL is blocked, and displays the URL of the YouTube video. On the FortiGate, verify the forward traffic and web filter logs.

Sample forward traffic log
2: date=2021-04-27 time=15:27:13 eventtime=1619562433424944288 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.11 srcport=60628 srcintf="port2" srcintfrole="undefined" dstip=172.217.3.206 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=8230 proto=6 action="client-rst" policyid=10 policytype="policy" poluuid="a5e991ba-a799-51eb-4efe-ce32b9f70b75" policyname="client_yt_v4" service="HTTPS" trandisp="snat" transip=172.16.200.1 transport=60628 duration=95 sentbyte=3546 rcvdbyte=21653 sentpkt=24 rcvdpkt=34 appcat="unscanned" wanin=2152 wanout=2290 lanin=2000 lanout=2000 utmaction="block" countweb=3 utmref=65532-0
Sample web filter log
1: date=2021-04-27 time=15:25:37 eventtime=1619562338128550236 tz="-0700" logid="0347013664" type="utm" subtype="webfilter" eventtype="videofilter-category" level="warning" vd="vdom1" msg="Video category is blocked." policyid=10 sessionid=8230 srcip=10.1.100.11 dstip=172.217.3.206 srcport=60628 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" action="blocked" videoinfosource="Cache" profile="category_filter" videoid="EAyo3_zJj5c" videocategoryid=4 hostname="www.youtube.com" url="https://www.youtube.com/watch?v=EAyo3_zJj5c"

Troubleshooting and debugging

To verify if the FortiGuard video filtering license is valid:
# get system fortiguard

fortiguard-anycast  : enable
fortiguard-anycast-source: debug
protocol            : https
port                : 443
...
webfilter-license   : Contract
webfilter-expiration: Fri Dec 13 2030
...
videofilter-license : Contract
videofilter-expiration: Fri Dec 13 2030

The videofilter license should be synchronized with the webfilter license.

To verify the WAD worker is running:
# diagnose test app wad 1000
Process [0]: WAD manager type=manager(0) pid=232 diagnosis=yes.
Process [1]: type=worker(2) index=0 pid=294 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
...
Process [6]: type=YouTube-filter-cache-service(9) index=0 pid=290 state=running
              diagnosis=no debug=enable valgrind=unsupported/disabled
...
To display and debug video filter cache:
# diagnose test app wad ?
....
        321:  Display Video Filter Cache stats.
        322:  Reset Video Filter Cache stats.  
        323:  Flush Video Filter Cache entries. 
        324:  Display Video Filter module stats.   
        325:  Request category list from Youtube API.
        326:  Display FTGD agent module stats.      
        327:  Reset FTGD agent module stats.     
        328:  Toggle Video Filter Cache Check.
        329:  Toggle Video Filter FTGD Query.     
        330:  Toggle Video Filter API Check.
To enable real-time WAD debugs:
# diagnose wad debug enable level verbose
# diagnose wad debug enable category video
# diagnose debug enable
Sample output
[p:274][s:8754][r:186] wad_http_req_exec_video_filter_check(167): hreq=0x7f1184f288e0, check video filter check videofilter
[p:274][s:8754][r:186] wad_vf_req_submit(1869): node=0x7f1186694640, ctx=0x7f118502d1f8, youtube_channel_filter_id=0
[p:274][s:8754][r:186] wad_vf_match_pattern_cb(1551): ctx=0x7f118502d1f8 matched type video
[p:274][s:8754][r:186] wad_vf_extract_video_id(297): str='v=EAyo3_zJj5c', start='v=', end='&'
[p:274][s:8754][r:186] wad_vf_extract_video_id(297): str='v=EAyo3_zJj5c', start='v=', end=''
[p:274][s:8754][r:186] wad_vf_extract_video_id(322): video-id: start=2, end=13
[p:274][s:8754][r:186] wad_vf_sync_task_trigger_async_task(1602): extracted vid=EAyo3_zJj5c ctx=0x7f118502d1f8
[p:274][s:8754][r:186] wad_vf_sync_task_trigger_async_task(1622): video filter ctx=0x7f118502d1f8 creates new task=0x7f118657e7a0
[p:274][s:8754][r:186] wad_vfc_client_lookup(159): oid=15194313278609724406
[p:274][s:8754][r:186] wad_vfc_core_lookup(277): youtube-filter-cache core(0x7f11864d2078) found the item!
[p:274][s:8754][r:186] wad_vfc_client_lookup(174): local lookup: ret=0 result=hit, hit_cnt=51
local hit item, item's value:
  oid=15194313278609724406
  vid="EAyo3_zJj5c"
  category="4"
  title="Youtube Data API V3 Video Search Example"
  channel="UCR6d0EiC3G4WA8-Rqji6a8g"
  desc(first 100 characters)="Youtube Data API V3 Video Search Example

Welcome Folks My name is Gautam and Welcome to Coding Shik......"
[p:274][s:8754][r:186] wad_vf_task_proc_cache_resp(1048): vf filter cache hit, item=0x7f116dacc060
[p:274][s:8754][r:186] wad_vf_async_task_run(1491): end of async task ret=0
[p:274][s:8754][r:186] wad_vf_sync_task_proc_async_result(1686): task=0x7f118657e7a0 item=0x7f116dacc060
[p:274][s:8754][r:186] wad_vf_sync_task_proc_async_result(1721): ctx(0x7f118502d1f8) channel UCR6d0EiC3G4WA8-Rqji6a8g not match
[p:274][s:8754][r:186] wad_vf_sync_task_proc_async_result(1733): ctx(0x7f118502d1f8) category result is block
[p:274][s:8754][r:186] wad_vfc_client_add(230): oid=15194313278609724406

Filtering based on FortiGuard categories

Video filtering is only proxy-based and uses the WAD daemon to inspect the video in four phases:

  1. When the WAD receives a video query from a client, it extracts the video ID (vid) and tries to check the category and channel from the local cache.
  2. If there is no match from the local cache, it connects to the FortiGuard video rating server to query the video category.
  3. If the FortiGuard rating fails, it uses the videofilter.youtube-key to communicate with the Google API server to get its category and channel ID. This is the API query setting and it requires the user’s own YouTube API key string. This configuration is optional.
  4. If all steps fail to match the video, the WAD calls on the IPS engine to match the video ID and channel ID from the application signature database.

In the following example, a new video filter profile is created to block the Knowledge category.

Tooltip

In the firewall policy settings, the default application control profile is recommended because it blocks QUIC traffic. Many Google services use the QUIC protocol on UDP/443. By blocking QUIC, YouTube will use standard HTTPS TCP/443 connections.

To configure a video filter based on FortiGuard categories in the GUI:
  1. Create the video filter profile:
    1. Go to Security Profiles > Video Filter and click Create New.
    2. Enter a name (category_filter).
    3. In the FortiGuard Category Based Filter section, set the Knowledge category Action to Block.
    4. Click OK.
  2. Create the firewall policy:
    1. Enter the following:

      Incoming Interface

      port2

      Outgoing Interface

      port1

      Source

      All

      Destination

      All

      Service

      All

      Inspection Mode

      Proxy-based

      NAT

      Enable

      Video Filter

      Enable and select category_filter

      Application Control

      Enable and select default

      SSL Inspection

      deep-inspection

      Log Allowed Traffic

      All Sessions

    2. Configure the other settings as needed and click OK.
To configure a video filter based on FortiGuard categories in the CLI:
  1. Create the video filter profile:
    config videofilter profile
        edit "category_filter"
            config fortiguard-category
                edit 5
                    set action block
                    set category-id 4
                    set log enable
                next
            end
        next
    end 
  2. Create the firewall policy:
    config firewall policy
        edit 10
            set name "client_yt_v4"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set application-list "default"
            set videofilter-profile "category_filter"
            set logtraffic all
            set nat enable
        next
    end
To configure the YouTube API key (optional):
config videofilter youtube-key
    edit 1
        set key ********
        set status enable
    next
end

Verifying that the video is blocked

When a user browses to YouTube and selects a video based in the Knowledge category, a replacement message will appear. This replacement message says the URL is blocked, and displays the URL of the YouTube video. On the FortiGate, verify the forward traffic and web filter logs.

Sample forward traffic log
2: date=2021-04-27 time=15:27:13 eventtime=1619562433424944288 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.11 srcport=60628 srcintf="port2" srcintfrole="undefined" dstip=172.217.3.206 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=8230 proto=6 action="client-rst" policyid=10 policytype="policy" poluuid="a5e991ba-a799-51eb-4efe-ce32b9f70b75" policyname="client_yt_v4" service="HTTPS" trandisp="snat" transip=172.16.200.1 transport=60628 duration=95 sentbyte=3546 rcvdbyte=21653 sentpkt=24 rcvdpkt=34 appcat="unscanned" wanin=2152 wanout=2290 lanin=2000 lanout=2000 utmaction="block" countweb=3 utmref=65532-0
Sample web filter log
1: date=2021-04-27 time=15:25:37 eventtime=1619562338128550236 tz="-0700" logid="0347013664" type="utm" subtype="webfilter" eventtype="videofilter-category" level="warning" vd="vdom1" msg="Video category is blocked." policyid=10 sessionid=8230 srcip=10.1.100.11 dstip=172.217.3.206 srcport=60628 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" action="blocked" videoinfosource="Cache" profile="category_filter" videoid="EAyo3_zJj5c" videocategoryid=4 hostname="www.youtube.com" url="https://www.youtube.com/watch?v=EAyo3_zJj5c"

Troubleshooting and debugging

To verify if the FortiGuard video filtering license is valid:
# get system fortiguard

fortiguard-anycast  : enable
fortiguard-anycast-source: debug
protocol            : https
port                : 443
...
webfilter-license   : Contract
webfilter-expiration: Fri Dec 13 2030
...
videofilter-license : Contract
videofilter-expiration: Fri Dec 13 2030

The videofilter license should be synchronized with the webfilter license.

To verify the WAD worker is running:
# diagnose test app wad 1000
Process [0]: WAD manager type=manager(0) pid=232 diagnosis=yes.
Process [1]: type=worker(2) index=0 pid=294 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
...
Process [6]: type=YouTube-filter-cache-service(9) index=0 pid=290 state=running
              diagnosis=no debug=enable valgrind=unsupported/disabled
...
To display and debug video filter cache:
# diagnose test app wad ?
....
        321:  Display Video Filter Cache stats.
        322:  Reset Video Filter Cache stats.  
        323:  Flush Video Filter Cache entries. 
        324:  Display Video Filter module stats.   
        325:  Request category list from Youtube API.
        326:  Display FTGD agent module stats.      
        327:  Reset FTGD agent module stats.     
        328:  Toggle Video Filter Cache Check.
        329:  Toggle Video Filter FTGD Query.     
        330:  Toggle Video Filter API Check.
To enable real-time WAD debugs:
# diagnose wad debug enable level verbose
# diagnose wad debug enable category video
# diagnose debug enable
Sample output
[p:274][s:8754][r:186] wad_http_req_exec_video_filter_check(167): hreq=0x7f1184f288e0, check video filter check videofilter
[p:274][s:8754][r:186] wad_vf_req_submit(1869): node=0x7f1186694640, ctx=0x7f118502d1f8, youtube_channel_filter_id=0
[p:274][s:8754][r:186] wad_vf_match_pattern_cb(1551): ctx=0x7f118502d1f8 matched type video
[p:274][s:8754][r:186] wad_vf_extract_video_id(297): str='v=EAyo3_zJj5c', start='v=', end='&'
[p:274][s:8754][r:186] wad_vf_extract_video_id(297): str='v=EAyo3_zJj5c', start='v=', end=''
[p:274][s:8754][r:186] wad_vf_extract_video_id(322): video-id: start=2, end=13
[p:274][s:8754][r:186] wad_vf_sync_task_trigger_async_task(1602): extracted vid=EAyo3_zJj5c ctx=0x7f118502d1f8
[p:274][s:8754][r:186] wad_vf_sync_task_trigger_async_task(1622): video filter ctx=0x7f118502d1f8 creates new task=0x7f118657e7a0
[p:274][s:8754][r:186] wad_vfc_client_lookup(159): oid=15194313278609724406
[p:274][s:8754][r:186] wad_vfc_core_lookup(277): youtube-filter-cache core(0x7f11864d2078) found the item!
[p:274][s:8754][r:186] wad_vfc_client_lookup(174): local lookup: ret=0 result=hit, hit_cnt=51
local hit item, item's value:
  oid=15194313278609724406
  vid="EAyo3_zJj5c"
  category="4"
  title="Youtube Data API V3 Video Search Example"
  channel="UCR6d0EiC3G4WA8-Rqji6a8g"
  desc(first 100 characters)="Youtube Data API V3 Video Search Example

Welcome Folks My name is Gautam and Welcome to Coding Shik......"
[p:274][s:8754][r:186] wad_vf_task_proc_cache_resp(1048): vf filter cache hit, item=0x7f116dacc060
[p:274][s:8754][r:186] wad_vf_async_task_run(1491): end of async task ret=0
[p:274][s:8754][r:186] wad_vf_sync_task_proc_async_result(1686): task=0x7f118657e7a0 item=0x7f116dacc060
[p:274][s:8754][r:186] wad_vf_sync_task_proc_async_result(1721): ctx(0x7f118502d1f8) channel UCR6d0EiC3G4WA8-Rqji6a8g not match
[p:274][s:8754][r:186] wad_vf_sync_task_proc_async_result(1733): ctx(0x7f118502d1f8) category result is block
[p:274][s:8754][r:186] wad_vfc_client_add(230): oid=15194313278609724406