Administration Guide

Filtering based on FortiGuard categories

Video filtering is supported only in proxy-based inspection. The WAD daemon inspects the video in four phases:

  1. When the WAD receives a video query from a client, it extracts the video ID (vid) and tries to check the category and channel from the local cache.
  2. If there is no match from the local cache, it connects to the FortiGuard video rating server to query the video category.
  3. If the FortiGuard rating fails, it uses the videofilter.youtube-key to communicate with the Google API server to get its category and channel ID. This is the API query setting and it requires the user’s own YouTube API key string. This configuration is optional.
  4. If all steps fail to match the video, the WAD calls on the IPS engine to match the video ID and channel ID from the application signature database.

Note: The FortiGuard anycast service must be enabled to use this feature.

In this example, a new video filter profile is created to block the Knowledge category.

Note: It is recommended to block the QUIC protocol in application control profiles while applying video filter profiles (see Blocking QUIC manually). By default, FortiOS can only inspect QUIC traffic in HTTP3 in flow mode, and video filtering only operates in proxy mode. By explicitly blocking QUIC in application control, video traffic utilizing the QUIC protocol on UDP/443 will revert to TCP/443 without QUIC, allowing the FortiGate to successfully inspect the traffic.

To configure a video filter based on FortiGuard categories in the GUI:
  1. Create the video filter profile:
    1. Go to Security Profiles > Video Filter, select the Video Filter Profile tab, and click Create new.
    2. Enter a name (category_filter).
    3. Create the filter:
      1. In the Filters table, click Create new.
      2. Set the Type to Category.
      3. Set the Action to Block.
      4. Set the Category to Knowledge.
      5. Click OK to save the filter.
    4. Click OK to save the video filter profile.
  2. Create the firewall policy:
    1. Enter the following:

      Field                  Value
      Incoming Interface     port2
      Outgoing Interface     port1
      Source                 All
      Destination            All
      Service                All
      Inspection Mode        Proxy-based
      NAT                    Enable
      Video Filter           Enable and select category_filter
      Application Control    Enable and select default
      SSL Inspection         deep-inspection
      Log Allowed Traffic    All Sessions

    2. Configure the other settings as needed and click OK.
To configure a video filter based on FortiGuard categories in the CLI:
  1. Create the video filter profile:
    config videofilter profile
        edit "category_filter"
            config filters
                edit 1
                    set type category
                    set category "4"
                    set action block
                    set log enable
                next
            end
        next
    end
  2. Create the firewall policy:
    config firewall policy
        edit 10
            set name "client_yt_v4"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set application-list "default"
            set videofilter-profile "category_filter"
            set logtraffic all
            set nat enable
        next
    end

Verifying that the video is blocked

When a user browses to YouTube and selects a video in the Knowledge category, a replacement message appears (see Example 3: blocking the video based on FortiGuard category on YouTube for an example replacement message). On the FortiGate, verify the forward traffic and web filter logs.

Sample forward traffic log:
2: date=2023-12-05 time=09:05:32 eventtime=1701796727673178582 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.11 srcport=50568 srcintf="port2" srcintfrole="undefined" dstip=142.251.179.93 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="United States" dstcountry="United States" sessionid=480384 proto=6 action="client-rst" policyid=1 policytype="policy" poluuid="f4fe48a4-938c-51ee-8856-3e84e3b24af4" policyname="client_yt_v4" service="HTTPS" trandisp="snat" transip=172.16.200.1 transport=50568 appcat="unknown" applist="default" duration=821 sentbyte=303404 rcvdbyte=3601568 sentpkt=1824 rcvdpkt=2688 wanin=3493278 wanout=201892 lanin=126344 lanout=3493868 utmaction="block" countweb=2 countapp=3 sentdelta=0 rcvddelta=0 utmref=65514-4674
Sample web filter log:
1: date=2023-12-05 time=09:05:37 eventtime=1701795937361806440 tz="-0800" logid="0347013664" type="utm" subtype="webfilter" eventtype="videofilter-category" level="warning" vd="root" msg="Video category is blocked." policyid=1 poluuid="f4fe48a4-938c-51ee-8856-3e84e3b24af4" sessionid=480384 srcip=10.1.100.11 dstip=142.251.179.93 srcport=50568 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 httpmethod="POST" service="HTTPS" action="blocked" videoinfosource="FortiGuard" profile="category_filter" videoid="hG-rVFM62J4" videocategoryid=4 videocategoryname="Knowledge" hostname="www.youtube.com" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" referralurl="https://www.youtube.com/results?search_query=udemy" url="https://www.youtube.com/youtubei/v1/player?key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8&prettyPrint=false"
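
The two logs above share a sessionid, so a block can be confirmed by joining the video filter event to its forward traffic log. The following is an added example, not part of the original guide or Fortinet code: the function names are hypothetical, the first two sample lines are the logs above trimmed to the fields used (with the URL key replaced by a placeholder), and the third line is constructed.

```python
import re

# FortiGate logs are key=value pairs; values are "quoted" (may hold spaces
# or '=' characters, e.g. URLs) or bare tokens.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Turn one log line into a dict of its fields."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def blocked_videos(lines):
    """Join video filter block events to forward traffic logs by sessionid."""
    traffic, events = {}, []
    for rec in map(parse, lines):
        if rec.get("type") == "traffic" and rec.get("subtype") == "forward":
            traffic[rec["sessionid"]] = rec
        elif (rec.get("eventtype", "").startswith("videofilter")
              and rec.get("action") == "blocked"):
            events.append(rec)
    report = []
    for ev in events:
        # The session's traffic log may be missing from the batch examined.
        sess = traffic.get(ev["sessionid"], {})
        report.append({
            "srcip": ev["srcip"],
            "videoid": ev["videoid"],
            "category": ev.get("videocategoryname"),
            "source": ev.get("videoinfosource"),
            "profile": ev.get("profile"),
            "policyname": sess.get("policyname"),
            "session_confirms_block": sess.get("utmaction") == "block",
        })
    return report

# The page's two sample logs, trimmed to the fields used here, plus one
# constructed event (sessionid 999999) that has no traffic log.
SAMPLE = [
    'type="traffic" subtype="forward" srcip=10.1.100.11 sessionid=480384 '
    'action="client-rst" policyname="client_yt_v4" utmaction="block"',
    'type="utm" subtype="webfilter" eventtype="videofilter-category" '
    'msg="Video category is blocked." sessionid=480384 srcip=10.1.100.11 '
    'action="blocked" videoinfosource="FortiGuard" profile="category_filter" '
    'videoid="hG-rVFM62J4" videocategoryid=4 videocategoryname="Knowledge" '
    'url="https://www.youtube.com/youtubei/v1/player?key=PLACEHOLDER&prettyPrint=false"',
    'type="utm" subtype="webfilter" eventtype="videofilter-category" '
    'sessionid=999999 srcip=10.1.100.12 action="blocked" '
    'videoinfosource="FortiGuard" profile="category_filter" '
    'videoid="CONSTRUCTED01" videocategoryid=4 videocategoryname="Knowledge"',
]

if __name__ == "__main__":
    for row in blocked_videos(SAMPLE):
        print(row)
```

A row with session_confirms_block set to False means the video filter event has no matching traffic log with utmaction="block" in the input, which is worth checking against the policy's logging settings.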

Troubleshooting and debugging

To verify if the FortiGuard video filtering license is valid:
# get system fortiguard

fortiguard-anycast  : enable
fortiguard-anycast-source: fortinet
protocol            : https
port                : 443
...
webfilter-license   : Contract
webfilter-expiration: Mon Oct 28 2024
...
To verify the WAD worker is running:
# diagnose test app wad 1000
Process [0]: WAD manager type=manager(0) pid=232 diagnosis=yes.
Process [1]: type=worker(2) index=0 pid=294 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
...
Process [6]: type=YouTube-filter-cache-service(9) index=0 pid=290 state=running
              diagnosis=no debug=enable valgrind=unsupported/disabled
...
To display and debug video filter cache:
# diagnose test app wad ?
....
        321:  Display Video Filter Cache stats.
        322:  Reset Video Filter Cache stats.  
        323:  Flush Video Filter Cache entries. 
        324:  Display Video Filter module stats.   
        325:  Request category list from Youtube API.
        326:  Display FTGD agent module stats.      
        327:  Reset FTGD agent module stats.     
        328:  Toggle Video Filter Cache Check.
        329:  Toggle Video Filter FTGD Query.     
        330:  Toggle Video Filter API Check.
To enable real-time WAD debugs:
# diagnose wad debug enable level verbose
# diagnose wad debug enable category video
# diagnose debug enable
Sample output:
[p:274][s:8754][r:186] wad_http_req_exec_video_filter_check(167): hreq=0x7f1184f288e0, check video filter check videofilter
[p:274][s:8754][r:186] wad_vf_req_submit(1869): node=0x7f1186694640, ctx=0x7f118502d1f8, youtube_channel_filter_id=0
[p:274][s:8754][r:186] wad_vf_match_pattern_cb(1551): ctx=0x7f118502d1f8 matched type video
[p:274][s:8754][r:186] wad_vf_extract_video_id(297): str='v=EAyo3_zJj5c', start='v=', end='&'
[p:274][s:8754][r:186] wad_vf_extract_video_id(297): str='v=EAyo3_zJj5c', start='v=', end=''
[p:274][s:8754][r:186] wad_vf_extract_video_id(322): video-id: start=2, end=13
[p:274][s:8754][r:186] wad_vf_sync_task_trigger_async_task(1602): extracted vid=EAyo3_zJj5c ctx=0x7f118502d1f8
[p:274][s:8754][r:186] wad_vf_sync_task_trigger_async_task(1622): video filter ctx=0x7f118502d1f8 creates new task=0x7f118657e7a0
[p:274][s:8754][r:186] wad_vfc_client_lookup(159): oid=15194313278609724406
[p:274][s:8754][r:186] wad_vfc_core_lookup(277): youtube-filter-cache core(0x7f11864d2078) found the item!
[p:274][s:8754][r:186] wad_vfc_client_lookup(174): local lookup: ret=0 result=hit, hit_cnt=51
local hit item, item's value:
  oid=15194313278609724406
  vid="EAyo3_zJj5c"
  category="4"
  title="Youtube Data API V3 Video Search Example"
  channel="UCR6d0EiC3G4WA8-Rqji6a8g"
  desc(first 100 characters)="Youtube Data API V3 Video Search Example

Welcome Folks My name is Kiki and Welcome to Coding Shik......"
[p:274][s:8754][r:186] wad_vf_task_proc_cache_resp(1048): vf filter cache hit, item=0x7f116dacc060
[p:274][s:8754][r:186] wad_vf_async_task_run(1491): end of async task ret=0
[p:274][s:8754][r:186] wad_vf_sync_task_proc_async_result(1686): task=0x7f118657e7a0 item=0x7f116dacc060
[p:274][s:8754][r:186] wad_vf_sync_task_proc_async_result(1721): ctx(0x7f118502d1f8) channel UCR6d0EiC3G4WA8-Rqji6a8g not match
[p:274][s:8754][r:186] wad_vf_sync_task_proc_async_result(1733): ctx(0x7f118502d1f8) category result is block
[p:274][s:8754][r:186] wad_vfc_client_add(230): oid=15194313278609724406
