
Youtube restriction by channel - sort of works

Hi

My kids have to use Chromebooks as that is what the school issues, so I am stuck with the Chrome browser.

I set up a new web category and added keywords for the channels that they can watch without time restriction,

and another one for domains. I think when combined it doesn't work, so I split it.

I had to add a couple of extra keywords like generate_204 and youtubei.

However, if my kids keep hitting refresh and retry, it eventually allows them through.

This is my firewall rule, where traffic with the YouTube domain is directed to this FW rule and goes to the web policy.

It seems Chrome is somehow bypassing my firewall, or the rules are not applied consistently.

I do have block QUIC enabled

I am on firmware SFOS 19.5.2 MR-2-Build624

thx in advance

David



  • Hi,

    please change your Source to LAN and Network to the IP address range of the network your children's devices connect to. Also tick logging, and is the rule at the top of your firewall list?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian

    Changed source to LAN and network to the kids' device subnet, but it is still allowing it through if you hit retry a number of times.

    thx

    David

  • Hi,

    thank you for the update. After you made the changes, did the kids' devices perform a restart or were they still connected? Another change is to reduce the port range to HTTP and HTTPS, because "any" will allow the devices to access ports outside the proxy-controlled ports. Also you might try restarting the XG.

    After the above please post a copy of the updated firewall rule and the log entries showing the rule in use.

    Ian

  • Hi

    No device restart, but I did close my browser and restart it.

    Here are some extra observations:

    It is hitting the quota / video host web rule, which should stop the load,

    but if I look at Chrome in developer mode the URL is getting through.

    I already restrict the service to HTTPS only,

    and traffic is hitting that firewall rule.

    thx

    David

  • Hi.

    thank you for the update. Please post the bottom half of that rule.

    Ian

  • Hi,

    in your policy you have a number of items with v=. What does the v= do? It isn't part of the URL, is it?

    Ian

  • Hi Ian

    This is the bottom half of the rule

    As to v=: that is the permitted channel the kids can watch without any quota.

    Only YouTube matching the keyword should be allowed through,

    but as you can see from the previous post, the keyword filter works (sort of), as you get the "connect retry" message, but if you hit refresh enough times Chrome somehow bypasses the keyword filter and loads up the YouTube homepage or a video not in the keyword list.

    thx
    David

  • Hi David,

    You need to tick the other boxes in the web proxy. Also, the v= is in a string field where the string is referenced against the URL; v= is not part of the URL. Do you have IPS enabled using LAN to WAN and application set to allow all?

    The retry succeeds because the browser has found a path to the sites through another rule. Other rules that the kids use need to have a block function for the web sites enabled.

    The HTTPS decrypt only works if you have installed the XG CA on the Chromebooks.

    Ian

    Please read this KBA.

    https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/121482/sophos-firewall-https-decrypt-and-scan-faq

  • Ian

    I have disabled all other rules except allow YouTube

    and enabled all ticks in the web filtering option.

    Yes, I have the man-in-the-middle cert working.

    So now that I have disabled all the rules except YouTube allow,

    nothing goes through; youtubei and the allowed keyword in test show it goes through the right policy,

    but in reality it is blocked by a quota rule, which should not happen.

  • Hi David,

    YouTube is also an application; you will need to enable Application - ALLOW ALL, then create an application filter for YouTube. Then change the ALLOW ALL to your application filter policy.

    Where is your quota set up and how is it applied? It looks like it applies to all.

    Ian

  • Hello David,

    Blocking certain parts of YouTube (and not others) is going to be almost impossible, and that is basically because of the way YouTube is designed. Each video has a unique identifier (the value after v= in the URL below):

    https://www.youtube.com/watch?v=INZnosVwXJ0

    This means there's no rule that can be created to restrict only to videos in a single channel (which I understood is what you want). (I tried doing that from multiple angles in the past, and failed, to the point where I control YouTube like an on/off switch: it is available or it is not, but not partially.)

    Even though your first post talks about YouTube channels, what your screenshot showed (the Web Category screen) are actually the unique IDs of videos (example "v=65fN_OUawjk"). A playlist link looks more like this:

    https://www.youtube.com/playlist?list=PLKnm0NFN_gbkq6l_EOZsUFEjPRs0Yg4mT (Sophos Endpoint Protection).

    This groups multiple videos in a "list". However, each video still has its unique ID. If you play any video from the above playlist, the URL will look like:

    v=: Video ID

    list=: Playlist ID

    https://www.youtube.com/watch?v=INZnosVwXJ0&list=PLKnm0NFN_gbkq6l_EOZsUFEjPRs0Yg4mT

    Again, using the Playlist ID as the criterion to allow or block content in Sophos does nothing, because a playlist is just a group of videos in a list. YouTube does NOT enforce having a Playlist ID in the URL in order to play the videos from the list (or any other videos for that matter).

    By looking at your screenshot, I think you can be more restrictive on how to block access to YouTube (and only allow what you want), which based on experience is only a list of Video IDs (like your first screenshot / first post).

    In order to do this, I would create a Web Category that looks more like this:

    youtube.com

    youtu.be

    www.youtube.com

    ytimg.com

    ytimg.l.google.com

    s.ytimg.com

    googlevideo.com

    i.google.com

    ggpht.com

    If you want to be thorough on this, you can check YouTube - Domains, IPs and App Information (netify.ai); however, what I put above should block the site enough to convert a blocked YouTube experience from this:

    To this:

    I can also confirm this rule will work on every device (Android, iOS, Windows, macOS, etc.), and no matter how many times you try, XG will not let it through.

    How do you get there?

    Configure your Web Policy like this (sample):

    In the log, the request will look like:

    I hope this helps you.
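The post above argues that the v= video ID is the only per-video criterion worth matching on, and that a playlist ID (list=) or a loose keyword cannot stand in for it. The Python script below is an added example, not code from this thread, from Sophos, or from the XG web policy engine: it models that URL-level decision by parsing the request URL, pulling the video ID out of the usual YouTube URL shapes, and allowing only IDs on an explicit list, while treating requests to the media hosts in the domain list above (which carry no v= parameter at all) as undecidable from the URL alone, which is the limitation the poster describes. The video and playlist IDs are the ones quoted in the thread; the /embed/, /shorts/, /v/ and /live/ path forms and the constructed googlevideo.com hostname are assumptions that go beyond what the post shows.

```python
"""Model of a per-video allow-list decision for YouTube URLs.

Added example for this thread; not Sophos code and not the forum poster's
configuration. It shows why the v= video ID is the only reliable per-video
criterion and why a playlist ID or a plain keyword is not.
"""
from urllib.parse import parse_qs, urlsplit

# Page hosts: the URL carries the video ID (as v= or as a path segment).
PAGE_DOMAINS = ("youtube.com", "youtu.be")

# Media and thumbnail hosts from the post's domain list. Requests to them
# never carry the v= ID, so a URL rule cannot tell an allowed video's
# stream from any other; only the page-level request can be judged.
MEDIA_DOMAINS = ("ytimg.com", "ytimg.l.google.com", "googlevideo.com",
                 "i.google.com", "ggpht.com")

# Path shapes that carry the ID instead of v=. Assumption: these are common
# YouTube URL forms, not something shown in the thread.
ID_PATH_PREFIXES = ("/embed/", "/shorts/", "/v/", "/live/")


def _host_in(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def extract_video_id(url):
    """Return the video ID from a YouTube page URL, or None if absent."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not _host_in(host, PAGE_DOMAINS):
        return None
    path = parts.path or "/"
    if _host_in(host, ("youtu.be",)):
        vid = path.strip("/").split("/", 1)[0]  # https://youtu.be/<id>
        return vid or None
    query = parse_qs(parts.query)
    if query.get("v") and query["v"][0]:
        return query["v"][0]  # /watch?v=<id>[&list=...]
    for prefix in ID_PATH_PREFIXES:
        if path.startswith(prefix):
            vid = path[len(prefix):].split("/", 1)[0]
            return vid or None
    return None  # homepage, search, playlist page, channel page, ...


def decide(url, allowed_video_ids):
    """Classify one request URL against a set of allowed video IDs.

    'allow'        allow-listed video page
    'block'        any other YouTube page (homepage, search, other videos,
                   playlist pages); list= is ignored on purpose because
                   YouTube does not require it to play a video
    'no-id-in-url' media/thumbnail host: the URL cannot be judged per video
    'not-youtube'  leave to other rules
    """
    host = urlsplit(url).hostname
    if _host_in(host, MEDIA_DOMAINS):
        return "no-id-in-url"
    if not _host_in(host, PAGE_DOMAINS):
        return "not-youtube"
    return "allow" if extract_video_id(url) in allowed_video_ids else "block"


def keyword_match(url, keywords):
    """The substring-style keyword check the thread relies on, for contrast."""
    return any(k in url for k in keywords)


if __name__ == "__main__":
    allowed = {"INZnosVwXJ0"}  # the video ID quoted in the post
    playlist = "PLKnm0NFN_gbkq6l_EOZsUFEjPRs0Yg4mT"  # playlist ID from the post
    # Constructed request URLs built from the IDs above.
    sample_urls = [
        "https://www.youtube.com/watch?v=INZnosVwXJ0",
        "https://www.youtube.com/watch?v=INZnosVwXJ0&list=" + playlist,
        "https://youtu.be/INZnosVwXJ0",
        "https://www.youtube.com/watch?v=65fN_OUawjk&list=" + playlist,
        "https://www.youtube.com/playlist?list=" + playlist,
        "https://www.youtube.com/",
        "https://example-node.googlevideo.com/videoplayback?id=constructed",
    ]
    for u in sample_urls:
        # A keyword built from the playlist ID would pass every video in it.
        kw = keyword_match(u, ["list=" + playlist])
        print(f"{decide(u, allowed):13} keyword(list=)={kw!s:5} {u}")
```

Running the script shows the two points the poster makes: the second allowed URL and the 65fN_OUawjk URL both match a "list=" keyword, yet only the first is an allowed video, and the googlevideo.com request cannot be judged from its URL at all, so a URL-layer allow-list can gate the page but not, on its own, the media that plays it.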