Youtube restriction by channel - sort of works

Question

Hi 
 My kids have to use chromebooks as that is what school issue so I am stuck with Chrome browser. 
 
 I setup new web category and added keywords for the channels that they can watch without time restriction 
 and another one for domain. I think when combined it doesn't work so I split it

I had to a couple extra keyword like generate_204 and youtubei

however if my kids keep hitting refresh and retry it eventually allows them through

this is my firewall rule, where traffic with youtube domain it is directed to this FW and goes to the webpolicy

it seems chrome is somehow bypass my firewall or rules are not applied consistently 
 I do have block QUIC enabled 
 I am on firmware SFOS 19.5.2 MR-2-Build624 
 
 thx in advance 
 
 David

cm00001 · Answer

Hello David, 
 Blocking certain parts of YouTube (and not others) is going to be almost impossible . And is basically because of the way YouTube is designed. Each video has a unique identifier (as shown below in red): 
 https://www.youtube.com/watch?v= INZnosVwXJ0 
 This means, there's no rule that can be created to restrict only to videos in a single channel (which I understood is what you want). (I tried doing that from multiple angles in the past, and failed to the point where I control youtube like an on/off switch, is available or is not, but not partially). 
 Even though your first post talks about YouTube channels, what your screenshot showed (The Web Category screen) are actually the unique ids of videos (example " v=65fN_OUawjk "). A playlist link looks more like this: 
 https://www.youtube.com/playlist?list=PLKnm0NFN_gbkq6l_EOZsUFEjPRs0Yg4mT ( Sophos Endpoint Protection). 
 This groups multiple videos in a "list". However, Each video still has its unique ID. If you play any video from the above play list, the URL will look like: 
 Red: Video ID 
 Blue: Playlist ID 
 https://www.youtube.com/watch?v= INZnosVwXJ0 &list= PLKnm0NFN_gbkq6l_EOZsUFEjPRs0Yg4mT 
 Again, using the Playlist ID as the criteria to allow or block content in Sophos does nothing , because a play list is just a group of videos in a list. YouTube does NOT enforce having a Playlist ID in the URL in order to play the videos from the list (or any other videos for that matter). 
 By looking at your screenshot, I think you can be more restrictive on how to block access to youtube (and only allow what you want), which based on experience is only a list of Video IDs (like your first screenshot / first post). 
 In order to do this, I would create a Web Category that looks more like this: 
 
 youtube.com 
 youtu.be 
 www.youtube.com 
 ytimg.com 
 ytimg.l.google.com 
 s.ytimg.com 
 googlevideo.com 
 i.google.com 
 ggpht.com

If you want to be thorough on this, you can check ( YouTube - Domains, IPs and App Information (netify.ai) ), however, what I put above should block the site enough to convert a blocked YouTube experience from this:

To this: 
 
 I can also confirm this rule will work on every device (Android, iOS, Windows, MacOS, etc.), and no matter how many times you try, XG will not let it through.. 
 How you get there? 
 Configure your Web Policy like this (sample):

In the log, the request will look like:

I hope this helps you..