Filtering based on YouTube channel

Video filtering can be configured to filter specific YouTube channels. When a video matches a YouTube channel, the video will take the corresponding action of allow, monitor, or block. Video filtering is only supported in proxy-based inspection mode, and deep inspection must be enabled in the firewall policy.

By default, when the FortiGuard category-based filter and YouTube channel override are used together, a video will be blocked if it matches either category or YouTube channel and the action is set to block.

The override-category option allows the channel action to override the category action. A category can be blocked, but certain channels in that category can be allowed when the override-category option is enabled (see Configuration with YouTube channel override).

Identifying the YouTube channel ID

The following table lists how to identify the YouTube channel ID based on different YouTube video URLs formats:

Video URL	Channel ID
www.youtube.com/channel/<channel-id>	<channel-id> indicates the ID for the channel.
www.youtube.com/user/<user-id>	Open the page source and locate: <meta itemprop="channelId" content="<channel-id>"> <channel-id> indicates the channel ID for the user page.
www.youtube.com/watch?v=<string>	Open the page source and locate: <meta itemprop="channelId" content="<channel-id>"> <channel-id> indicates the channel ID for the video.

Video URL

Channel ID

www.youtube.com/channel/<channel-id>

<channel-id> indicates the ID for the channel.

www.youtube.com/user/<user-id>

Open the page source and locate:

<meta itemprop="channelId" content="<channel-id>">

<channel-id> indicates the channel ID for the user page.

www.youtube.com/watch?v=<string>

Open the page source and locate:

<meta itemprop="channelId" content="<channel-id>">

<channel-id> indicates the channel ID for the video.

In a YouTube channel filter profile, the default action is set to monitor when there is no match. Logging is also disabled by default.

config videofilter youtube-channel-filter
    edit <id>
        set default-action {block | monitor | allow}
        set log {enable | disable}
    next
end

Basic configuration

In the following example, the Fortinet YouTube channel ID (UCJHo4AuVomwMRzgkA5DQEOA) is blocked, and the video filter is applied to a policy.

To configure a video filter based on a YouTube channel in the GUI:

Go to Security Profiles > Video Filter and click Create New.
In the Channel override list section, click Create New. The New Channel Override Entry pane opens.
1. Enter the Channel ID (UCJHo4AuVomwMRzgkA5DQEOA) and for Action, select Block.
2. Click OK.
Click OK.
Configure the firewall policy:
1. Go to Policy & Objects > Firewall Policy and click Create New.
2. For Inspection Mode, select Proxy-based.
3. Enable Video Filter and select the profile you created.
4. For SSL Inspection, select deep-inspection.
5. Configure the other settings as needed and click OK.

To configure a video filter based on a YouTube channel in the CLI:

Configure the channel filter:

config videofilter youtube-channel-filter
    edit 1
        set name "channel_filter"
        set default-action monitor
        set log enable
        config entries
            edit 1
                set action block
                set channel-id "UCJHo4AuVomwMRzgkA5DQEOA"
            next
        end
    next
end

Configure the video filter profile:

config videofilter profile
    edit "channel_filter"
        set youtube-channel-filter 1
    next 
end

Configure the firewall policy:

config firewall policy
    edit 1
        set name "video-filter"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set videofilter-profile "channel_filter"
        set nat disable
    next
end

Configuration with YouTube channel override

In this example, all categories in the video filter are configured to be blocked. The YouTube channel filter list is configured with override-category enabled, which effectively creates an allowlist. The channel UCR6d0EiC3G4WA8-Rqji6a8g is allowed.

To configure YouTube channel override:

Configure the YouTube channel filter:

config videofilter youtube-channel-filter
    edit 1
        set name "vf1"
        set default-action monitor
        config entries
            edit 1
                set comment "https://www.youtube.com/watch_v=EAyo3_zJj5c"
                set action allow
                set channel-id "UCR6d0EiC3G4WA8-Rqji6a8g"
            next
        end
        set override-category enable
        set log enable
    next
end

Configure the video filter profile:

config videofilter profile
    edit "channel_filter_override"
        set youtube-channel-filter 1
        config fortiguard-category
            config filters
                edit 1
                    set action block
                    set log enable
                next
                edit 2
                    set action block
                    set category-id 1
                    set log enable
                next
                edit 3
                    set action block
                    set category-id 2
                    set log enable
                next
                edit 4
                    set action block
                    set category-id 3
                    set log enable
                next
                edit 5
                    set action block
                    set category-id 4
                    set log enable
                next
                edit 6
                    set action block
                    set category-id 5
                    set log enable
                next
                edit 7
                    set action block
                    set category-id 6
                    set log enable
                next
                edit 8
                    set action block
                    set category-id 7
                    set log enable
                next
                edit 9
                    set action block
                    set category-id 8
                    set log enable
                next
                edit 10
                    set action block
                    set category-id 9
                    set log enable
                next
                edit 11
                    set action block
                    set category-id 10
                    set log enable
                next
            end
        end
    next
end

Configure the firewall policy:

config firewall policy
    edit 10
        set name "client_yt_v4"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set profile-protocol-options "proxy"
        set ssl-ssh-profile "custom-deep-inspection"
        set videofilter-profile "channel_filter_override"
        set logtraffic all
        set nat enable
    next
end

Verify the logs. The category action is set to block and the channel action is set to allow, so video access is allowed:

30: date=2022-05-27 time=13:40:13 eventtime=1653684013375716267 tz="-0700" logid="0348013682" type="utm" subtype="webfilter" eventtype="videofilter-channel" level="notice" vd="vdom1" msg="Video channel is allowed." policyid=10 sessionid=69958 srcip=10.1.100.11 dstip=142.251.33.78 srcport=42542 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" action="passthrough" videoinfosource="API" profile="channel_filter_override" videoid="EAyo3_zJj5c" videochannelid="UCR6d0EiC3G4WA8-Rqji6a8g" hostname="www.youtube.com" url="https://www.youtube.com/watch?v=EAyo3_zJj5c"

If the category action is changed to allow and the channel action is changed to block, the video access would be blocked.

Filtering based on YouTube channel

Identifying the YouTube channel ID

The following table lists how to identify the YouTube channel ID based on different YouTube video URLs formats:

Video URL	Channel ID
www.youtube.com/channel/<channel-id>	<channel-id> indicates the ID for the channel.
www.youtube.com/user/<user-id>	Open the page source and locate: <meta itemprop="channelId" content="<channel-id>"> <channel-id> indicates the channel ID for the user page.
www.youtube.com/watch?v=<string>	Open the page source and locate: <meta itemprop="channelId" content="<channel-id>"> <channel-id> indicates the channel ID for the video.

Video URL

Channel ID

www.youtube.com/channel/<channel-id>

<channel-id> indicates the ID for the channel.

www.youtube.com/user/<user-id>

Open the page source and locate:

<meta itemprop="channelId" content="<channel-id>">

<channel-id> indicates the channel ID for the user page.

www.youtube.com/watch?v=<string>

Open the page source and locate:

<meta itemprop="channelId" content="<channel-id>">

<channel-id> indicates the channel ID for the video.

In a YouTube channel filter profile, the default action is set to monitor when there is no match. Logging is also disabled by default.

config videofilter youtube-channel-filter
    edit <id>
        set default-action {block | monitor | allow}
        set log {enable | disable}
    next
end

Basic configuration

In the following example, the Fortinet YouTube channel ID (UCJHo4AuVomwMRzgkA5DQEOA) is blocked, and the video filter is applied to a policy.

To configure a video filter based on a YouTube channel in the GUI:

Go to Security Profiles > Video Filter and click Create New.
In the Channel override list section, click Create New. The New Channel Override Entry pane opens.
1. Enter the Channel ID (UCJHo4AuVomwMRzgkA5DQEOA) and for Action, select Block.
2. Click OK.
Click OK.
Configure the firewall policy:
1. Go to Policy & Objects > Firewall Policy and click Create New.
2. For Inspection Mode, select Proxy-based.
3. Enable Video Filter and select the profile you created.
4. For SSL Inspection, select deep-inspection.
5. Configure the other settings as needed and click OK.

To configure a video filter based on a YouTube channel in the CLI:

Configure the channel filter:

config videofilter youtube-channel-filter
    edit 1
        set name "channel_filter"
        set default-action monitor
        set log enable
        config entries
            edit 1
                set action block
                set channel-id "UCJHo4AuVomwMRzgkA5DQEOA"
            next
        end
    next
end

Configure the video filter profile:

config videofilter profile
    edit "channel_filter"
        set youtube-channel-filter 1
    next 
end

Configure the firewall policy:

config firewall policy
    edit 1
        set name "video-filter"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set videofilter-profile "channel_filter"
        set nat disable
    next
end

Configuration with YouTube channel override

To configure YouTube channel override:

Configure the YouTube channel filter:

config videofilter youtube-channel-filter
    edit 1
        set name "vf1"
        set default-action monitor
        config entries
            edit 1
                set comment "https://www.youtube.com/watch_v=EAyo3_zJj5c"
                set action allow
                set channel-id "UCR6d0EiC3G4WA8-Rqji6a8g"
            next
        end
        set override-category enable
        set log enable
    next
end

Configure the video filter profile:

config videofilter profile
    edit "channel_filter_override"
        set youtube-channel-filter 1
        config fortiguard-category
            config filters
                edit 1
                    set action block
                    set log enable
                next
                edit 2
                    set action block
                    set category-id 1
                    set log enable
                next
                edit 3
                    set action block
                    set category-id 2
                    set log enable
                next
                edit 4
                    set action block
                    set category-id 3
                    set log enable
                next
                edit 5
                    set action block
                    set category-id 4
                    set log enable
                next
                edit 6
                    set action block
                    set category-id 5
                    set log enable
                next
                edit 7
                    set action block
                    set category-id 6
                    set log enable
                next
                edit 8
                    set action block
                    set category-id 7
                    set log enable
                next
                edit 9
                    set action block
                    set category-id 8
                    set log enable
                next
                edit 10
                    set action block
                    set category-id 9
                    set log enable
                next
                edit 11
                    set action block
                    set category-id 10
                    set log enable
                next
            end
        end
    next
end

Configure the firewall policy:

config firewall policy
    edit 10
        set name "client_yt_v4"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set profile-protocol-options "proxy"
        set ssl-ssh-profile "custom-deep-inspection"
        set videofilter-profile "channel_filter_override"
        set logtraffic all
        set nat enable
    next
end

Verify the logs. The category action is set to block and the channel action is set to allow, so video access is allowed:

30: date=2022-05-27 time=13:40:13 eventtime=1653684013375716267 tz="-0700" logid="0348013682" type="utm" subtype="webfilter" eventtype="videofilter-channel" level="notice" vd="vdom1" msg="Video channel is allowed." policyid=10 sessionid=69958 srcip=10.1.100.11 dstip=142.251.33.78 srcport=42542 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" action="passthrough" videoinfosource="API" profile="channel_filter_override" videoid="EAyo3_zJj5c" videochannelid="UCR6d0EiC3G4WA8-Rqji6a8g" hostname="www.youtube.com" url="https://www.youtube.com/watch?v=EAyo3_zJj5c"

If the category action is changed to allow and the channel action is changed to block, the video access would be blocked.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

Filtering based on YouTube channel

Filtering based on YouTube channel

Identifying the YouTube channel ID

Basic configuration

To configure a video filter based on a YouTube channel in the GUI:

To configure a video filter based on a YouTube channel in the CLI:

Configuration with YouTube channel override

To configure YouTube channel override:

Filtering based on YouTube channel

Filtering based on YouTube channel

Identifying the YouTube channel ID

Basic configuration

To configure a video filter based on a YouTube channel in the GUI: