How To Block Youtube 2

The document outlines three solutions to block YouTube: URL filtering with SSL inspection, DNS snooping, and using the YouTube app with an SSL proxy. Each solution includes step-by-step configurations and considerations for effective blocking, emphasizing the need for SSL inspection due to YouTube's HTTPS nature. It also suggests combining solutions for enhanced effectiveness and provides logging commands to verify the blocking status.

Uploaded by

itzfpl

How To Block Youtube

Generally there are three solutions to block YouTube. You can select one of them; in some special scenarios a single solution may not block everything you want, in which case we suggest deploying two or three of the solutions at the same time and testing again to see the effect.

Solution1: URL filtering + SSL inspection
Solution2: DNS Snooping
Solution3: YouTube APP + SSL proxy

The following tests are based on E1100 5.5R5P7.

Solution1: URL filtering + SSL inspection

1. Create a URL filtering template by the following steps.

Here, remember to enable the SSL inspection function, since YouTube is an HTTPS website and the URL can only be filtered after the traffic is decrypted.
We suggest adding three URLs together to block the YouTube page: www.youtube.com, youtube.com, *.youtube.com.

2. Enable the URL filter template in a policy.

Here, the policy action needs to be “permit”.
3. Browse YouTube from the client; it is blocked.

Note:
If YouTube was opened on the client PC earlier, clear the browser cache and then test again to see the result. If the client PC is rebooted, only part of the cache expires, so partial YouTube page content may still be shown if the cache is not cleared manually, but YouTube cannot connect properly.

4. Check the firewall URL filter logs.

SG-6000(config)# show logging traffic urlfilter

Total: 8
2019-03-31 10:30:21, INFO@FLOW: WEB: IP 192.168.200.200:51225(10.88.16.239:51225)->172.217.6.78:443(172.217.6.78:443), user -, vrouter trust-vr, url https://www.youtube.com, category youtube, method GET, action block, reason URLDB
2019-03-31 10:30:21, INFO@FLOW: WEB: IP 192.168.200.200:51224(10.88.16.239:51224)->172.217.6.78:443(172.217.6.78:443), user -, vrouter trust-vr, url https://www.youtube.com, category youtube, method GET, action block, reason URLDB

Solution2: DNS Snooping

This solution requires that the DNS packets pass through the Hillstone device.
Note:
Currently YouTube and some other Google services share the same server IPs, so this solution may block part of those Google services together with YouTube.

1. Do the following configuration on StoneOS.

address "youtube"
host "*.youtube.com" vr "trust-vr"
host "*.googlevideo.com" vr "trust-vr"
exit
//match the two typical domain names by wildcard; “*.googlevideo.com” matches the video traffic

rule id 4
action permit
src-zone "Any"
dst-zone "Any"
src-addr "Any"
dst-addr "Any"
service "DNS" //This policy is to allow DNS packet
exit
rule id 3
action deny
log policy-deny //enable logs function
log session-start
log session-end
src-zone "Any"
dst-zone "Any"
src-addr "Any"
dst-addr "youtube" // Deny the YouTube destination IPs learned by the DNS snooping function
service "Any"
exit
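The mechanism behind this configuration is that the firewall watches DNS answers for names covered by the wildcard hosts in the "youtube" address object, collects the returned IPs, and then rule 3 denies any session to one of those IPs while rule 4 keeps DNS itself permitted so the answers can still be observed. The following Python model of that behaviour is an added example, not StoneOS code or anything from Hillstone; the class and function names, the constructed DNS answers and the injectable clock are assumptions, and the entry lifetime is taken from the "TTL value: 86400 seconds" line of the snooping output on the assumption that the cache ages every entry by that value. The `matching_wildcard` helper also shows why Solution 1 lists youtube.com separately from *.youtube.com: the wildcard does not cover the bare apex name.

```python
"""Model of DNS-response snooping feeding a deny policy (added example, not StoneOS code)."""
import fnmatch
import time
from collections import defaultdict

# address "youtube" from the configuration above
WILDCARD_HOSTS = ["*.youtube.com", "*.googlevideo.com"]
# "TTL value: 86400 seconds" from the snooping output; assumed here to be the
# lifetime of every snooped entry (the real cache's aging rule may differ)
SNOOP_TTL = 86400


class DnsSnoopCache:
    def __init__(self, wildcards, ttl=SNOOP_TTL, now=time.time):
        self.wildcards = [w.lower() for w in wildcards]
        self.ttl = ttl
        self.now = now  # injectable clock so aging can be tested offline
        # wildcard -> resolved name -> {ip: expiry}
        self.entries = defaultdict(lambda: defaultdict(dict))

    def matching_wildcard(self, qname):
        """Return the wildcard host covering qname, or None.
        '*.youtube.com' covers www.youtube.com and m.youtube.com but not the
        bare apex youtube.com, which is why Solution 1 lists it separately."""
        q = qname.lower().rstrip(".")
        for w in self.wildcards:
            if fnmatch.fnmatchcase(q, w):
                return w
        return None

    def snoop(self, qname, rtype, ip):
        """Learn an A record seen in a DNS response; returns True if it was cached."""
        if rtype != "A":
            return False
        w = self.matching_wildcard(qname)
        if w is None:
            return False
        self.entries[w][qname.lower().rstrip(".")][ip] = self.now() + self.ttl
        return True

    def addresses(self):
        """Unexpired IPs currently behind the address object; expired ones are dropped."""
        now = self.now()
        live = set()
        for names in self.entries.values():
            for ips in names.values():
                for ip, expiry in list(ips.items()):
                    if expiry > now:
                        live.add(ip)
                    else:
                        del ips[ip]
        return live


def policy_action(cache, dst_ip, service):
    """Evaluate the two rules in the order shown above: rule 4, then rule 3."""
    if service == "DNS":               # rule id 4: permit DNS so responses keep flowing
        return "permit"
    if dst_ip in cache.addresses():    # rule id 3: deny learned YouTube/googlevideo IPs
        return "deny"
    return "permit"                    # no other rule is shown for remaining traffic


if __name__ == "__main__":
    cache = DnsSnoopCache(WILDCARD_HOSTS)
    # constructed DNS answers in the shape of the snooping table
    cache.snoop("www.youtube.com", "A", "172.217.6.78")
    cache.snoop("r3---sn-n4v7sn7z.googlevideo.com", "A", "74.125.170.217")
    # constructed: another Google service answered with the same IP as www.youtube.com
    cache.snoop("www.google.com", "A", "172.217.6.78")
    for dst in ("172.217.6.78", "74.125.170.217", "8.8.8.8"):
        print(dst, policy_action(cache, dst, "HTTPS"))
    # 172.217.6.78 is denied even for the client that wanted www.google.com:
    # this is the side effect the note above warns about
```

Because the deny decision is keyed on IP rather than on hostname, any other service that shares a learned IP is denied as well; that is the trade-off the note above describes, and it is the reason DNS must traverse the firewall, since an answer that is not seen never enters the cache.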

2. Make sure the DNS server setting is working on Hillstone (you can ping an internet domain such as www.google.com from Hillstone).

3. Browse YouTube from the client; you will find YouTube is blocked.
4. Check the translated IPs of YouTube with the command <show ip dns-resp-snooping> or <show dns-address>.

SG-6000# show ip dns-resp-snooping (this command is supported by earlier R versions)


Dns response packet snooping config:
======================================================================
Packet limit: 0
TTL value: 86400 seconds
Specific domain snooping: Disabled
======================================================================

Cached entries of wildcard domain:

Total:4
======================================================================
Wildcard domain    NAME                Age    RR_TYPE  Address          VR
--------------------------------------------------------------------------------
*.youtube.com      www.youtube.com     85225  A        172.217.0.46     trust-vr
                                                       172.217.5.110
                                                       172.217.6.78
                                                       172.217.164.110
                                                       216.58.192.14
                                                       216.58.194.174
                                                       216.58.195.78
                                                       216.58.195.238
                                       84611  A        172.217.0.46     trust-vr
                                                       172.217.5.110
                                                       172.217.6.78
                                                       172.217.164.110
                                                       216.58.194.174
                                                       216.58.195.78
                                                       216.58.195.238
*.googlevideo.com  r3---sn-n4v7sn7z~   85004  A        74.125.170.217   trust-vr
                   r5---sn-a5mekne7~   85462  A        74.125.166.139   trust-vr
                   r2---sn-hp57yne6~   83500  A        172.217.128.72   trust-vr
======================================================================
SG-6000#

5. Check the deny logs.

Here, the command <logging traffic session on> needs to be enabled in advance.

SG-6000# show logging traffic session

Total: 14
2019-04-01 11:07:03, INFO@FLOW: SESSION: 192.168.200.200:64079->216.58.195.78:443(TCP), interface ethernet0/0, vr trust-vr, policy 3, user -@-, host -, session deny
2019-04-01 11:07:03, INFO@FLOW: SESSION: 192.168.200.200:64078->216.58.195.78:443(TCP), interface ethernet0/0, vr trust-vr, policy 3, user -@-, host -, session deny
2019-04-01 11:07:02, INFO@FLOW: SESSION: 192.168.200.200:64075->172.217.5.110:443(TCP), interface ethernet0/0, vr trust-vr, policy 3, user -@-, host -, session deny
2019-04-01 11:07:01, INFO@FLOW: SESSION: 192.168.200.200:64074->172.217.5.110:443(TCP), interface ethernet0/0, vr trust-vr, policy 3, user -@-, host -, session deny
2019-04-01 11:06:59, INFO@FLOW: SESSION: 192.168.200.200:64080->172.217.5.110:443(TCP), interface ethernet0/0, vr trust-vr, policy 3, user -@-, host -, session deny

Solution3: YouTube APP + SSL proxy

For this solution, if the client is already browsing a web page or watching a video when the policy is enabled, the running service on the client may not be blocked successfully because of the application identification mechanism. For such failures, we suggest using Solution2 at the same time to increase the blocking effect.

1. Make sure the current application signature is the latest professional version.

SG-6000# show app info


Application identification engine version: 03.55
Application identification signature version: 3.0.190307(Professional)
Release time: 2019-03-07 11:12

Note:
Only the professional application signature supports YouTube.
If the signature is the standard version, run the command <exec app update professional> to change it to the professional version.

2. Export the Hillstone certificate to the local computer.

By default, the exported certificate name is “pki_export_cert”; add the suffix “.cer”, so the complete file name becomes “pki_export_cert.cer”.

3. Import the certificate “pki_export_cert.cer” into the client PC’s web browser, for example in Chrome: Settings > Advanced > Manage Certificates.

4. Make sure the Hillstone SSL proxy “Trust Domain” is the same as the domain from which you exported the Hillstone certificate.
5. Configure the Hillstone policy.

rule id 2
action deny
log policy-deny //Enable logs function
log session-start
log session-end
src-zone "any"
dst-zone "Any"
src-addr "Any"
dst-addr "Any"
service "Any"
application "YouTube" //Deny the YouTube application. For Google services, it is better to add QUIC as well.
application "QUIC"
sslproxy "SSL"
exit
rule id 1
action permit
src-zone "Any"
dst-zone "Any"
src-addr "Any"
dst-addr "Any"
service "Any"
exit

6. While the user visits YouTube, it is blocked.

7. We can see the following deny logs on Hillstone.
Here, the command <logging traffic session on> needs to be enabled in advance.

SG-6000# show logging traffic session

Total: 8
2019-04-01 13:31:32, INFO@FLOW: SESSION: 192.168.200.200:57560->173.194.167.7:443(TCP), application YouTube,interface ethernet0/0, vr trust-vr, policy 2, user -@-, host -,send packets 1,send bytes 54,receive packets 1,receive bytes 54,start time 2019-04-01 13:31:31,close time 2019-04-01 13:31:32,session end,Block
2019-04-01 13:31:32, INFO@FLOW: SESSION: 192.168.200.200:57558->173.194.167.7:443(TCP), application YouTube,interface ethernet0/0, vr trust-vr, policy 2, user -@-, host -,send packets 1,send bytes 54,receive packets 1,receive bytes 54,start time 2019-04-01 13:31:30,close time 2019-04-01 13:31:32,session end,Block
2019-04-01 13:31:32, INFO@FLOW: SESSION: 192.168.200.200:57556->173.194.166.108:443(TCP), application YouTube,interface ethernet0/0, vr trust-vr, policy 2, user -@-, host -,send packets 1,send bytes 54,receive packets 1,receive bytes 54,start time 2019-04-01 13:31:30,close time 2019-04-01 13:31:32,session end,Block
2019-04-01 13:31:32, INFO@FLOW: SESSION: 192.168.200.200:57555->173.194.166.108:443(TCP), application YouTube,interface ethernet0/0, vr trust-vr, policy 2, user -@-, host -,send packets 1,send bytes 54,receive packets 1,receive bytes 54,start time 2019-04-01 13:31:30,close time 2019-04-01 13:31:32,session end,Block
2019-04-01 13:31:31, INFO@FLOW: SESSION: 192.168.200.200:57560->173.194.167.7:443(TCP), interface ethernet0/0, vr trust-vr, policy 2, user -@-, host -, session deny
2019-04-01 13:31:31, INFO@FLOW: SESSION: 192.168.200.200:57558->173.194.167.7:443(TCP), interface ethernet0/0, vr trust-vr, policy 2, user -@-, host -, session deny
2019-04-01 13:31:30, INFO@FLOW: SESSION: 192.168.200.200:57556->173.194.166.108:443(TCP), interface ethernet0/0, vr trust-vr, policy 2, user -@-, host -, session deny
2019-04-01 13:31:30, INFO@FLOW: SESSION: 192.168.200.200:57555->173.194.166.108:443(TCP), interface ethernet0/0, vr trust-vr, policy 2, user -@-, host -, session deny
SG-6000#
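All three solutions are verified the same way, by reading the urlfilter log (step 4 of Solution1) and the session log (step 5 of Solution2 and step 7 of Solution3). The parser below is an added example, not part of this document or of StoneOS, that turns the three log formats shown above into records, rejoins lines that the CLI wrapped, and reports how many blocked flows a given client produced. The function names are assumptions; the sample log is constructed from the format of the entries above, and because both session-start and session-end logging are enabled in the policies, the same session appears once as "session deny" and once as "session end,Block", which is why the flow count is also deduplicated.

```python
"""Parser for StoneOS urlfilter and session log lines (added example, not Hillstone code)."""
import re
from collections import Counter

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
TS_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d, ")

# urlfilter line, e.g. "... WEB: IP a:p(x:p)->b:443(b:443), user -, vrouter trust-vr,
#   url https://www.youtube.com, category youtube, method GET, action block, reason URLDB"
WEB_RE = re.compile(
    r"^" + TS + r", INFO@FLOW: WEB: IP "
    r"(?P<src>[\d.]+):(?P<sport>\d+)\([^)]*\)->(?P<dst>[\d.]+):(?P<dport>\d+)\([^)]*\), "
    r".*?url (?P<url>\S+), category (?P<category>[^,]+), method (?P<method>\w+), "
    r"action (?P<action>\w+), reason (?P<reason>\w+)$"
)
# session line: either "... policy 3, ..., session deny" (session start)
# or "... application YouTube, ... policy 2, ..., session end,Block" (session end)
SESSION_RE = re.compile(
    r"^" + TS + r", INFO@FLOW: SESSION: "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\((?P<proto>\w+)\),"
    r"(?: application (?P<app>[^,]+),)?.*?policy (?P<policy>\d+),"
    r".*?(?:session (?P<deny>deny)|session end,(?P<end>\w+))$"
)


def unwrap(text):
    """Rejoin CLI output that was wrapped: a line that does not start with a
    timestamp is a continuation of the previous entry."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def parse_log(text):
    """Return one dict per recognised entry; 'Total:' headers and the like are skipped."""
    records = []
    for line in unwrap(text):
        m = WEB_RE.match(line)
        if m:
            r = m.groupdict()
            r.update(kind="web", blocked=(r["action"] == "block"))
            records.append(r)
            continue
        m = SESSION_RE.match(line)
        if m:
            r = m.groupdict()
            verdict = r.pop("deny") or r.pop("end")
            r.pop("end", None)
            r.update(kind="session", verdict=verdict,
                     blocked=verdict in ("deny", "Block"))
            records.append(r)
    return records


def summarize(text):
    """Blocked entries per log kind and per client IP."""
    by_kind, by_client = Counter(), Counter()
    for r in parse_log(text):
        if r["blocked"]:
            by_kind[r["kind"]] += 1
            by_client[r["src"]] += 1
    return by_kind, by_client


def blocked_flows(text):
    """Distinct blocked 4-tuples, so a start+end pair counts as one session."""
    return {(r["src"], r["sport"], r["dst"], r["dport"])
            for r in parse_log(text) if r["kind"] == "session" and r["blocked"]}


# constructed sample in the shape of the three log outputs above; the first
# entry is deliberately wrapped the way the CLI prints it
SAMPLE_LOG = """\
Total: 4
2019-03-31 10:30:21, INFO@FLOW: WEB: IP
192.168.200.200:51225(10.88.16.239:51225)->172.217.6.78:443(172.217.6.78:443), user -,
vrouter trust-vr, url https://www.youtube.com, category youtube, method GET, action block,
reason URLDB
2019-04-01 11:07:03, INFO@FLOW: SESSION: 192.168.200.200:64079->216.58.195.78:443(TCP), interface ethernet0/0, vr trust-vr, policy 3, user -@-, host -, session deny
2019-04-01 13:31:32, INFO@FLOW: SESSION: 192.168.200.200:57560->173.194.167.7:443(TCP), application YouTube,interface ethernet0/0, vr trust-vr, policy 2, user -@-, host -,send packets 1,send bytes 54,receive packets 1,receive bytes 54,start time 2019-04-01 13:31:31,close time 2019-04-01 13:31:32,session end,Block
2019-04-01 13:31:31, INFO@FLOW: SESSION: 192.168.200.200:57560->173.194.167.7:443(TCP), interface ethernet0/0, vr trust-vr, policy 2, user -@-, host -, session deny
"""

if __name__ == "__main__":
    kinds, clients = summarize(SAMPLE_LOG)
    print("blocked entries by kind:", dict(kinds))
    print("blocked entries by client:", dict(clients))
    print("distinct blocked sessions:", len(blocked_flows(SAMPLE_LOG)))
```

Run against a pasted `show logging traffic session` or `show logging traffic urlfilter` output, the client counter shows whether the PC under test actually produced block entries; a client with zero entries after browsing YouTube means the traffic never hit the deny rule, which is the case to investigate with the cache note under Solution1 or by combining solutions as suggested at the top of the document.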
