How do you allow specific youtube content?

noelciscoman
Level 1

I have been struggling allowing specific YouTube videos.  Our default filter blocks streaming media, and as a result when a user goes to YouTube, they are blocked.  Occasionally, I have been asked to allow specific videos, and as such I have added the URL of the specific video to the exceptions list of the default filter.  However, users are still blocked.  I am looking for a best-practice configuration method that will allow me to block streaming media, but allow specific YouTube videos.  I have opened TAC cases, but to no avail.

Anyone?

Here is a policy trace for

https://www.youtube.com/watch?v=3zkSH793SGo  (this url is in the exception list of the 'TEAM Filter') 

Identified user 'ss_bagley' from IP address 10.10.1.121 as part of company 'Team Industries Inc.'
User belongs to groups [LDAP://ss_bagley]
User belongs to static groups [default]
Application recognized as 'youtube'
Site categorized as 'Streaming Video'

Evaluating 11 rules after reading request headers
Evaluating rule 'Block All'
Rule 'Block All' doesn't match
Evaluating rule 'Allow Audubon Guest'
Rule 'Allow Audubon Guest' doesn't match
Evaluating rule 'Allow Bagley Guest'
Rule 'Allow Bagley Guest' doesn't match
Evaluating rule 'Allow Andrews Guest'
Rule 'Allow Andrews Guest' doesn't match
Evaluating rule 'Allow Cambridge Guest'
Rule 'Allow Cambridge Guest' doesn't match
Evaluating rule 'Allow Cambridge'
Rule 'Allow Cambridge' doesn't match
Evaluating rule 'Allow Detroit Lakes Guest'
Rule 'Allow Detroit Lakes Guest' doesn't match
Evaluating rule 'Allow Park Rapids Guest'
Rule 'Allow Park Rapids Guest' doesn't match
Evaluating rule 'Allow YouTube'
Rule 'Allow YouTube' doesn't match
Evaluating rule 'Empower'
Rule 'Empower' doesn't match
Evaluating rule 'TEAM Filter'
Taking block action because of category 'Streaming Video'
Evaluating 3 HTTPS rules
HTTPS rule 'Cambridge Youtube' doesnt match
HTTPS rule 'Do not inspect https' doesnt match
HTTPS rule 'TEAM Https' matches, using certificate 'TEAM Cert' to decrypt

Accepted Solutions

Hi Noel,

First off you must enable HTTPs Inspection in your portal, otherwise we are unable to filter against the traffic on the tower.

For your rule above the block rule for streaming media, you must allow the following:

googlevideo.com
ytimg.com
youtube.com/watch?v=NuNcc3DzeKw
youtube.com/watch?v=cIexS4Ahbc8

*where "youtube.com" based URI is the one you’d like to be allowed.

 

Then in a rule below, you may block youtube.com or Streaming media as a whole: 

youtube.com (or Streaming Media in general)

Sincerely,

Edan Mudachi


noelciscoman
Level 1

I should have prefaced:  Using Cisco Cloud Web Security with ISR G2 as connector.

Edan,

Thanks for your reply.  I do have HTTPS inspection enabled, as you can see in the last line of my policy trace, the URL I am trying to allow does match a decrypt rule:

HTTPS rule 'TEAM Https' matches, using certificate 'TEAM Cert' to decrypt

In the next part of your answer, you reference a "rule above the block rule" as a means to allow the traffic.  I do not have such a rule at the moment.  I am trying to use the exception list in the block rule.  Will the exception list in the block rule not work for allowing this content?

Thanks again, I really appreciate the help.

Edan,

I added an "allow rule" above the "block rule" like you described and this does work perfectly.  Thank you.  Is there an explanation as to why this cannot be accomplished with the exceptions list in the block rule?

Thanks again.  Very helpful.  I have opened three different cases regarding allowing specific youtube videos.  I was aware of the domains in play due to these TAC cases, but I was always utilizing the exceptions list.  TAC never once suggested that this should be accomplished with an additional rule.

Hi Noel,

Absolutely my pleasure. It is dependent on how you have your policy configured. When you create an exception to a filter you are simply amending it from the action taken on that rule, not applying the opposite action. The policy structure is similar to an access list so it does first match and then exits. It will continue down the list until the object has hit on it again.

Sincerely,

Edan Mudachi

This might have been the solution at the time of this posting, but it is no longer an acceptable solution.

Allowing googlevideo.com will allow any video that pops up as a suggested video, not just the ones you whitelist.

The lack of static URLs and the way wildcarding in Umbrella works make this insanely difficult to accomplish.

If there is a way Umbrella can do regex entries like the Virtual Web Appliance, then this would be doable
https://www.cisco.com/c/en/us/support/docs/security/secure-web-appliance-virtual/221765-enable-specific-youtube-channel-video-an.html
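
A simplified first-match model of the behaviour discussed in this thread (the allow-rule-above-the-block-rule answer and the googlevideo.com caveat in the reply above), as an added example that is not Cisco's policy engine or any poster's code. The entry-matching semantics, the default action of allow, the 'Streaming Video' category on every request, the rule contents and the sample media URLs are assumptions.

```python
from urllib.parse import urlsplit

def entry_matches(entry, url):
    """Assumed semantics: a bare domain covers the host and its subdomains;
    an entry with a path must also prefix-match path?query."""
    domain, _, rest = entry.partition("/")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != domain and not host.endswith("." + domain):
        return False
    target = parts.path.lstrip("/") + ("?" + parts.query if parts.query else "")
    return target.startswith(rest)

def evaluate(rules, url, category, default="allow"):
    """First match wins. Returns (action, rule name)."""
    for rule in rules:
        hit = category in rule.get("categories", ()) or any(
            entry_matches(e, url) for e in rule.get("urls", ()))
        # An exception only takes the request out of this rule; it is not an allow.
        if hit and not any(entry_matches(e, url) for e in rule.get("exceptions", ())):
            return rule["action"], rule["name"]
    return default, "default"

BLOCK = {"name": "TEAM Filter", "action": "block", "categories": {"Streaming Video"}}
EXCEPTION_ONLY = [dict(BLOCK, exceptions=["youtube.com/watch?v=NuNcc3DzeKw"])]
ALLOW_ABOVE = [
    {"name": "Allow YouTube", "action": "allow",
     "urls": ["googlevideo.com", "ytimg.com", "youtube.com/watch?v=NuNcc3DzeKw"]},
    BLOCK,
]

# Constructed requests for one page load; the media hostnames/paths are samples.
WANTED = [
    "https://www.youtube.com/watch?v=NuNcc3DzeKw",
    "https://i.ytimg.com/vi/NuNcc3DzeKw/default.jpg",
    "https://r1.googlevideo.com/videoplayback?id=constructed",
]
OTHER = [
    "https://www.youtube.com/watch?v=CONSTRUCTED1",
    "https://r2.googlevideo.com/videoplayback?id=constructed-other",
]

def actions(rules, urls):
    """Action per URL, assuming every request is categorized 'Streaming Video'."""
    return [evaluate(rules, u, "Streaming Video")[0] for u in urls]

if __name__ == "__main__":
    for name, rules in (("exception only", EXCEPTION_ONLY), ("allow above", ALLOW_ABOVE)):
        print(name, actions(rules, WANTED), actions(rules, OTHER))
```

In this model the exception-only policy lets the watch page through but still blocks the ytimg.com and googlevideo.com requests, while the allow rule above the block rule passes all three and also passes the media stream of a video that was never listed.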

You get that you're replying to a question from 8 years ago for a solution that no longer exists (Cisco Cloud Web Security), right? 

 Cisco is still pointing people towards this thread and referencing it in TAC cases.
Maybe they shouldn't?

We specifically requested this ability when we were sold Umbrella and were told it's possible. Now it magically isn't.....

 

atiqbay023
Level 1

To resolve your issue, try adjusting the filter rule order so that the "Allow YouTube" rule takes priority over the "Streaming Video" block. Ensure the exception URL is properly formatted and covers both HTTP and HTTPS traffic. If the issue persists, refine your filtering criteria or use domain-based filtering. Similar to apps like DixMax which you can download online, sometimes face blocking issues despite exceptions, your network filters may need fine-tuning to allow specific content while blocking others.