
Cannot block YouTube as an application

Enid Vallja
Level 1

Hi guys!

I need some help with the Access Control policies.

I'm trying to block YouTube for some object groups but when I block https://www.youtube.com I see other links of YouTube that are allowed, like:

https://img.youtube.com

https://s.youtube.com

https://consent.youtube.com

https://fcmatch.youtube.com

https://youtubei.youtube.com etc.

I'm blocking all the URLs one by one but new ones come out again and again.

I tried to block "*youtube.com", which I thought would cover all these pages, but it still doesn't work. Tried "^youtube.com" but still not.

Any idea what to do?

4 Replies

Veronika Klauzova
Cisco Employee

Hello,

Web pages like YouTube and/or Facebook will request multiple pages upon loading. The way to allow their "web-site dependencies" (images, videos, etc.) is to allow the CDN URL web category, but this requires a URL filtering license applied on the device.

Best regards,

Veronika

Thank you Veronika!

In fact, yesterday I found a partial solution, so I blocked https://*.youtube.com and then the URLs:

https://img.youtube.com

https://s.youtube.com

https://consent.youtube.com

https://fcmatch.youtube.com

https://youtubei.youtube.com

were blocked. But I see some Connection Events of YouTube which don't show a URL but just the applications (YouTube & YouTube Upload). I tried to block the YouTube app and the YouTube Upload app but still nothing.

Regards,

Enid

Hi Enid,

This requirement should be achievable by creating a simple ACP rule with one URL object with a "youtube.com" entry, as it will match *youtube.com*. This way you can simply deny all YouTube access without the need for a URL license and without the need for SSL decryption.

I cannot see your full access control policy rule from the provided screenshots, but it seems that you have the Application and URL columns filled in at the same time. Please note that between those columns in a rule there is an AND operation, which means that one of the listed applications and one of the URLs listed in the rule need to match at the same time, otherwise the rule will not match.

If the above still does not determine the issue on your end, could you provide debug output from the sensor CLI:

>system support firewall-engine-debug

(filter for a specific connection to avoid having much noise here)

and

provide a screenshot from the FMC GUI Help -> About section.

Best regards,

Veronika
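The matching logic described in the reply above, as an added toy model (not part of the original thread and not Cisco's engine): URL entries match as substrings, entries within a column are ORed, and the Application and URL columns are ANDed. The `Rule` class, the empty-column-means-any behaviour, the default allow action, the separate application-only rule and the sample connections are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str
    urls: tuple = ()   # empty column means "any" (assumption of this model)
    apps: tuple = ()

def rule_matches(rule, url, app):
    # Within a column, any one entry may match (OR). URL entries match as
    # substrings, following the reply: "youtube.com" matches *youtube.com*.
    url_ok = not rule.urls or any(u in url for u in rule.urls)
    app_ok = not rule.apps or app in rule.apps
    # Between columns the operation is AND: both must match.
    return url_ok and app_ok

def evaluate(policy, url, app, default="allow"):
    # First matching rule decides; the default action is an assumption.
    for rule in policy:
        if rule_matches(rule, url, app):
            return rule.action
    return default

YT_APPS = ("YouTube", "YouTube Upload")
# One rule with both columns filled in, as suspected in the reply.
combined = [Rule("block-yt", "block", urls=("youtube.com",), apps=YT_APPS)]
# URL-only rule from the reply, plus a hypothetical application-only rule.
split = [Rule("block-yt-url", "block", urls=("youtube.com",)),
         Rule("block-yt-app", "block", apps=YT_APPS)]

# Constructed connections: (URL seen by the sensor, detected application).
CONNECTIONS = [
    ("https://www.youtube.com/", "YouTube"),
    ("https://img.youtube.com/a.jpg", "HTTPS"),    # URL matches, app does not
    ("", "YouTube"),                                 # event with an app, no URL
    ("https://notyoutube.com.example/", "HTTPS"),  # substring over-match
]

def verdicts(policy):
    return [evaluate(policy, url, app) for url, app in CONNECTIONS]

if __name__ == "__main__":
    for name, policy in (("combined", combined), ("split", split)):
        print(name, verdicts(policy))
```

The last constructed connection shows the side effect of substring matching: an unrelated host whose name contains youtube.com is also caught by the URL-only rule.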

Hi Veronika,

It's been 2 months now and I'm still confused with some new changes I'm making.

Sometimes it works when you block the URL with * like *google.com, and sometimes with https://*.google.com. I've even seen some cases written like ^google.com.

What shall I use to generalize the URL for all the Google pages like Translate, Maps, Drive, etc.?

Regards,

Enid.
