@balaji.bandi I believe both youtube.com and twitter.com use both HTTP Strict Transport Security (HSTS) and Public Key Pinning (PKP). We can confirm this in Chrome via the query box at chrome://net-internals/#hsts

This creates a problem for a middleware box like Firepower since it cannot reliably intercept the traffic. For example, certificate SNI inspection doesn't work since yourtube.com uses *.google.com as its certificate.

The best and much more reliable way to block these clients is to use Cisco Umbrella which works by preventing the sites' DNS resolution and instead redirecting the client to a block page.

@Marvin Rhoads i can understand what you saying, but if the VPN Terminate in to FTD, (if the user do no have umbrella or other DNS Sec solution) - can we achieve this using ACL filtering with FQDN ( as per my understand FTD support this feature)

I do agree the video is bit away from this issue, The video just given example to understand how one can filter.

what would be the soluition or best approach, happy to hear / listen and understand what iam missing here ?

Sorry for the delay - I had on my list to test this. I just checked it in my lab and found that www.twitter.com and www.youtube.com were blocked just fine with a URL filtering ACP rule.

I noticed the original post had "youtube" application in the policy. When my client was blocked it was categorized as simply "https" application and "ssl client".

Here're the working policy and results for me: