08-02-2022 07:49 PM
For historical reasons, the company network did not distinguish between the office network and the production line network, and now wants to restrict the access of the production line network terminals to the Internet, but they can access certain services.
Since specific services are on the public network and the public IP resolution of these services is dynamic, what should be the restriction on the Layer 3 switch?
08-02-2022 08:35 PM
That is more like a job for a dedicated firewall.
08-02-2022 08:39 PM
Because the firewall is not controlled by my local site, if I operate on the firewall, what operations should I ask the firewall administrator to perform?
08-02-2022 10:44 PM
You can give the administrator a set of IP addresses (from > to) and the things that need to be blocked or allowed, such as protocols, applications, websites, etc.
08-02-2022 11:53 PM
What should I do if I can only set up a Layer 3 switch?
08-03-2022 06:49 AM
"Since specific services are on the public network and the public IP resolution of these services is dynamic, what should be the restriction on the Layer 3 switch?"
Well, you could block specific application type of traffic to/from your office network addresses (to/from any public address).
If you want to block just specific sites, you might be able to use NBAR to parse/recognize DNS names. Or, a bit more involved, have your production network use a local DNS server that returns an invalid IP for disapproved domain names, possibly including specific service names (e.g. WWW).
08-03-2022 05:11 PM
Thanks, but I would prefer to implement these configurations on a tier 3 switch.
08-04-2022 07:12 AM - edited 08-05-2022 10:52 AM
Preferences are all fine and good, but sometimes a preference cannot be met if your end goal is to be accomplished.
Generally L3 switches do not support NBAR, although I recall (???) I may have read some of the very latest Cisco switches support some NBAR features.
Without NBAR and/or overriding DNS results, it may be very difficult to selectively block certain protocol access to named hosts which have multiple IPs. Maybe something might be done within an EEM script, but I have no experience with that (believe there's another forum on that topic).
For example, assume you want to block your production network from www.youtube.com. Assuming an EEM script occasionally does an nslookup for that server name, getting, for example:
www.youtube.com
Server: UnKnown
Address: 192.168.42.30
Non-authoritative answer:
Name: youtube-ui.l.google.com
Addresses: 2607:f8b0:4009:81a::200e
2607:f8b0:4009:819::200e
2607:f8b0:4009:818::200e
2607:f8b0:4009:81b::200e
142.251.32.14
172.217.4.78
172.217.5.14
142.250.191.110
142.250.191.238
172.217.4.46
142.250.191.174
172.217.2.46
142.250.191.142
142.250.190.110
142.250.191.206
172.217.1.110
142.250.190.14
172.217.4.206
142.250.190.142
172.217.0.174
it might (re)build an ACL dynamically.
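To make the "resolve, then (re)build an ACL" idea concrete, here is an added example (my own code, not the poster's and not a Cisco feature) that parses nslookup output of the shape quoted above and emits an IOS-style extended ACL. It takes the allow-list view the original question asked for: the production network may reach the resolved hosts on chosen ports and nothing else, and a delta function shows which lines a periodic job would add or remove when the resolved set changes. The source network 10.10.0.0/16, the ACL name, TCP port 443 and the resolver address taken from the sample are constructed assumptions; the script runs off-switch (a scheduled job or an EEM trigger would push its output), and IPv6 answers are parsed but left for a separate ipv6 access-list.

```python
"""Build an IOS-style extended ACL from nslookup output (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: the nslookup output quoted in the post above,
# including the resolver's own 'Address:' line, which must NOT be permitted.
SAMPLE_NSLOOKUP = """www.youtube.com
Server: UnKnown
Address: 192.168.42.30
Non-authoritative answer:
Name: youtube-ui.l.google.com
Addresses: 2607:f8b0:4009:81a::200e
2607:f8b0:4009:819::200e
2607:f8b0:4009:818::200e
2607:f8b0:4009:81b::200e
142.251.32.14
172.217.4.78
172.217.5.14
142.250.191.110
142.250.191.238
172.217.4.46
142.250.191.174
172.217.2.46
142.250.191.142
142.250.190.110
142.250.191.206
172.217.1.110
142.250.190.14
172.217.4.206
142.250.190.142
172.217.0.174
"""


def parse_nslookup(text: str) -> Tuple[List[str], List[str]]:
    """Return (ipv4, ipv6) answer addresses, de-duplicated and sorted.

    Only the part after 'Non-authoritative answer:' is read, so the
    resolver's own 'Server'/'Address' header never lands in the ACL.
    """
    _, sep, answer = text.partition("Non-authoritative answer:")
    if not sep:
        return [], []
    v4, v6 = set(), set()
    for line in answer.splitlines():
        line = line.strip()
        for prefix in ("Addresses:", "Address:"):
            if line.startswith(prefix):
                line = line[len(prefix):].strip()
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue  # 'Name:', 'Aliases:' or blank lines are not addresses
        (v4 if ip.version == 4 else v6).add(ip)
    return [str(ip) for ip in sorted(v4)], [str(ip) for ip in sorted(v6)]


def build_acl(acl_name: str, source_net: str, dest_ips: List[str],
              ports: Tuple[int, ...] = (443,),
              dns_server: Optional[str] = None) -> List[str]:
    """Emit an IPv4 extended ACL: DNS to the local resolver (if given),
    TCP to each resolved host on each port, then deny the rest.

    Intended to be applied inbound on the production VLAN SVI, so only
    production-sourced traffic is evaluated against it.
    """
    net = ipaddress.ip_network(source_net)
    src = f"{net.network_address} {net.hostmask}"  # IOS wildcard mask
    lines = [f"ip access-list extended {acl_name}"]
    if dns_server:
        lines.append(f" permit udp {src} host {dns_server} eq 53")
    for ip in dest_ips:
        for port in ports:
            lines.append(f" permit tcp {src} host {ip} eq {port}")
    lines.append(f" deny ip {src} any")
    return lines


def acl_delta(old: List[str], new: List[str]) -> Dict[str, List[str]]:
    """Lines a periodic job must add and remove when resolution changes."""
    return {"add": [l for l in new if l not in old],
            "remove": [l for l in old if l not in new]}


if __name__ == "__main__":
    v4, v6 = parse_nslookup(SAMPLE_NSLOOKUP)
    acl = build_acl("PROD-EGRESS", "10.10.0.0/16", v4, dns_server="192.168.42.30")
    print("\n".join(acl))
    print(f"! {len(v6)} IPv6 answers need a separate ipv6 access-list")
```

Re-running the script on fresh nslookup output and applying only the `acl_delta` result keeps the change set small and reviewable; the same delta, logged each run, also shows how often the service's addresses actually move, which is the data an operator needs before deciding whether a switch-side job is maintainable or a firewall with FQDN objects is the right home for this policy.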
08-04-2022 06:27 PM
Thanks very much. I know it is difficult to carry out such an operation with such limited resources, but I still want to try it for various reasons. If there is no better way, I will seek more resources.
08-05-2022 11:02 AM
Yea, again, if you're limited to just your L3 switch's capabilities, it might be difficult to impossible to meet your goal on it.
Different devices have different capabilities, to suit different issues. LAN type L2/L3 switches often only handle typical LAN type issues. (Even among switches, their capabilities vary, such as between basic "appliance" LAN switches, large chassis Enterprise switches, and MAN switches.) Advanced security, generally, is more often found on routers and/or firewalls (probably because both, especially the latter, are often demarcation points for administrative domains, e.g. "inside" vs. "outside").
Also keep in mind, if you can concoct some very unusual solution on your switch, such as some involved EEM script, that "solution" creates additional operational and maintenance issues. (For example, you leave your company, who maintains that solution, then? Who can your company later hire that has experience in "your" solution?)
When you remind your company of the above, assuming they truly want a solution, often they will then be willing to purchase a more usual (commercial) solution.
08-07-2022 05:09 PM
Yes, I was limited in the technical aspects and neglected some other aspects, thank you for reminding me.