How to block YouTube access by schedule

Zyxel_Jeff

This is an example of using the USG Flex/ATP to block access YouTube access by schedule. You can use Application Patrol and security policy with schedule settings to make sure that YouTube cannot be accessed in your network at a specific prohibited time. This article will guide you on how to deploy it.

USG Flex/ATP with Scheduled YouTube Access Settings Example

Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG FLEX 200 (Firmware Version: ZLD 5.31).

Set Up the Schedule on the USG Flex/ATP

In the USG Flex/ATP, go to CONFIGURATION > Object > Schedule > Recurring > Add Schedule Recurring Rule. Configure a Name for you to identify the Schedule Recurring Rule. Specify the Day Time hour and minute when the schedule begins and ends each day. In the Weekly schedule, select each day of the week that the recurring schedule is effective.

CONFIGURATION > Object > Schedule > Recurring

Create the Application Patrol profile on the USG Flex/ATP

In the USG Flex/ATP, go to CONFIGURATION > Security Service > App Patrol > Profile Management. To add an App Patrol profile, configure the profile name and select “Search Application(s) By Name”. Then enter the keyword “youtube” to search the key-related results.

Select all YouTube-related apps and press Add To My Application.

Modify Action from “forward” to “drop” and press Save & Exit.

Set Up the Security Policy on the USG Flex/ATP

In the USG Flex/ATP, go to CONFIGURATION > Object > Service to add a UDP 443 service object.

Go to CONFIGURATION > Security Policy > Policy Control to configure a Name for you to identify the Security Policy profile. For From and To policies, select the direction of travel of packets to which the policy applies. Select the service QUIC_UDP443 and select the Schedule that defines when the policy would be applied.  In this example, select “Youtube_Blocked_Time”.

Add another security policy to block YouTube by schedule. To configure a Name and the From, To traffic direction. Select the Schedule that defines when the policy would be applied.. Finally, to scroll down the Profile, check Application Patrol and select a profile from the list box. In this example, Schedule: Youtube_Block_Time; Application Patrol: Youtube.

Then go back to the security policy page and move the security priority of block UDP 443 is higher than block YouTube by schedule.

Test the Result

Type the URL http://www.youtube.com/ or https://www.youtube.com/ onto the browser and cannot browse YouTube, as below:

Open the YouTube APP on the phone and cannot access to YouTube, as below:

Go to Monitor > Log, you will see [alert] log of blocked messages.

What Could Go Wrong?

If you are not  able to configure any Application Patrol policies or it’s not working, there are two possible reasons:

1. You have not subscribed for the Application Patrol service.
2. You have subscribed for the Application Patrol service but the license is expired.

You can click the link from the CONFIGURATION > Licensing > Registration screen of your Zyxel device’s Web GUI (http://portal.myzyxel.com/) to register license service or extend your Application Patrol license on Zyxel Marketplace  (https://marketplace.zyxel.com/).

Finally, go to the CONFIGURATION > Licensing > Registration > Service and click the Service License Refresh button to update the status and the Application Patrol service shall be working.