USG 210 UTM profil not working for youtube

frerealexis
frerealexis Posts: 21  Freshman Member
First Anniversary First Comment
edited April 2021 in Security

My USG210 is running on FW 4.35. I have excluded youtube for a utm profile based on a whitelist. If I enter youtube.com directly, the USG blocks it. But if I enter youtube into google and access youtube via google, the USG does not block it.

All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @frerealexis,

    If you’d like to allow YouTube, add YouTube to the list of Trusted Web Site.

    In the App Patrol profile, enable “Enable Custom Service” and “Check Common Trusted/Forbidden List”.

    In the security policy rule, apply Content Filter profile and SSL Inspection profile.

    Result:

    No matter you access YouTube by entering youtube.com directly or by searching youtube in Google, YouTube is able to be accessed because it is on the Trusted Web Site.

  • frerealexis
    frerealexis Posts: 21  Freshman Member
    First Anniversary First Comment

    Hi Emily, you do not understand : I want to FORBID youtube.

    I have placed youtube.com and in the commun blacklist and in the custom "forbidden wet sites" AND "blocked URL keywords" of this profile, as you can see below

    Of course I have checked "enable custom service" and I have checked "check commun trusted/forbidden list". But I can still go to youtube via google.

    SSL : I have not activated it

    1. because I cannot update the certificat (I created a post on this subject yesterday)
    2. In the past I never had to activate SSL inspection. The utm filter worked just fine. I think the problem is since FW 4.35.


  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @frerealexis,

    To use SSL Inspection, you don’t have to update the certificate. Just export the default certificate and import it to your test PC.

    To block YouTube, you can also use App Patrol to block YouTube.

    Make sure signature for IDP/App Patrol are updated to the latest version.

    Create a new application.

    Create App Patrol profile.

    Apply App Patrol profile and SSL Inspection to security policy rule.

  • frerealexis
    frerealexis Posts: 21  Freshman Member
    First Anniversary First Comment

    I cannot install a certifcat on 40 computers on our network. There should be no need to. In the past the UTM profile worked : no need to use IDP. I will reboot the zyxel hoping this will solve the issue...

  • frerealexis
    frerealexis Posts: 21  Freshman Member
    First Anniversary First Comment

    No, rebooting did not solve the issue...

  • frerealexis
    frerealexis Posts: 21  Freshman Member
    First Anniversary First Comment

    To illustrate my case : the first logs (in the orange rectangle) show that the utm filter is blocking youtube when I enter youtube directly in the url bar.

    The last logs (in green rectangle) show connexions to google and from there I can click on a link to youtube and I have access but no logs specifically mention youtube, but I promise you that I do have access to youtube via google link, which is not normal.


  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @frerealexis,

    On small models such as USG40 which doesn’t have SSL inspection, you need to enable “Enable HTTPS Domain Filter for HTTPS traffic”.

    YouTube uses Quic protocol and the main goal is to improve the application performance that are currently using TCP. Quic is using UDP protocol.

    If you found Content Filtering is still unable to block the Google service for instance YouTube, you can simply edit the firewall rule to block UDP 443 make it use TCP to connect with server.

  • frerealexis
    frerealexis Posts: 21  Freshman Member
    First Anniversary First Comment

    I do have SSL on the USG210 but it is not activated. blocking UDP 443 does help (the videos are not visible) but the website youtube remains accessible.

Security Highlight