Restricting YouTube to Specific Channels on FortiGate Firewalls

Please note that YouTube is changing the way it categorizes content to comply with COPPA (Children’s Online Privacy Protection Act).  You will need to either set your video or the entire channel as “Made for Kids”.  When a video is categorized as “Made for Kids”  there will be some features not available:

• Comments
• Personalized Ads
• Info Cards
• End Screens

When the entire channel is “Made for Kids” other features will not be available either such as:

• Stories
• Community Tab
• Notification Bell
• Save to watch later
• Save to playlist

Here is a great video explaining the details By: Head of Family Partnership at YouTube

Lets get started.

Getting Channel ID

First thing we need to do is identify the the YouTube channel-ID.  To do this, you will need to go to the YouTube channel and copy the URL

https://www.youtube.com/channel/UCzQUP1qoWDoEbmsQxvdjxgQ

In the case above, the channel ID is UCzQUP1qoWDoEbmsQxvdjxgQ

This is the channel ID for Joe Rogan Experience one of my favorite podcaster/YouTuber.

Now lets go to the ForitGate

FortiGate Configuration 

You will need to go to:

1. Security Profiles
2. Web Filter
3. In my case, MonkeyBusiness-Web

We will focus on three locations inside the Web Filter profile.  Next I will show the details of what needs to be modified.

Restrict YouTube Access

In order for this to work correctly, you will need to set the Restrict YouTube Access to Moderate

Enable it be clicking the radio button and selecting Moderate

URL Filtering

Next you will need to enable URL filtering by clicking the radio button.

Next you will need to select Create New

Enter *.youtube.com and ensure that you select the Wildcard type, and finally set the action to Block.

This will block all of YouTube except for the whitelist below.

Whitelist YouTube Channel

We will need to enable this section by again clicking the radio button to turn it on.

Next you will need to Create New

As you can see in the screenshot, the Channel ID matches the Joe Rogan Experience channel ID from the first section UCzQUP1qoWDoEbmsQxvdjxgQ.  Optionally, but recommended, you can add a comment.  Click OK to save the channel ID.

Save this Web Filtering Profile to be used next.

Creating the IPv4 Policy

We will now need to create a policy to put it all together.

Here are the components for my policy.

1. Give the policy a name
2. Incoming Interface (This is my SSID where I have my test Windows 10 machine)
3. Outgoing Interface (My 1Gb Internet Connection)
4. This is an address object representing the IP address of my Windows 10.
5. Make sure this policy is in Proxy-based inspection mode.  In older versions of FortiOS, you will need to set this globally.
6. Choose the Web Filter profile we created earlier.

Additionally, you will need to have Deep Packet Inspection enabled as well.

Optional (If you do not have this already pushed to PC)

In my case, I had not installed my FortiGate certificate for SSL decryption.

I logged into the FortiGate from my Windows 10 machine.  Went to Security Profiles then SSL/SSH Inspection .  Next I chose the Manny-DPi profile and choose to Download from this screen.

I downloaded it to the Desktop and then double clicked on it.  It displayed the certificate and I chose to Install Certificate from the bottom of the window.

You will be presented with a Security Warning and you will need to choose Yes

You will need to install it into the Trusted Root Certificate Authorities store.

Choose Finish

 

Results

These are the results

Here we can see a YouTube channel I tried to watch and it was blocked with the standard (in my case, custom) Block Page.

Here we can see the Joe Rogan Experience YouTube Channel.

 

Hope this helps.