Forum Discussion

Soon's avatar
Soon
Comet
6 days ago

Use Case: Block Youtube category but allow some specific youtube video ID(full path url)

Hi All,

I am exploring the way to block all youtube but allow some specific youtube video id. 
The full path url is configured in Application Control policy with action allow and the youtube category is block in Internet Firewall policy. It is not working because application control only take effect with the traffic is allowed in Internet Firewall policy.

FYI, full path url is not configureable in Internet Firewall policy.

Appreciate if anyone from community can give some ideas.

Thanks.

  • bizzle90's avatar
    bizzle90
    Icon for Cato Employee rankCato Employee

    Hi Soon,

    Thank you for your comment and query in the Cato Community channel!

    So as you have stated correctly, you cannot use Application Control Policy with a block INET FW rule, this is because the traffic needs to be allowed before we can process the traffic further within the Cato stack.

    Also at this time (I have also attempted to lab this myself to confirm), you cannot use a Full Path URL in the INET FW stack, as I was attempting to create an exception rule and add the Full Path URL which was not accepted.

    I would politely suggest in this use case is to create an RFE and raise it with your respective Cato customer service representative. 

    Or raise a support ticket (if not already done so), and request an RFE for Full Path URL to be added into INET FW stack.

     

  • bizzle90's avatar
    bizzle90
    Icon for Cato Employee rankCato Employee

    Hey Soon,

    Just to further add, please see this KB which providers some understanding of the Cato SPACE architecture:

    https://support.catonetworks.com/hc/en-us/articles/12545093882909-Understanding-Packet-Flow-with-Cato-SPACE-Architecture

  • Soon,

    The Application Control policy (CASB), is a licensed service that provides the type of granular control that you are looking for, this granular control is not supported by the Int FW policy.

    You can create an Application Control rule that allows the Full Path URL for the specific videos, and then the rule after which blocks the YouTube app.

    Thanks!

    Yaakov Simon

  • If you're going to leverage the Application Control Policy to do this; you could additionally create a value set of all allowed URL paths and use this in a single rule. It would reduce the administrative headache in the future, and put all 'allowed youtube videos' in a single place for you to monitor