Use Case: Block Youtube category but allow some specific youtube video ID(full path url)

Hi Soon,

Thank you for your comment and query in the Cato Community channel!

So as you have stated correctly, you cannot use Application Control Policy with a block INET FW rule, this is because the traffic needs to be allowed before we can process the traffic further within the Cato stack.

Also at this time (I have also attempted to lab this myself to confirm), you cannot use a Full Path URL in the INET FW stack, as I was attempting to create an exception rule and add the Full Path URL which was not accepted.

I would politely suggest in this use case is to create an RFE and raise it with your respective Cato customer service representative. 

Or raise a support ticket (if not already done so), and request an RFE for Full Path URL to be added into INET FW stack.

Hey Soon,

Just to further add, please see this KB which providers some understanding of the Cato SPACE architecture:

https://support.catonetworks.com/hc/en-us/articles/12545093882909-Understanding-Packet-Flow-with-Cato-SPACE-Architecture

Soon,

The Application Control policy (CASB), is a licensed service that provides the type of granular control that you are looking for, this granular control is not supported by the Int FW policy.

You can create an Application Control rule that allows the Full Path URL for the specific videos, and then the rule after which blocks the YouTube app.

Thanks!

Yaakov Simon

If you're going to leverage the Application Control Policy to do this; you could additionally create a value set of all allowed URL paths and use this in a single rule. It would reduce the administrative headache in the future, and put all 'allowed youtube videos' in a single place for you to monitor

Hi Soon, 

Did you manage to give a go with the required configurations on CASB?
Cheers!