How to create a Video Filter for YouTube with FortiGate, step by step

The Video filter is a feature in FortiGate that allows the network administrator to filter YouTube videos based on categories provided by FortiGuard or even by channel ID, in case a more restricted or specific filter is needed.

FORTINET

12/22/2024

The video filter security feature on FortiGate lets the administrator control access to YouTube at a more granular level. Access can be granted by FortiGuard category inside the video filter profile or, more restrictively, by the channel ID of the YouTube channels you want or need to allow.

For this procedure to succeed, some requirements are mandatory.

01 - A YouTube API Key* must be configured.
02 - The Firewall Policy and the Web Filter must both be set to "proxy" as the inspection type.
03 - Application Control must block the QUIC protocol.
04 - SSL inspection must be "deep-inspection" ("man in the middle").

*(Click here to learn how to get the YouTube API Key.)

Keep these requirements in mind for the procedure to succeed.

Creating the Video Filter Profile

Go to "Security Profiles" and then "Video Filter". The process is similar to other security profiles. If that option does not appear under Security Profiles, go to the CLI and enter:

config system settings
    set gui-proxy-inspection enable
end


Go to System > Feature Visibility and, under "Security Features", enable the "Video Filter" option. The menu will now be available.

In the Video Filter profile you will find the categories from FortiGuard. Those categories are based on the most common kinds of channels on YouTube, so options like Music, News or Games will be present.

You can either use the predefined categories or block everything and allow access only by channel. Two interesting examples of the second option: first, a company that allows only its own channel, or a set of predefined channels, out of all of YouTube; second, a more effective parental control where only trusted and proven children's channels can be accessed. The possibilities here are many and will depend on the need.

Even if you choose to filter by FortiGuard's existing categories, you will need the YouTube API Key. If you want to use the channel filter, you will also need the channel ID. To obtain it, go to the desired channel in your preferred browser and:

01 - Ctrl + U = This opens the page inspection mode in a new tab. Alternatively, right-click and choose "inspect code" or similar.
02 - Ctrl + L and search for "channelIds" = Type it in quotes, exactly as shown here, to make it easier to find. The channel ID value follows the quoted text.

In the following gallery, the first and second screenshots are from FortiOS version 7.2.10.


The API Key must be configured in the Video filter profile or in the CLI.

config videofilter youtube-key
    edit 1
        set key <insert the API Key>
    next
end

Web Filter and Application Control


YouTube control is handled by the Video Filter profile, so in both the Web Filter and Application Control profiles the action will be allow. Remember to configure the Web Filter in Proxy mode and to block the QUIC protocol in Application Control.

Firewall Policy and Results


The firewall rule must contain the 03 profiles created: the Web Filter in proxy mode allowing the YouTube category, the Application Control allowing YouTube but blocking the QUIC protocol, and the Video Filter that was created. The SSL profile used here was the default FortiGate Deep Inspection profile, but another one can be used as long as it is "Deep". The firewall rule is in "Proxy" mode. In our Video Filter, we blocked all news channels and allowed only CNN Brazil, based on its channel ID.
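
To confirm that a policy really meets these requirements, the check below reads a saved configuration and reports every policy that references a Video Filter profile without proxy mode, a deep SSL profile, a Web Filter or an Application Control profile. It is an example added here, not part of the original article or a Fortinet tool; the sample configuration and profile names are constructed, the policy keywords (inspection-mode, ssl-ssh-profile, webfilter-profile, application-list, videofilter-profile) are assumed to match your FortiOS version, and custom deep-inspection profile names must be passed in deep_profiles.

```python
import re

# Constructed sample; policy 11 is deliberately missing the page's requirements.
SAMPLE_CONFIG = """\
config firewall policy
    edit 10
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "wf-proxy"
        set application-list "block-quic"
        set videofilter-profile "vf-youtube"
    next
    edit 11
        set ssl-ssh-profile "certificate-inspection"
        set videofilter-profile "vf-youtube"
    next
end
"""

def parse_policies(config_text):
    """Return {policy_id: {setting: value}} for the 'config firewall policy' block."""
    policies, current, in_block = {}, None, False
    for line in map(str.strip, config_text.splitlines()):
        if line == "config firewall policy":
            in_block = True
        elif in_block and current is None and line == "end":
            in_block = False
        elif in_block and (m := re.fullmatch(r"edit (\d+)", line)):
            current = policies.setdefault(int(m.group(1)), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return policies

def audit_video_filter(config_text, deep_profiles=("deep-inspection",)):
    """Map policy ID -> unmet requirements, for policies that use a Video Filter."""
    findings = {}
    for pid, s in parse_policies(config_text).items():
        checks = {  # a missing inspection-mode line is treated as "not proxy" (assumption)
            "not in proxy inspection mode": s.get("inspection-mode") == "proxy",
            "SSL profile is not a listed deep profile": s.get("ssl-ssh-profile") in deep_profiles,
            "no Web Filter profile attached": "webfilter-profile" in s,
            "no Application Control profile attached": "application-list" in s,
        }
        issues = [msg for msg, ok in checks.items() if not ok]
        if "videofilter-profile" in s and issues:
            findings[pid] = issues
    return findings
```

The check covers policy-level settings only; that the Web Filter profile itself is in proxy mode and that the Application Control profile actually blocks QUIC still has to be verified inside those profiles.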