ZanG
Level 8
Message 1 of 6

Whitelisting a specific URL

Hi,

I would like to know if there is a possibility to whitelist only a specific url - for example a specific video on Youtube.

We have Youtube blocked for most of our users, but would like to allow all of them to see only videos from our youtube channel.

I've tried with this rule:

Youtube.JPG

I've entered the url in a few different ways (with and without the protocol, with * at the end, etc):

Youtube2.JPG

And it doesn't work - I get a blocked screen.

I would like to point out that the rule works if I choose url.host as criteria and put in only the domain (www.youtube.com) - but then the whole youtube is accessible, which I don't want.

Thank you and best regards,
Zan

1 Solution

Accepted Solutions
aloksard
McAfee Employee
Message 4 of 6

5 Replies
mkutrieba
McAfee Employee
Message 2 of 6

Re: Whitelisting a specific URL

Hello,

First, we have a youtube API v3 filtering rule set for better management:
https://contentsecurity.mcafee.com/ruleset_library?q=%22youtube+api+v3%22

Regarding the request, this depends on how you block youtube videos.

If you block by category Streaming media, for example, then this is nearly impossible in this way. The problem is that multiple requests are made in the background for a single youtube video, and the video itself is not coming from youtube but from googlevideocontent or googleusercontent or similar. This means you would also need to allow these URL hosts. This is a lot of work and complicated.
This could be checked with rule traces.

If you only block the youtube URL host and not by category streaming media, then most likely the CONNECT request is already blocked. The full URL can only be seen on MWG if SSL Scanner was triggered and content inspection was made.
The order is 1) CONNECT request to youtube.com (and here often the youtube block rule hits), 2) CERTVERIFY request and 3) GET request to youtube.com (here you see the full URL which you can use for filtering).
So this means that a bypass rule needs to be made to allow the CONNECT and CERTVERIFY cycles for such URL hosts in the rule set where you block youtube by the URL.Host property. Once this is allowed, the CONNECT will be bypassed and not be blocked, same for CERTVERIFY; then content inspection is made, the full URL is seen, and the GET request should run into your bypass rule where you want to allow specific URLs and should match.

Example:
Rule set "URL Filtering"
1. bypass CONNECT and CERTVERIFY for special URL hosts
(Command.Name equals CONNECT OR Command.Name equals CERTVERIFY) AND URL.Host equals youtube.com (alternatively "is in list <listname>"), Action: Stop Rule set
2. Bypass specific Youtube URLs
URL matches/is in list <list with full URL>, Action: Stop Rule Set
3. Block Youtube
URL.Host equals youtube.com, Action: Block

So, CONNECT and CERTVERIFY would be allowed in the first rule, then the GET request comes in and goes to the second rule. Here it is bypassed if it matches, and if not, it will be blocked in the third rule. If you do not have this, the CONNECT request runs into the second rule but does not match, as it only sees CONNECT youtube.com, and then it would already be blocked in the third rule.

It is a little bit complicated to understand by text only. So if there are open questions or you still cannot get it to work, I would advise you to create a ticket and attach a feedback file and rule trace, and call the URL you want to bypass.

Regarding the youtube filtering rule set, this, of course, also only works if streaming media is allowed. If you block streaming media in total, all other URL hosts where videos are coming from are blocked, which means the filtering rule set would also not help.

Hope this helps a little bit and let me know if you have further questions.

Regards,
Marcel Kutrieba
Technical Support Engineer
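
The evaluation order described in the reply above, modelled in Python as an added example; it is not part of the original post and is not Web Gateway rule syntax. The allow-listed video URL is a constructed placeholder, and the category block on the hosts that serve the video stream is not modelled.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the "list with full URL" in rule 2.
ALLOWED_URLS = {"https://youtube.com/watch?v=EXAMPLE_ID"}
BLOCKED_HOST = "youtube.com"


def evaluate(command, host, url, with_bypass=True):
    """Return (action, rule_number) for one request cycle.

    url is None while the proxy has only seen the tunnel request,
    i.e. before SSL content inspection exposes the full URL.
    """
    # Rule 1: bypass CONNECT and CERTVERIFY for the special URL host.
    if with_bypass and command in ("CONNECT", "CERTVERIFY") and host == BLOCKED_HOST:
        return ("stop rule set", 1)
    # Rule 2: bypass specific full URLs (only matchable once the URL is visible).
    if url is not None and url in ALLOWED_URLS:
        return ("stop rule set", 2)
    # Rule 3: block the host.
    if host == BLOCKED_HOST:
        return ("block", 3)
    return ("continue", None)


def run_session(url, with_bypass=True):
    """Walk the CONNECT -> CERTVERIFY -> GET order and stop at the first block."""
    host = urlsplit(url).hostname
    trace = []
    for command in ("CONNECT", "CERTVERIFY", "GET"):
        visible_url = url if command == "GET" else None
        action, rule = evaluate(command, host, visible_url, with_bypass)
        trace.append((command, action, rule))
        if action == "block":
            break
    return trace


if __name__ == "__main__":
    target = "https://youtube.com/watch?v=EXAMPLE_ID"
    for label, bypass in (("with rule 1", True), ("without rule 1", False)):
        print(label)
        for step in run_session(target, with_bypass=bypass):
            print("   ", step)
```

Without rule 1 the trace ends at the CONNECT cycle, so the allow list in rule 2 is never evaluated against a full URL.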

ZanG
Level 8
Message 3 of 6

Re: Whitelisting a specific URL

Thank you for your quick reply.

Yes, we block content by category. I tried with rule trace and it shows me only that youtube domain was blocked by category blocklist:

Youtube3.JPG

I tried to combine both rules - the one that allows certain users to access whole youtube (1st one, url.host - this one on its own works) and the one that should only allow certain urls (2nd one, URL):

Youtube4.JPG

But it still doesn't work.

Thank you.

aloksard
McAfee Employee
Message 4 of 6

Re: Whitelisting a specific URL

@ZanG 

 

PFA

ZanG
Level 8
Message 5 of 6

Re: Whitelisting a specific URL

Thank you both! In the end I tried importing aloksard's rule. I had to modify it a bit (for the needs of our organisation) and it works!

Thanks again!

mkutrieba
McAfee Employee
Message 6 of 6

Re: Whitelisting a specific URL

Hello,

Yes, the rest of the URLs like googleusercontent is now shown as youtube.com is already blocked and the other URLs would be requested from youtube in the background, therefore you do not see them yet.

So special whitelisting for certain URL hosts is needed, and Alok provided a rule set which you can import for doing such tasks. It might be possible that it works perfectly; it might be possible that some things need to be updated in case something has changed on youtube's end. But this rule set refers to my mentioned point 1, that multiple things need to be bypassed from the category block, as youtube videos are coming from other resources.

Have a look and try it out, let us know if you have further questions.

Regards,
Marcel Kutrieba
Technical Support Engineer
