Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 9 replies
  • Subscribers 30 subscribers
  • Views 16767 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

After updating to SFOS 17.0.0 GA Many content in youtube are block by web Filter

Adi Darmawan

Dear All,

 

I want to ask about our issue, here is the detail; When we Upgrade the firmware into 17.0.0 GA many Internet User are complaint about content in youtube is not show all ressult.

1. After i compare with my laptop that open youtube and serch the same title, the ressult are difrent my Laptop(Using Modem Usb) show more ressult than my  PC (very2 small ressult)

2. So i try to check my Web Filter and technicaly my web filter is not blocking anything even a Porn.

3. I try not using Web Filter to make sure that all content youtube are perform, the ressult is all content in youtube show.

 

My Question is why Web Filter is Blocking content in youtube even there is no policy for blocking negative content like Nude & adult.

 

Please Help.

Thank you.



This thread was automatically locked due to age.
Parents
  • 0

    One of our clients is having the same issues on XG 17.0.6 MR-6.

    Creating exceptions in both the web filter and firewall appears to have no effect on the issue. There also seems to be some degree of randomness to when it does/doesn't occur, the same video may work one day but not the next.

    The only way we've found to work around the issue is to disable SafeSearch, this is not always an acceptable solution. It would be great to independently enable/disable SafeSearch settings. eg. Turn on for Google and Yahoo but disable for YouTube.

  • 0 in reply to ShayH

    We will be bringing more granular controls to youtube and safesearch in 17.2, with the ability to set them independently and on a per policy basis.  I do not have an ETA for 17.2.

    Any "randomness" comes from Google (who owns YouTube).  They are the ones who decide whether a video should be restricted.  However we have heard feedback that they are being a little overprotective.  I don't think there should be any randomness day to day.

    If it is an absolute deal breaker where you must have safesearch and you also must have youtube unrestricted, there is a workaround.  Create FQDN Host definitions for the domains listed in here https://support.google.com/a/answer/6214622?hl=en and then a higher level firewall rule with those as a destination network, applying to service HTTP/HTTPS but with no Malware or Web Policy.

  • 0 in reply to Michael Dunn

    Thanks Michael. We've had a top level firewall rule for YouTube applied for sometime now, this hasn't fixed our issues.

    Here's an example of some of the randomness we're seeing.

    1. Try video, confirmed that it won't load as it's restricted, https://www.youtube.com/watch?v=Uyfe0aFSVio. Noted that the restricted option in YouTube says it's enabled and set by the network administrator.
    2. Disabled the current "allow YouTube" firewall rule and created a new one, just to test. Ensured that the YouTube URLs were as per the Google article and no Web/Malware filtering was enabled on the rule.
    3. Load video, confirmed it's working now. YouTube restricted mode is off.
    4. Disable the new "allow YouTube" firewall rule and re-enabled to old one.
    5. Video still loads. YouTube restricted mode is off.
    6. Try manually enabling restricted mode in YouTube. Video still loads.

    Based on the above it feels as though there is an issue in the way the XG enables SafeSearch. I understand it's simply a DNS thing, but when manually enabling restricted on YouTube doesn't block the video makes me question the implementation on the XG.

    We've been struggling with this for a while now. We'll make a change in the XG and everything looks to be working. Some period of time later (hours, days) we'll have another wave of videos that aren't working and the process will loop back to the start.

    It's a deal breaker for the client to disable SafeSearch globally, they're a K-12 school. Staff have worked YouTube into their lesson plans, as you can imagine they become quite frustrated when videos don't work while at school but do at home. This paints IT in a very bad light.

  • 0 in reply to ShayH
    Thank you for the link to the video.  What you were experiencing is definitely strange and I can understand your frustration.   Yhis led me into some things that I was not aware of.
     
    To most users, YouTube presents two options:  restricted mode on or off.
     
    From my recollection of when we implemented the CNAME override in our first product a few years ago it was the same.  They had one option, to turn resticted mode on you CNAME to restrict.youtube.com
     
    Then it appears YouTube changed and has another level presented to admins.  They can choose Strict Restricted or Moderate Restricted.  This might have been implemented when Youtube for Education (which also had abilities to do restriction) was rolled into GSuite.  See here for more.  support.google.com/.../6212415
     
    They also introduced restrictmoderate.youtube.com.  But here is the thing....  When the user does the on/off toggle for restricted mode, they are really turning on and off Moderate Restricted.  YouTube changed the meaning of restrict.youtube.com.  It used to mean the same level as the user-based restrict mode and now it means a stricter level.
     
    In 17.2 we will add the ability to choose whether you want to enable YouTube restricted mode and also be able to set the level (moderate or strict).
     
    However this doesn't address the weirdness where you have to enable and disable rules.  That suggests to me that the traffic is not hitting the correct firewall rule.
     
    Two questions:  Do you have HTTPS scanning turned on?  Are you using transparent or direct (explicit) mode?
     
    One more place to get information.  Go to the log viewer.  Click the icon for Detailed View, then switch to the web filter module.  Add a filter or a search (eg www.youtube.com).  Now you can see two things:
    messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" fw_rule_id="2" user="bob" user_group="Open Group" web_policy_id="1" web_policy="" category="Video hosting" category_type="Unproductive" url="https://www.youtube.com/" content_type="" override_token="" response_code="" src_ip="10.99.112.29" dst_ip="216.239.38.119" protocol="TCP" src_port="62001" dst_port="443" bytes_sent="24131" bytes_received="353700" domain="www.youtube.com" exception="" activity_name="" reason="" user_agent="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" status_code="200" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="1355008" app_name="Youtube Website" app_is_cloud="0"
     
    Lets pull out three relevant things:
    fw_rule_id="2"
    url="https://www.youtube.com/"
    dst_ip="216.239.38.119"
     
    If the dst_ip is the same as restrict.youtube.com then you know that the web proxy is enforcing.  But more than that - the very fact that you are getting web proxy logs for youtube at all is an issue.  That means your "allow YouTube" firewall rule that should be being used that bypasses the proxy is not being hit.  You can use the fw_rule_id to see which one is being hit instead (matches the id number in left column of firewall rules).

    Two more things to be aware of when testing.
    Firewall rules are evaluated when the connection is opened.  HTTPS connections are persistant (they are reused).  So if you are changing firewall rules it is best to restart the browser to ensure to ensure they are new connection.
    If you have HTTPS decryption off, the proxy only logs the connection when it is closed.
     
    My suggestion is next time that you see a restricted video, try looking at the log and find out what firewall rule is being hit.  Then if you can, work out why that rule is being hit and not the one you want.  If you can't figure it out, post your rules here.
Reply
  • 0 in reply to ShayH
    Thank you for the link to the video.  What you were experiencing is definitely strange and I can understand your frustration.   Yhis led me into some things that I was not aware of.
     
    To most users, YouTube presents two options:  restricted mode on or off.
     
    From my recollection of when we implemented the CNAME override in our first product a few years ago it was the same.  They had one option, to turn resticted mode on you CNAME to restrict.youtube.com
     
    Then it appears YouTube changed and has another level presented to admins.  They can choose Strict Restricted or Moderate Restricted.  This might have been implemented when Youtube for Education (which also had abilities to do restriction) was rolled into GSuite.  See here for more.  support.google.com/.../6212415
     
    They also introduced restrictmoderate.youtube.com.  But here is the thing....  When the user does the on/off toggle for restricted mode, they are really turning on and off Moderate Restricted.  YouTube changed the meaning of restrict.youtube.com.  It used to mean the same level as the user-based restrict mode and now it means a stricter level.
     
    In 17.2 we will add the ability to choose whether you want to enable YouTube restricted mode and also be able to set the level (moderate or strict).
     
    However this doesn't address the weirdness where you have to enable and disable rules.  That suggests to me that the traffic is not hitting the correct firewall rule.
     
    Two questions:  Do you have HTTPS scanning turned on?  Are you using transparent or direct (explicit) mode?
     
    One more place to get information.  Go to the log viewer.  Click the icon for Detailed View, then switch to the web filter module.  Add a filter or a search (eg www.youtube.com).  Now you can see two things:
    messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" fw_rule_id="2" user="bob" user_group="Open Group" web_policy_id="1" web_policy="" category="Video hosting" category_type="Unproductive" url="https://www.youtube.com/" content_type="" override_token="" response_code="" src_ip="10.99.112.29" dst_ip="216.239.38.119" protocol="TCP" src_port="62001" dst_port="443" bytes_sent="24131" bytes_received="353700" domain="www.youtube.com" exception="" activity_name="" reason="" user_agent="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" status_code="200" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="1355008" app_name="Youtube Website" app_is_cloud="0"
     
    Lets pull out three relevant things:
    fw_rule_id="2"
    url="https://www.youtube.com/"
    dst_ip="216.239.38.119"
     
    If the dst_ip is the same as restrict.youtube.com then you know that the web proxy is enforcing.  But more than that - the very fact that you are getting web proxy logs for youtube at all is an issue.  That means your "allow YouTube" firewall rule that should be being used that bypasses the proxy is not being hit.  You can use the fw_rule_id to see which one is being hit instead (matches the id number in left column of firewall rules).

    Two more things to be aware of when testing.
    Firewall rules are evaluated when the connection is opened.  HTTPS connections are persistant (they are reused).  So if you are changing firewall rules it is best to restart the browser to ensure to ensure they are new connection.
    If you have HTTPS decryption off, the proxy only logs the connection when it is closed.
     
    My suggestion is next time that you see a restricted video, try looking at the log and find out what firewall rule is being hit.  Then if you can, work out why that rule is being hit and not the one you want.  If you can't figure it out, post your rules here.
Children
No Data