Important Points
1. When you configure the time-based access policy rules to block a specific YouTube category:
• The time-based rules that you set do not apply to the videos that are already opened and playing at the time you configure
the access policy.
• The rules will apply only to the videos that are newly opened after you set the rules.
2. Make sure that googleapis.com is not blocked in the upstream proxy or upstream firewall. If you have configured an exception for
Cisco update server and WBNP telemetry server, configure the same for googleapis.com as well.
3. Customers cannot block the video that appears on the main page of a channel, even if the video belongs to a blocked YouTube
category. For example: you blocked autos and vehicles under the YouTube category. If you open a video under the specified
category on the main page of a channel related to autos and vehicles, the video will not be blocked. If you try to open the same
video in a separate tab, it will be blocked as expected.
4. The default routing table is Data for YouTube API request traffic if Data and Management interface both are enabled. You can also
choose the routing table through which the YouTube category traffic passes through:
• Data: For P1 and P2 interfaces
• Management: For M1 interface
5. If split routing is not enabled on the WSA, make sure you add an exception for googleapis.com for upstream traffic from the M1 interface.
6. To re-categorize YouTube videos, the customer has to reach out to the video owner. Neither Talos nor Cisco have any control
over YouTube video categories.
Note: Options 3 and 4 are only available
if you have configured two separate
routing tables for data and management
services (Network > Interfaces)
Conguration Guide
Cisco Public
Filter YouTube Video with Cisco
Web Security Appliance
Introduction
Cisco® Web Security Appliance (WSA) with URL filtering, Application Visibility Control (AVC), Anti-
Malware scanning, Advanced Malware Protection and many more is an all-in-one highly secure web
gateway that offers broad protection, extensive controls, and investment value.
It offers an array of competitive web security deployment options, each of which includes Cisco’s market-
leading global threat intelligence infrastructure. In the continuous development process, Cisco® makes
sure to deliver best in market proxy solution which ultimately helps our customers to enforce the right and
granular restrictions to protect user’s web traffic.
Starting from AsyncOS 12.5, Cisco® Web Security Appliance (WSA) can integrate with YouTube API
server with just a few clicks to enable YouTube video filtering based on the categories controlled and
defined by Google - YouTube. Cisco WSA communicates with the YouTube API server and downloads
the YouTube Video Categories. Using Access Policy URL Filtering option you can define an action for
different categories based on your business requirement.
Generate API key using Google Account
Google Account is required to access the Google API Console, and request an API key.
Create a project in the Google Developers Console and obtain authorization credentials
so your application can submit API requests.
After creating your project, make sure the YouTube Data API is one of the services that
your application is registered to use:
1. Go to the API Console and select the project that you just registered.
2. Visit the Enabled APIs page. In the list of APIs, make sure the status is ON for the
YouTube Data API v3.
Steps to get API key from Google (Can be used with existing Gmail/Google Account)
Note: For each video category retrieval Cisco® Web Security Appliance (WSA) consumes a
single token and the daily API query limit is 10000 per API Key. The token can be extended
up to 1 million by sending a request to Google and providing a business use case.
How to increase the Token Quota from Google
Step 1: Enable HTTPS proxy
To monitor and decrypt HTTPS traffic, you must enable the HTTPS Proxy. When you enable the HTTPS Proxy, you must configure what
the appliance uses for a root certificate when it sends self-signed server certificates to the client applications on the network. You can
upload a root certificate and key that your organization already has, or you can configure the appliance to generate a certificate and key
with information you enter. Once the HTTPS Proxy is enabled, all HTTPS policy decisions are handled by Decryption Policies. Also, on
this page, you can configure what the appliance does with HTTPS traffic when the server certificate is invalid.
Step 4. Congure Action for YouTube Video Categories
To define the desired action for YouTube Video category, go to Access Policy and under URL Filtering define an action for Listed
Video Category
Logging and Alerts
Navigate to Web Security Manager >
Access Policy > URL Filtering >
Verification:
Access any YouTube Video for which the
defined action is Block/Warn.
`
Important
If you are generating the API key
using wizard, under YouTube
Data API v3:
1. From the Where will you be
calling the API from? drop-down
list, choose Other non-UI
(e.g. cron job, daemon).
2. In the What data will you be
accessing section, choose
Public data.
3. Click What credentials do I
need? then click Done.
Conguration on the Cisco WSA
Summary
1. Enable HTTPS proxy on the Cisco WSA to decrypt the request to extract the
video token ID.
2. Configure Custom and External URL category to match YouTube traffic.
3. Configure Decryption Policy.
4. Enable YouTube Categorization and configure API Key to communicate with
YouTube API server.
5. Configure URL Categories under Access Policy to define an action for categories.
API Console: Copy the API Key from the Credentials section
Blocked YouTube video
Update alert from WSA
HTTPS decryption is required for
YouTube traffic to retrieve the token ID
from the URL.
Navigate to Security Services >
HTTPS Proxy
1. Click on Enable and Edit Settings
2. Accept the HTTPS Proxy License
Agreement
3. Verify the Enable HTTPS Proxy field is
enabled.
4. In the HTTPS Ports to Proxy field,
enter the ports the appliance should
check for HTTPS traffic. Port 443 is
the default port.
5. Upload or generate a root/signing
certificate to use for decryption.
6. In the HTTPS Transparent Request
section, select one of the following
options:
• Decrypt the HTTPS request and
redirect for authentication
• Deny the HTTPS request
Note: This setting only applies to
transactions that use IP address as the
authentication surrogate and when the
user has not yet been authenticated. This
field only appears when the appliance is
deployed in transparent mode.
7. In the Applications that Use HTTPS
section, choose whether to enable
decryption for enhanced application
visibility and control.
8. Submit and commit your changes.
Note: Enable option for YouTube
Categorization remains disabled under
Acceptable Use Controls Settings if
HTTPS proxy is not enabled.
Example URL
Submitted changes to HTTP proxy settings
HTTPS proxy disabled
HTTPS proxy enabled
Step 1: Click on Enable and Edit Settings
Step 2: Congure Custom and External URL category
You can create custom and external live-feed URL categories that describe specific hostnames and IP addresses. The Web Security
Appliance uses the first four characters of custom URL category names preceded by “c_” in the access logs. If you want to include
the full name of a custom URL category in the access logs, add the %XF format specifier to the access logs.
Navigate to Web Security Manager >
Custom and External URL Categories
1. Click on Add Category
2. Create Local Custom Category
Add YouTube sites www.youtube.com
and m.youtube.com to match traffic
and Click on Submit button.
Click on Add Category
Add YouTube sites to the Local Custom Category
Step 3: Congure Decryption Policy
Configured decryption policy using the Custom and External URL category, with action as ‘decrypt’.
Navigate to Web Security Manager >
Decryption Policy >
Set action to ‘decrypt’
Step 4: Enable YouTube Categorization under Acceptable Use Controls Settings
Copy the API Key from Google API &
Services
Go to the API Console and select the
project. Navigate to the Credentials
section and copy the API Key.
Go Back to WSA UI:
Navigate to Security Services > Click on
Acceptable Use Controls > Click on Edit
Global Settings button >
Check Enable option, enter copied API
Key and Query Timeout (default is 10
Seconds)
Note: Option to choose an interface for
YouTube API traffic is only available if you
have configured two separate routing tables
for data and management services (Network
> Interfaces). Check Important Point 4.
API Console: Copy the API Key from the Credentials section
Enable Youtube Categorization
1596805758.780 104 192.168.0.150 TCP_MISS_SSL/200 39
CONNECT tunnel://www.youtube.com:443/ - DIRECT/www.youtube.com
- DECRYPT_CUSTOMCAT_7-DefaultGroup-DefaultGroup-NONE-NONE-
NONE-DefaultGroup-NONE <”C_yout”,-,-,”-”,-,-,-,-,”-”,-,-,-,”-”,-,-,”-”,”-
”,-,-,”-”,-,”-”,”-”,”-”,”-”,”-”,”-”,”-”,3.00,0,-,”-”,”-”,-,”-”,-,-,”-”,”-”,-,-,”-”,-,->
- -
1596805434.944 1686 192.168.0.150 TCP_MISS_SSL/200 68378 GET https://
www.youtube.com:443/watch?v=S-sPJtZjld8 - DIRECT/www.youtube.com
application/octet-stream DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-
NONE-NONE-DefaultGroup-NONE <”IW_vid”,9.2,1,”-”,0,0,0,1,”-”,-,-,-,”-”,0,0,”-
”,”-”,-,-,”IW_vid”,-,”Unknown”,”Streaming Video”,”-”,”YouTube”,”Media”,”Unsafe
Rewrite”,”-”,324.45,0,-,”Unknown”,”-”,0,”-”,0,0,”watch”,”ff1b1f1cb0970194d87beb3
cdb075a87d26f95473975e910483f7dc2a38a49d2”,4,-,”-”,-,YT_Scie> - -
1. Access logs
2. Proxy logs (in debug mode) Fri Aug 7 18:53:33 2020 Debug: PROXY : 1860 : [48930:0] Launching YTC scan
(1860) of www.youtube.com/watch?v=S-sPJtZjld8
Fri Aug 7 18:53:33 2020 Debug: PROXY : 1860 : [48930:0] Trace: YTC PROXY : - :
Response len: 12
Fri Aug 7 18:53:33 2020 Debug: PROXY : 1860 : [48930:0] Trace: YTC PROXY : - :
Category Response for Transction ID 1860: 28
Example log for URL with no
YouTube Category
Mon Aug 10 18:21:49 2020 Debug: PROXY : 5110 : [93245:0] Trace: YTC PROXY : - :
Non YT URL Category: 1073741824
3. Upon YouTube API per day Token
Exhaustion, WSA generates the
Warning alert and Monitor action will
apply by default for all YouTube Videos.
Warning Alert message from WSA
4. Upon YouTube Category List update,
WSA generates the Update alert
notifying Administrators to take action.
Search result
New Search field introduced for YouTube
Category detail under Web Tracking Search
Tracking
YouTube Category search field
Search results
Request count on the Google API Dashboard
Routing table configuration for points 3 and 4
Verication on Google end
Administrator can also review the API
request count and other details on
Google API Dashboard.
About this Document
This document is for Cisco engineers, partners and customers who want to
integrate the Cisco® Web Security Appliance (WSA) with a YouTube API server.
The aim is to filter the YouTube videos based on video categories without blocking
the entire Streaming Video Category or YouTube using AVC or Custom Category.
Product Requirement:
• Product: Cisco Web Security Appliance
(Physical or Virtual Appliance)
• Software Versions: AsyncOS 12.5 or beyond.
• Google Account to create API & Services Project.
Traffic Flow with YouTube Categorization feature
This Page Cannot Be Displayed
Based on your organization’s access policies, access to the website (https://www.youtube.
com/watch?v-S-sPJtZjld8) has been blocked because the YouTube category “Science &
Technology” is not allowed.
If you have questions, please contact your organization’s network administrator and provide
the codes shown below.
Date: Fri 02 Oct 2020 18:39:18 IST
Username:
Source IP: 192.168.0.150
URL_GET https://www.youtube.com/watch?v=S-sPJtZjld8
YouTube Category: Science & Technology
Reason: BLOCK_YTCAT
Notification: YTCAT
3
5
4
YouTube
YouTube API
1https://www.youtube.com/ 2https://www.youtube.com/
watch?v=gFsBpL_Uy6Y
v=gFsBpL_Uy6Y
Category = 10 (Music)
WSA Action
Action
Block
Monitor
Warn
Quota-Based
Time-Based
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of
Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/
trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not
imply a partnership relationship between Cisco and any other company. 2198653 | 10/20