LAYER 7 FIREWALL ON YOU TUBE

Gerald3K
Comes here often

Hi Team

I have a problem with YouTube. I have denied it on the layer seven firewall in group policies, but I can still access it using the Android application.

alemabrahao
Kind of a big deal

The rule will not prevent you from opening the application, but you must not play the videos.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

You can try blocking QUIC.

QUIC (Quick UDP Internet Connections, pronounced quick) is an experimental transport layer network protocol developed by Google. QUIC supports a set of multiplexed connections between two endpoints over User Datagram Protocol (UDP), and was designed to provide security protection equivalent to TLS/SSL, along with reduced connection and transport latency, and bandwidth estimation in each direction to avoid congestion. QUIC's main goal is to optimize connection-oriented web applications currently using TCP. An experimental implementation is being put in place in Chrome by a team of engineers at Google.

What happens if QUIC is not blocked?

Chrome browsers have the QUIC protocol enabled by default. When users try to access Google applications using the Chrome browser, a session to a Google server is established using the QUIC protocol instead of TLS/SSL. QUIC is an experimental protocol at its early stages of development, and it uses proprietary encryption methods.

Gerald3K
Comes here often

Thank you @alemabrahao. So what are the steps, or how can I block QUIC?

@Gerald3K try creating an additional L3 policy to block QUIC UDP traffic (UDP/443 and UDP/80). And yes, it uses UDP instead of TCP.


Hi @alemabrahao, I have tried to create an L3 policy but nothing changed.

Have you tried blocking YouTube on the content filtering page?


Would the correct way to block it be:

Deny
UDP Any 443,80 Any 443,80
?

When I have that in place I'm not seeing any hits against it (am trying to access Facebook, YouTube and Gmail to trigger it, using Chrome). The rule is at the bottom of our deny rules list, but placed before any allow rules if that makes any difference.

I think I've fixed this now - I had to change the source port from 443,80 to Any and I can now see hits against it and when using the 'Security' tab in Developer Tools it now shows TLS 1.3 rather than QUIC.
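The fix described in that reply (source port 443,80 never matching, source port Any matching) can be checked offline with a small stateless rule matcher. This is an added example, not code from the thread or from Meraki; the rule text format is a simplified version of the thread's "Deny / UDP Any 443,80 Any 443,80" form, and the flow records are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


def parse_ports(spec: str) -> Optional[Set[int]]:
    """'Any' -> None (wildcard); '443,80' -> {443, 80}."""
    if spec.strip().lower() == "any":
        return None
    return {int(p) for p in spec.split(",") if p.strip()}


@dataclass
class Rule:
    action: str
    proto: str
    src_ports: Optional[Set[int]]
    dst_ports: Optional[Set[int]]

    @classmethod
    def parse(cls, text: str) -> "Rule":
        # Assumed simplified form: '<Deny|Allow> <proto> <src> <src ports> <dst> <dst ports>'.
        # Address fields are accepted but ignored here (treated as Any).
        action, proto, _src, sport, _dst, dport = text.split()
        return cls(action, proto.upper(), parse_ports(sport), parse_ports(dport))

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        return (self.proto == proto.upper()
                and (self.src_ports is None or sport in self.src_ports)
                and (self.dst_ports is None or dport in self.dst_ports))


def count_hits(rule_text: str, flows: List[Tuple[str, int, int]]) -> int:
    """Number of (proto, src port, dst port) flows the rule would match."""
    rule = Rule.parse(rule_text)
    return sum(rule.matches(*f) for f in flows)


# Constructed client-to-server flows: two QUIC sessions plus traffic that must stay untouched.
SAMPLE_FLOWS = [
    ("UDP", 51234, 443),  # QUIC, ephemeral client source port
    ("UDP", 60210, 443),  # QUIC, another session
    ("TCP", 51235, 443),  # TLS over TCP, must still be allowed
    ("UDP", 52000, 53),   # DNS, must still be allowed
]

MISCONFIGURED = "Deny UDP Any 443,80 Any 443,80"  # source port pinned to 443,80, as first tried
CORRECTED = "Deny UDP Any Any Any 443,80"         # source port Any, as in the fix

if __name__ == "__main__":
    print(count_hits(MISCONFIGURED, SAMPLE_FLOWS))  # 0: clients never send from 443/80
    print(count_hits(CORRECTED, SAMPLE_FLOWS))      # 2: both QUIC flows denied
```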

PhilipDAth
Kind of a big deal

You could also create a L3 firewall rule to block the FQDN youtube.com.

Security & SD-WAN/Firewall

Gerald3K
Comes here often

Thank you @PhilipDAth. How can I block the FQDN youtube.com?
