LAYER 7 FIREWALL ON YOU TUBE

Gerald3K
Comes here often

LAYER 7 FIREWALL ON YOU TUBE

Hi Team

I have a problem with youtube,i have denied it on layer seven firewall on group policies but i can access it using android application 

 

11 Replies 11
alemabrahao
Kind of a big deal
Kind of a big deal

The rule will not prevent you from opening the application, but you must not play the videos.

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

You can try blocking QUIC.

 

QUIC (Quick UDP Internet Connections, pronounced quick) is an experimental transport layer network protocol developed by Google. QUIC supports a set of multiplexed connections between two endpoints over User Datagram Protocol (UDP), and was designed to provide security protection equivalent to TLS/SSL, along with reduced connection and transport latency, and bandwidth estimation in each direction to avoid congestion. QUIC's main goal is to optimize connection-oriented web applications currently using TCP. An experimental implementation is being put in place in Chrome by a team of engineers at Google.

 

What happens if QUIC is not blocked?

 

Chrome browsers have the QUIC protocol enabled by default. When users try to access Google applications using the Chrome browser, a session to a Google server is established using the QUIC protocol instead of TLS/SSL. QUIC is an experimental protocol at its early stages of development, and it uses proprietery encryption methods.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Gerald3K
Comes here often

thank you @alemabrahao so what are the steps or how can i block using QUIC

alemabrahao
Kind of a big deal
Kind of a big deal

@Gerald3K  try creating an additional L3 policy to block QUIC UDP traffic (UDP/443 and UDP/80). And yes, It uses UDP instead TCP.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Gerald3K
Comes here often

hi @alemabrahao  i have tried to create L3  policy but nothing changed

alemabrahao
Kind of a big deal
Kind of a big deal

Have you tried block YouTube on content filtering page?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Flashback
Here to help

Would the correct way to block it be:

Deny
UDP Any 443,80 Any 443,80
?

When I have that in place I'm not seeing any hits against it (am trying to access Facebook, YouTube and Gmail to trigger it, using Chrome). The rule is at the bottom of our deny rules list, but placed before any allow rules if that makes any difference.
Flashback
Here to help

I think I've fixed this now - I had to change the source port from 443,80 to Any and I can now see hits against it and when using the 'Security' tab in Developer Tools it now shows TLS 1.3 rather than QUIC.

PhilipDAth
Kind of a big deal
Kind of a big deal

You could also create a L3 firewall rule to block the FQDN youtube.com.

PhilipDAth
Kind of a big deal
Kind of a big deal

Security & SD-WAN/Firewall

 

PhilipDAth_0-1677606940066.png

 

Gerald3K
Comes here often

thank you @PhilipDAth  how can i block the FQDN youtube

 

Get notified when there are additional replies to this discussion.