Configuration Guide Cisco Public

Filter YouTube Video with Cisco Web Security Appliance

About this Document

This document is for Cisco engineers, partners and customers who want to integrate the Cisco® Web Security Appliance (WSA) with a YouTube API server. The aim is to filter the YouTube videos based on video categories without blocking the entire Streaming Video Category or YouTube using AVC or Custom Category.

Product Requirement:
• Product: Cisco Web Security Appliance (Physical or Virtual Appliance)
• Software Versions: AsyncOS 12.5 or beyond.
• Account to create API & Services Project.

Introduction

Cisco® Web Security Appliance (WSA) with URL filtering, Application Visibility Control (AVC), Anti-Malware scanning, Advanced Malware Protection and many more is an all-in-one highly secure web gateway that offers broad protection, extensive controls, and investment value. It offers an array of competitive web security deployment options, each of which includes Cisco’s market-leading global threat intelligence infrastructure. As part of its continuous development process, Cisco® aims to deliver a best-in-market proxy solution that helps customers enforce the right granular restrictions to protect users’ web traffic.

Starting from AsyncOS 12.5, Cisco® Web Security Appliance (WSA) can integrate with the YouTube API server with just a few clicks to enable YouTube video filtering based on the categories controlled and defined by Google - YouTube. Cisco WSA communicates with the YouTube API server and downloads the YouTube Video Categories. Using the Access Policy URL Filtering option, you can define an action for different categories based on your business requirement.

[Figure labels: 1: https://www.youtube.com/; 2: https://www.youtube.com/watch?v=gFsBpL_Uy6Y; 3: v=gFsBpL_Uy6Y (WSA to YouTube API); 4: Category = 10 (Music); 5: Action on the WSA (Block, Monitor, Warn, Quota-Based, Time-Based)]

Traffic Flow with YouTube Categorization feature

Configuration on the Cisco WSA

Summary
1. Enable HTTPS proxy on the Cisco WSA to decrypt the request to extract the video token ID.
2. Configure Custom and External URL category to match YouTube traffic.
3. Configure Decryption Policy.
4. Enable YouTube Categorization and configure API Key to communicate with YouTube API server.
5. Configure URL Categories under Access Policy to define an action for categories.

Generate API key using

Google Account is required to access the Google API Console, and request an API key. Create a project in the Console and obtain authorization credentials so your application can submit API requests.

After creating your project, make sure the YouTube Data API is one of the services that your application is registered to use:
1. Go to the API Console and select the project that you just registered.
2. Visit the Enabled page. In the list of APIs, make sure the status is ON for the YouTube Data API v3.

Important
If you are generating the API key using wizard, under YouTube Data API v3:
1. From the Where will you be calling the API from? drop-down list, choose Other non-UI (e.g. cron job, daemon).
2. In the What data will you be accessing section, choose Public data.
3. Click What credentials do I need? then click Done.

Steps to get API key from Google (Can be used with existing /Google Account)

Note: For each video category retrieval Cisco® Web Security Appliance (WSA) consumes a single token and the daily API query limit is 10000 per API Key. The token can be extended up to 1 million by sending a request to Google and providing a business use case.

How to increase the Token Quota from Google

Step 1: Enable HTTPS proxy

To monitor and decrypt HTTPS traffic, you must enable the HTTPS Proxy. When you enable the HTTPS Proxy, you must configure what the appliance uses for a root certificate when it sends self-signed server certificates to the client applications on the network. You can upload a root certificate and key that your organization already has, or you can configure the appliance to generate a certificate and key with information you enter. Once the HTTPS Proxy is enabled, all HTTPS policy decisions are handled by Decryption Policies. Also, on this page, you can configure what the appliance does with HTTPS traffic when the server certificate is invalid.

HTTPS decryption is required for YouTube traffic to retrieve the token ID from the URL.

Example URL

Navigate to Security Services > HTTPS Proxy
1. Click on Enable and Edit Settings

Step 1: Click on Enable and Edit Settings

2. Accept the HTTPS Proxy License Agreement
3. Verify the Enable HTTPS Proxy field is enabled.
4. In the HTTPS Ports to Proxy field, enter the ports the appliance should check for HTTPS traffic. Port 443 is the default port.
5. Upload or generate a root/signing certificate to use for decryption.
6. In the HTTPS Transparent Request section, select one of the following options:
   • Decrypt the HTTPS request and redirect for authentication
   • Deny the HTTPS request
   Note: This setting only applies to transactions that use IP address as the authentication surrogate and when the user has not yet been authenticated. This field only appears when the appliance is deployed in transparent mode.
7. In the Applications that Use HTTPS section, choose whether to enable decryption for enhanced application visibility and control.

8. Submit and commit your changes.

Submitted changes to HTTP proxy settings

Note: Enable option for YouTube Categorization remains disabled under Acceptable Use Controls Settings if HTTPS proxy is not enabled.

HTTPS proxy disabled

HTTPS proxy enabled

Step 2: Configure Custom and External URL category

You can create custom and external live-feed URL categories that describe specific hostnames and IP addresses. The Web Security Appliance uses the first four characters of custom URL category names preceded by “c_” in the access logs. If you want to include the full name of a custom URL category in the access logs, add the %XF format specifier to the access logs.

Navigate to Web Security Manager > Custom and External URL Categories
1. Click on Add Category

Click on Add Category

2. Create a Local Custom Category. Add the YouTube sites www.youtube.com and m.youtube.com to match traffic, then click the Submit button.

Add YouTube sites to the Local Custom Category

Step 3: Configure Decryption Policy

Configure a decryption policy using the Custom and External URL category, with the action set to ‘decrypt’.

Navigate to Web Security Manager > Decryption Policy >

Set action to ‘decrypt’

Step 4: Enable YouTube Categorization under Acceptable Use Controls Settings

Copy the API Key from Google API & Services

Go to the API Console and select the project. Navigate to the Credentials section and copy the API Key.

API Console: Copy the API Key from the Credentials section

Go back to the WSA UI: navigate to Security Services > Acceptable Use Controls, click the Edit Global Settings button, check the Enable option, and enter the copied API Key and the Query Timeout (default is 10 seconds).

Enable Youtube Categorization

Note: The option to choose an interface for YouTube API traffic is only available if you have configured two separate routing tables for data and management services (Network > Interfaces). See Important Point 4.

Step 4. Configure Action for YouTube Video Categories

To define the desired action for a YouTube Video category, go to Access Policy and, under URL Filtering, define an action for each listed video category.

Navigate to Web Security Manager > Access Policy > URL Filtering >


Verification: Access any YouTube Video for which the defined action is Block/Warn.

This Page Cannot Be Displayed

Based on your organization’s access policies, access to the website (https://www.youtube.com/watch?v=S-sPJtZjld8) has been blocked because the YouTube category “Science & Technology” is not allowed.

If you have questions, please contact your organization’s network administrator and provide the codes shown below.

Date: Fri 02 Oct 2020 18:39:18 IST
Username:
Source IP: 192.168.0.150
URL: GET https://www.youtube.com/watch?v=S-sPJtZjld8
YouTube Category: Science & Technology
Reason: BLOCK_YTCAT
Notification: YTCAT

Blocked YouTube video

Logging and Alerts

1. Access logs

1596805758.780 104 192.168.0.150 TCP_MISS_SSL/200 39 CONNECT tunnel://www.youtube.com:443/ - DIRECT/www.youtube.com - DECRYPT_CUSTOMCAT_7-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup-NONE <"C_yout",-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"-",-,"-","-","-","-","-","-","-",3.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> - -

1596805434.944 1686 192.168.0.150 TCP_MISS_SSL/200 68378 GET https://www.youtube.com:443/watch?v=S-sPJtZjld8 - DIRECT/www.youtube.com application/octet-stream DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup-NONE <"IW_vid",9.2,1,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,"IW_vid",-,"Unknown","Streaming Video","-","YouTube","Media","Unsafe Rewrite","-",324.45,0,-,"Unknown","-",0,"-",0,0,"watch","ff1b1f1cb0970194d87beb3cdb075a87d26f95473975e910483f7dc2a38a49d2",4,-,"-",-,YT_Scie> - -

2. Proxy logs (in debug mode)

Fri Aug 7 18:53:33 2020 Debug: PROXY : 1860 : [48930:0] Launching YTC scan (1860) of www.youtube.com/watch?v=S-sPJtZjld8
Fri Aug 7 18:53:33 2020 Debug: PROXY : 1860 : [48930:0] Trace: YTC PROXY : - : Response len: 12
Fri Aug 7 18:53:33 2020 Debug: PROXY : 1860 : [48930:0] Trace: YTC PROXY : - : Category Response for Transction ID 1860: 28

Example log for URL with no YouTube Category:

Mon Aug 10 18:21:49 2020 Debug: PROXY : 5110 : [93245:0] Trace: YTC PROXY : - : Non YT URL Category: 1073741824

3. When the daily YouTube API token quota is exhausted, the WSA generates a Warning alert and the Monitor action applies by default to all YouTube videos.

Warning Alert message from WSA

4. Upon YouTube Category List update, WSA generates the Update alert notifying Administrators to take action.

Update alert from WSA
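An added example (not part of the Cisco guide): a Python parser for the access-log layout shown in item 1, which makes visible why Step 1 requires decryption, since the CONNECT line exposes only the host while the decrypted GET carries the video ID. It assumes the last field inside the angle brackets is the YouTube category tag (as YT_Scie is in the page's sample); the first two sample lines are the page's own with straight quotes, and the third is constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Lines 1-2: the guide's samples. Line 3: constructed, a watch request
# whose last verdict field is not a YT_ tag (shortened verdict block).
SAMPLE_LOG = """\
1596805758.780 104 192.168.0.150 TCP_MISS_SSL/200 39 CONNECT tunnel://www.youtube.com:443/ - DIRECT/www.youtube.com - DECRYPT_CUSTOMCAT_7-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup-NONE <"C_yout",-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"-",-,"-","-","-","-","-","-","-",3.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> - -
1596805434.944 1686 192.168.0.150 TCP_MISS_SSL/200 68378 GET https://www.youtube.com:443/watch?v=S-sPJtZjld8 - DIRECT/www.youtube.com application/octet-stream DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup-NONE <"IW_vid",9.2,1,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,"IW_vid",-,"Unknown","Streaming Video","-","YouTube","Media","Unsafe Rewrite","-",324.45,0,-,"Unknown","-",0,"-",0,0,"watch","ff1b1f1cb0970194d87beb3cdb075a87d26f95473975e910483f7dc2a38a49d2",4,-,"-",-,YT_Scie> - -
1596805440.100 950 192.168.0.151 TCP_MISS_SSL/200 51200 GET https://www.youtube.com:443/watch?v=CONSTRUCTED01 - DIRECT/www.youtube.com application/octet-stream DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup-NONE <"IW_vid",9.2,1,"-",-> - -
"""

# Space-separated leading fields, then the <...> verdict block.
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+'
    r'(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+'
    r'(?P<peer>\S+)\s+(?P<mime>\S+)\s+(?P<acl>\S+)\s+<(?P<verdicts>[^>]*)>'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The video ID exists only in the decrypted URL's query string.
    rec["video_id"] = parse_qs(urlsplit(rec["url"]).query).get("v", [None])[0]
    # Assumption: the YouTube category tag is the last verdict field.
    last = rec["verdicts"].rsplit(",", 1)[-1].strip().strip('"')
    rec["yt_category"] = last if last.startswith("YT_") else None
    rec["action"] = rec["acl"].split("-", 1)[0]  # e.g. DEFAULT_CASE_12
    return rec

def youtube_summary(log_text):
    """Count (client, category tag, action) per watch request; count tunnels."""
    seen, connects = Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "CONNECT":
            connects += 1  # tunnel setup: host only, no video ID to categorize
        elif rec["video_id"]:
            seen[(rec["client"], rec["yt_category"], rec["action"])] += 1
    return seen, connects
```

Watch requests that come back with a category of None are the ones to review, for example against the decryption policy or the alerts listed in this section.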

Tracking

A new search field for YouTube Category detail has been introduced under Web Tracking Search.

YouTube Category search field

Search result

Search results

Verification on Google end

Administrator can also review the API request count and other details on Google API Dashboard.

Request count on the Google API Dashboard

Important Points

1. When you configure the time-based access policy rules to block a specific YouTube category:
   • The time-based rules that you set do not apply to the videos that are already opened and playing at the time you configure the access policy.
   • The rules will apply only to the videos that are newly opened after you set the rules.
2. Make sure that googleapis.com is not blocked in the upstream proxy or upstream firewall. If you have configured an exception for Cisco update server and WBNP telemetry server, configure the same for googleapis.com as well.
3. Customers cannot block the video that appears on the main page of a channel, even if the video belongs to a blocked YouTube category. For example: you blocked autos and vehicles under the YouTube category. If you open a video under the specified category on the main page of a channel related to autos and vehicles, the video will not be blocked. If you try to open the same video in a separate tab, it will be blocked as expected.
4. The default routing table is Data for YouTube API request traffic if Data and Management interface both are enabled. You can also choose the routing table through which the YouTube category traffic passes through:
   • Data: For P1 and P2 interfaces
   • Management: For M1 interface
5. If split routing is not enabled on the WSA, make sure you add an exception for googleapis.com for upstream traffic from the M1 interface.
6. To re-categorize YouTube videos, the customer has to reach out to the video owner. Neither Talos nor Cisco have any control over YouTube video categories.

Note: Options 3 and 4 are only available if you have configured two separate routing tables for data and management services (Network > Interfaces)

Routing table configuration for points 3 and 4

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. 2198653 | 10/20