Restrict YouTube Access Based on Asset Behavior
You can set up Threat Defender to restrict access to certain websites for a certain time. This example shows how to use the following concepts:
Behavior-based correlation for assets
Dynamic network objects
Schedules
Objective
Outside office hours, YouTube access is permitted without restrictions. During office hours, however, YouTube access is restricted to 5 minutes. Afterwards, YouTube is blocked for an hour.
In this example, the restriction is implemented by tracking the behavior of assets. This means that if a new user logs in on a device that is currently blocked for YouTube, this new user is also blocked for YouTube until the blocking period expires. If you want to see how to restrict access for specific users independently of the devices they use, refer to Restrict YouTube Access Based on User Behavior.
To implement this, you need to set up a correlation scenario with two dynamic network objects and a dedicated rule set.
Tip
To define the office hours, the predefined Office hours schedule is used in this example. You can modify this schedule to your needs under Policy > Schedules.
Create the Correlation Scenario
First, navigate to Policy > Advanced Correlation. Set up a new correlation scenario that will contain the rules and dynamic network objects.
Create the Dynamic Network Objects
In the correlation scenario, open the Dynamic Network Objects tab. Create two dynamic network objects. One stores assets for 5 minutes, the other stores assets for one hour. This way, two lists with assets accessing YouTube are created.
The following table shows the required settings of the dynamic network objects:
Name | Network | Size | Timeout |
---|---|---|---|
 | Internal | | |
 | Internal | | |
For detailed instructions on how to create a dynamic network object in a correlation scenario, refer to Create a Dynamic Network Object.
Create the Rule Set
Set up a rule set of six rules in the correlation scenario:
Rule 1 allows all traffic except YouTube.
Rule 2 allows YouTube access for assets on the five minutes list during office hours.
Rule 3 rejects YouTube access for assets on the one hour list during office hours.
Rule 4 adds assets to the five minutes list if they started a new YouTube connection and were neither on the five minutes nor on the one hour list.
Rule 5 adds assets generating YouTube traffic to the one hour list.
Rule 6 allows all YouTube traffic. Since it is at the bottom of the rules table, it is processed last. Inside office hours, this rule is only applied to assets that meet the following conditions:
They did not use YouTube in the past hour.
They are new on the 5 minutes list.
They are new on the 1 hour list.
The following table shows the required rule settings:
Rule | Schedule | Source | Destination | Condition | Actions |
---|---|---|---|---|---|
 | | | | Classification | Final Action: Allow Traffic and Skip to Next Scenario |
 | Include | | | Classification | Final Action: Allow Traffic and Skip to Next Scenario |
 | Include | | | Classification | Final Action: Reject Traffic and Stop Processing |
 | Include | | | Classification | Dynamic Network Object |
 | Include | | | Classification | Dynamic Network Object |
 | | | | Classification | Final Action: Allow Traffic and Skip to Next Scenario |
For detailed instructions on how to create a rule in a correlation scenario, refer to Create Rules in a Correlation Scenario.
Click the APPLY CHANGES button at the top of the main navigation to activate your configuration changes.
Result
The system processes the specified rule set in a top-down approach.
Inside office hours this means:
The system allows all traffic but YouTube.
For YouTube traffic, the system checks if the requesting asset is in any of the dynamic network objects.
If yes, it carries out the respective action.
If no, it adds the asset to the dynamic network objects and proceeds to the last rule, i.e. allows YouTube access.
Outside office hours this means:
Rule 1 allows all traffic except YouTube.
Rule 6 allows YouTube traffic, because rules 2 to 5 only apply during office hours.
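The top-down processing described above can be checked offline with a small model. The following Python sketch is an added example, not Threat Defender code or configuration: the class and function names are hypothetical, every call is treated as a new YouTube connection, and it assumes that a dynamic network object entry expires a fixed time after insertion without being refreshed by later matches.

```python
FIVE_MIN, ONE_HOUR = 300, 3600  # timeouts in seconds, taken from the text above

class DynamicNetworkObject:
    """Timed asset list; an entry expires `timeout` seconds after insertion
    (assumption: matching an entry does not refresh its timer)."""
    def __init__(self, timeout):
        self.timeout, self.expires = timeout, {}

    def add(self, asset, now):
        self.expires[asset] = now + self.timeout

    def contains(self, asset, now):
        return self.expires.get(asset, 0) > now

class Scenario:
    """Hypothetical model of the six-rule correlation scenario."""
    def __init__(self):
        self.five_min = DynamicNetworkObject(FIVE_MIN)
        self.one_hour = DynamicNetworkObject(ONE_HOUR)

    def evaluate(self, asset, is_youtube, office_hours, now):
        """Walk rules 1-6 top-down; return (verdict, number of the final rule)."""
        if not is_youtube:
            return "allow", 1                  # rule 1: everything except YouTube
        if office_hours:                       # rules 2-5 carry the schedule
            if self.five_min.contains(asset, now):
                return "allow", 2              # rule 2: inside the 5-minute window
            if self.one_hour.contains(asset, now):
                return "reject", 3             # rule 3: window used up, hour not over
            self.five_min.add(asset, now)      # rule 4: on neither list, open window
            self.one_hour.add(asset, now)      # rule 5: start the one-hour entry
        return "allow", 6                      # rule 6: catch-all YouTube allow

def timeline(asset, times, office_hours=True):
    """Verdicts for one asset requesting YouTube at each offset in `times`."""
    scenario = Scenario()
    return [scenario.evaluate(asset, True, office_hours, t) for t in times]

if __name__ == "__main__":
    # Constructed sample: asset 10.0.0.23 opens YouTube at these offsets (seconds).
    offsets = [0, 120, 299, 300, 1800, 3599, 3600]
    for t, (verdict, rule) in zip(offsets, timeline("10.0.0.23", offsets)):
        print(f"t={t:>4}s  {verdict:<6} (rule {rule})")
```

The lists are keyed on the asset, not on the logged-in user, which is why a second user on the same device inherits the block. Under the stated assumptions both entries start with the first YouTube connection, so the asset is rejected from the end of the five-minute window until the one-hour entry expires.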