Restricting YouTube Access Based on Asset Behavior

You can set up Threat Defender to restrict access to certain websites for a certain time. This example shows how to use the following concepts:

Objective

Outside office hours, YouTube access is permitted without restrictions. During office hours, however, YouTube access is restricted to 5 minutes. Afterwards, YouTube is blocked for an hour.

In this example, the restriction is implemented by tracking the behavior of assets. This means that if a new user logs in on a device that is blocked for YouTube, this new user will also be blocked for YouTube until the blocking period expires. If you want to see how to restrict access for specific users independently of the devices they use, refer to Restricting YouTube Usage Based on Users.

To implement this, you need to set up a correlation scenario with two dynamic network objects and a dedicated rule set.

To define the office hours, the predefined Office hours schedule is used in this example. You can modify this schedule to your needs under Policy > Schedules.

Creating the Correlation Scenario

First, set up the correlation scenario that will contain the rules and dynamic network objects.

  1. Navigate to Policy > Advanced Correlation.
  2. Click ADD.
  3. Enter a Name and an optional Note.
  4. Click SAVE.

Creating the Dynamic Network Objects

Create two dynamic network objects. One stores assets for 5 minutes, the other stores assets for one hour. This way, two lists with assets accessing YouTube are created.

The following table shows the required settings of the dynamic network objects:

Name          Network    Size    Timeout (s)
5 min list    Internal   1000    300
1 hour list   Internal   1000    3600

For detailed instructions on how to create a dynamic network object in a correlation scenario, refer to Creating a Dynamic Network Object.

Creating the Rule Set

Set up a rule set of six rules in the correlation scenario:

  • Rule 1 allows all traffic except YouTube.
  • Rule 2 allows YouTube access for assets on the five minutes list during office hours.
  • Rule 3 rejects YouTube access for assets on the one hour list during office hours.
  • Rule 4 adds assets to the five minutes list if they started a new YouTube connection and were neither on the five minutes nor on the one hour list.
  • Rule 5 adds assets generating YouTube traffic to the one hour list.
  • Rule 6 allows all YouTube traffic. Since it is at the bottom of the rules table, it is processed last.
    Inside office hours, this rule is only applied to users that meet the following conditions:
    • They did not use YouTube in the past hour.
    • They are new on the 5 minutes list.
    • They are new on the 1 hour list.


The following table shows the required rule settings (columns: Rule, Schedule, Source, Destination, Condition, Actions):

Rule 1
  Schedule: (none)
  Source: Any
  Destination: Any
  Condition: Classification, Excluded Applications/Protocols: YouTube
  Actions: Final Action: Allow Traffic and Skip to Next Scenario

Rule 2
  Schedule: Include Office hours
  Source: 5 min list
  Destination: Any
  Condition: Classification, Included Applications/Protocols: YouTube
  Actions: Final Action: Allow Traffic and Skip to Next Scenario

Rule 3
  Schedule: Include Office hours
  Source: 1 hour list
  Destination: Any
  Condition: Classification, Included Applications/Protocols: YouTube
  Actions: Final Action: Reject Traffic and Stop Processing

Rule 4
  Schedule: Include Office hours
  Source: Any
  Destination: Any
  Condition: Classification, Included Applications/Protocols: YouTube
  Actions: Dynamic Network Object
    Operation: Add
    Host Identifier: Asset
    Who: Client
    Target Dynamic Network Object: 5 min list

Rule 5
  Schedule: Include Office hours
  Source: Any
  Destination: Any
  Condition: Classification, Included Applications/Protocols: YouTube
  Actions: Dynamic Network Object
    Operation: Add
    Host Identifier: Asset
    Who: Client
    Target Dynamic Network Object: 1 hour list

Rule 6
  Schedule: (none)
  Source: Any
  Destination: Any
  Condition: Classification, Included Applications/Protocols: YouTube
  Actions: Final Action: Allow Traffic and Skip to Next Scenario

For detailed instructions on how to create a rule in a correlation scenario, refer to Creating Rules in a Correlation Scenario.

Click the APPLY CHANGES button in the header to activate your configuration changes.

Result

The system processes the specified rule set in a top-down approach.

Inside office hours this means:

  1. The system allows all traffic but YouTube.
  2. For YouTube traffic, the system checks if the requesting asset is in any of the dynamic network objects.

    • If yes, it carries out the respective action (allow while the asset is on the 5 min list, reject while it is only on the 1 hour list).
    • If no, it adds the asset to both dynamic network objects and proceeds to the last rule, i.e. allows YouTube access.

Outside office hours this means:

  1. The system allows all traffic but YouTube.
  2. The system allows YouTube traffic (rules 2 to 5 only apply during office hours).
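To make the top-down processing described above concrete, the following simulation is an added example, not part of the original page or of Threat Defender itself. It models the two dynamic network objects as asset lists whose entries expire after their timeout, evaluates the six rules in order for a sequence of constructed connection events, and shows why an asset gets 5 minutes of YouTube, is rejected until its 1 hour list entry expires, and is then allowed again. The office-hours schedule (09:00 to 17:00), the asset and user names, and the assumption that re-adding an asset does not refresh an existing entry are all constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical model of a dynamic network object: each asset entry expires
# `timeout` seconds after it was added (assumed, not refreshed on re-add).
@dataclass
class DynamicNetworkObject:
    name: str
    timeout: int
    entries: dict = field(default_factory=dict)  # asset -> expiry time (s)

    def add(self, asset: str, now: int) -> None:
        self.entries.setdefault(asset, now + self.timeout)

    def contains(self, asset: str, now: int) -> bool:
        expiry = self.entries.get(asset)
        if expiry is None:
            return False
        if now >= expiry:          # entry timed out: drop it
            del self.entries[asset]
            return False
        return True

# Constructed stand-in for the predefined "Office hours" schedule: 09:00-17:00.
OFFICE_START, OFFICE_END = 9 * 3600, 17 * 3600

def in_office_hours(now: int) -> bool:
    return OFFICE_START <= (now % 86400) < OFFICE_END

class YouTubePolicy:
    """Top-down evaluation of the six rules from the page."""

    def __init__(self) -> None:
        self.five_min = DynamicNetworkObject("5 min list", 300)
        self.one_hour = DynamicNetworkObject("1 hour list", 3600)

    def evaluate(self, asset: str, app: str, now: int) -> str:
        # Decisions are keyed by asset only: a different user on the same
        # device sees exactly the same state (the page's asset-based behavior).
        office = in_office_hours(now)
        if app != "YouTube":                                   # Rule 1
            return "allow"
        if office and self.five_min.contains(asset, now):      # Rule 2
            return "allow"
        if office and self.one_hour.contains(asset, now):      # Rule 3
            return "reject"
        if office:                                             # Rules 4 and 5
            self.five_min.add(asset, now)
            self.one_hour.add(asset, now)
        return "allow"                                         # Rule 6

def simulate(events):
    """events: (time_s, user, asset, app) -> list of (time_s, user, asset, app, action)."""
    policy = YouTubePolicy()
    return [(t, user, asset, app, policy.evaluate(asset, app, t))
            for t, user, asset, app in events]

# Constructed timeline: laptop-1 is used by alice, then bob logs in on the
# same device while it is still blocked; laptop-3 is used after office hours.
BASE = 10 * 3600  # 10:00, inside office hours
SAMPLE_EVENTS = [
    (BASE + 0,    "alice", "laptop-1", "YouTube"),   # first connection: allowed
    (BASE + 200,  "alice", "laptop-1", "YouTube"),   # still inside 5 min window
    (BASE + 200,  "alice", "laptop-1", "Mail"),      # non-YouTube: rule 1
    (BASE + 400,  "alice", "laptop-1", "YouTube"),   # 5 min list expired: rejected
    (BASE + 3500, "bob",   "laptop-1", "YouTube"),   # new user, same asset: rejected
    (BASE + 3600, "bob",   "laptop-1", "YouTube"),   # 1 hour list expired: allowed again
    (BASE + 0,    "carol", "laptop-2", "YouTube"),   # other asset: its own timers
    (20 * 3600,   "dave",  "laptop-3", "YouTube"),   # outside office hours
    (20 * 3600 + 400, "dave", "laptop-3", "YouTube"),
]

if __name__ == "__main__":
    for t, user, asset, app, action in simulate(SAMPLE_EVENTS):
        print(f"{t:>6d}s {user:<6} {asset:<9} {app:<8} -> {action}")
```

The timeline makes the page's edge case visible: the asset is rejected from second 300 until second 3600 after its first connection, because the 1 hour list entry outlives the 5 min list entry, and rule 3 fires before rules 4 to 6 get a chance to re-add it.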
