Restricting YouTube Access Based on User Behavior

You can set up Threat Defender to restrict access to certain websites for a certain time.

This example combines three concepts: a correlation scenario, event tracking tables and correlation rules.

1. Objective

YouTube access is restricted to 5 minutes. Afterwards, YouTube is blocked for an hour.

In this example, the restriction is based on the behavior of users independently of the devices they use. If you do not track users and want to see how to restrict access based on devices, refer to Restricting YouTube Usage Based on Assets.

To implement this, you need to set up a correlation scenario with two event tracking tables and a dedicated rule set.

2. Creating the Correlation Scenario

First, set up the correlation scenario that will contain the rules and event tracking tables.

  1. Navigate to Policy > Advanced Correlation.
  2. Click ADD.
  3. Enter a Name and an optional Note.
  4. Click SAVE.

3. Creating the Event Tracking Tables

Create two event tracking tables. One stores users for 5 minutes, the other stores users for one hour. This way, two lists with YouTube users are created.

We use event tracking tables to track the users. Since only the primary attribute, i.e. the User, is to be tracked, select None as the secondary attribute. This matters because with a secondary attribute set, Threat Defender would match on the attribute pair rather than on the user alone, and the conditions in the rules below would not match.

The following table shows the required settings of the event tracking tables (retention time in seconds):

Name          Retention Time  Primary Attribute Type  Max. No. Primary  Secondary Attribute Type  Max. No. Secondary per Primary
1 hour users  3600            User                    100               None                      1
5 min users   300             User                    100               None                      1

Make sure that the Maximum Number of Primary Attributes of both tables is large enough for the number of users in your network; 100 is only an example value.

For detailed instructions on how to create an event tracking table, refer to Creating an Event Tracking Table.

4. Creating the Rule Set

Set up a rule set of five rules in the correlation scenario:

  • Rule 1 allows all traffic except YouTube.
  • Rule 2 allows YouTube access for users on the five minutes list.
  • Rule 3 rejects YouTube access for users on the one hour list.
  • Rule 4 adds users who start a new YouTube connection (and are on neither list) to the five minutes list.
  • Rule 5 adds the same users to the one hour list.

The following table shows the required rule settings:

Rule 1
  Source: Any
  Destination: Any
  Condition: Classification, Excluded Applications/Protocols: YouTube
  Actions: Final Action: Allow Traffic and Skip to Next Scenario

Rule 2
  Source: Any
  Destination: Any
  Condition: Classification, Included Applications/Protocols: YouTube
  Advanced Correlation Condition: Event in Event Tracking Table, Event Tracking Table: 5 min users
  Actions: Final Action: Allow Traffic and Skip to Next Scenario

Rule 3
  Source: Any
  Destination: Any
  Condition: Classification, Included Applications/Protocols: YouTube
  Advanced Correlation Condition: Event in Event Tracking Table, Event Tracking Table: 1 hour users
  Actions: Final Action: Reject Traffic and Stop Processing

Rule 4
  Source: Any
  Destination: Any
  Condition: Classification, Included Applications/Protocols: YouTube
  Actions: Add to Event Tracking Table, Event Tracking Table: 5 min users, Primary Attribute: User, Secondary Attribute: None

Rule 5
  Source: Any
  Destination: Any
  Condition: Classification, Included Applications/Protocols: YouTube
  Actions: Add to Event Tracking Table, Event Tracking Table: 1 hour users, Primary Attribute: User, Secondary Attribute: None

For detailed instructions on how to create a rule in a correlation scenario, refer to Creating Rules in a Correlation Scenario.

Click the APPLY CHANGES button in the header to activate your configuration changes.

5. Result

The system processes the specified rule set in a top-down approach:

  1. Rule 1 allows all traffic but YouTube and skips to the next correlation scenario.
  2. For YouTube traffic, the system checks if the requesting user is in any of the event tracking tables:

    • If the user is on the 5 min users list, rule 2 allows YouTube access and skips to the next correlation scenario.
    • If the user is not on the 5 min users list but on the 1 hour users list, rule 3 rejects YouTube access and stops processing.
    • If the user is on none of the two lists, rules 4 and 5 add the user to both event tracking tables, so both timers start with the user's first YouTube connection.

Note that rules 2 and 3 only check the tables and do not add to them, and that both entries are created by the same first connection. In practice a user is therefore allowed YouTube for 5 minutes, rejected for the remaining 55 minutes until the 1 hour users entry has expired, and can then start a new 5-minute window. Because the tables are keyed on the user, switching devices does not reset these timers.
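To check the resulting access timeline before deploying the policy, the following Python model simulates the two event tracking tables and the top-down evaluation of rules 1 to 5. This is an added example and not Threat Defender code: the table semantics (an entry expires exactly after its retention time and is not refreshed while it exists) and the final action of rules 4 and 5 (the page lists none; the model treats the first connection as allowed) are assumptions, and the user names and timestamps are constructed.

```python
"""Model of the five-rule YouTube correlation scenario described on this page.

Added example, not Threat Defender code. Retention times are in seconds,
as in the event tracking table settings above.
"""
from dataclasses import dataclass, field

FIVE_MIN = 300   # retention time of the "5 min users" table
ONE_HOUR = 3600  # retention time of the "1 hour users" table


@dataclass
class EventTrackingTable:
    """Stores a primary attribute (the user) for `retention` seconds."""
    name: str
    retention: int
    max_primary: int = 100                      # Maximum Number of Primary Attributes
    entries: dict = field(default_factory=dict)  # user -> expiry timestamp

    def expire(self, now: float) -> None:
        """Drop entries whose retention time has elapsed."""
        self.entries = {u: exp for u, exp in self.entries.items() if exp > now}

    def contains(self, user: str, now: float) -> bool:
        """Condition 'Event in Event Tracking Table' for the given user."""
        self.expire(now)
        return user in self.entries

    def add(self, user: str, now: float) -> None:
        """Action 'Add to Event Tracking Table' (secondary attribute: None).

        Assumption: an existing entry keeps its original expiry.
        """
        self.expire(now)
        if user in self.entries:
            return
        if len(self.entries) >= self.max_primary:
            raise RuntimeError(f"{self.name}: table full, cannot track {user}")
        self.entries[user] = now + self.retention


def evaluate(user: str, app: str, now: float,
             five_min: EventTrackingTable, one_hour: EventTrackingTable) -> str:
    """Top-down evaluation of rules 1-5; returns the final action taken."""
    # Rule 1: all traffic except YouTube is allowed (skip to next scenario).
    if app != "YouTube":
        return "allow"
    # Rule 2: user still within the 5-minute window -> allow.
    if five_min.contains(user, now):
        return "allow"
    # Rule 3: 5-minute window over, hour not yet elapsed -> reject, stop.
    if one_hour.contains(user, now):
        return "reject"
    # Rules 4 and 5: first YouTube connection of a new cycle -> start both timers.
    five_min.add(user, now)
    one_hour.add(user, now)
    # Assumption: the page lists no final action for rules 4/5; the first
    # connection is treated as allowed (later ones are allowed by rule 2).
    return "allow"


def timeline(user: str, times: list) -> list:
    """Evaluate YouTube connections of one user at the given timestamps."""
    five_min = EventTrackingTable("5 min users", FIVE_MIN)
    one_hour = EventTrackingTable("1 hour users", ONE_HOUR)
    return [(t, evaluate(user, "YouTube", t, five_min, one_hour)) for t in times]


if __name__ == "__main__":
    # Constructed sample: one user connecting at several points of an hour.
    for t, action in timeline("alice", [0, 120, 299, 300, 1800, 3599, 3600, 3700]):
        print(f"t={t:5d}s  YouTube -> {action}")
```

The printed timeline makes the 5-minute window, the block for the rest of the hour and the restart at 3600 seconds visible; changing the retention constants or the evaluation order (for example swapping rules 2 and 3) shows immediately how the behaviour changes.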
