Technical Tip: How to enable access only to internal domains hosted on Google while the web filter category 'Web-based Email' is set to block
Description
Solution
- If these options are not visible, check whether a proxy-based web filter profile is in use, since this feature is only supported in proxy-based profiles.
- Deep inspection is necessary to restrict a Google account for a specific domain.
- Create a web filter profile called 'test' using the GUI.

- Enable 'URL Filter' under the static filter and create a dummy entry, like 'example.com'. Make sure that under 'FortiGuard Category Based Filter', the 'Web-based Email' under 'General Interest - Personal' is 'Allow'.
- Enable 'Restrict Google account for the specific domain' and define the domain that is hosted on Google Mail services.

- Go to the CLI and verify that the following entries look like this:
config webfilter urlfilter
edit 1
set name "Auto-webfilter-urlfilter_gkkqnfrif"
config entries
delete 1 <----- This will delete the 'example.com' entry created from GUI.
edit 1
set url "*.google.com"
set type wildcard
set web-proxy-profile "Auto-web-proxy-profile_ff0ygfu3d"
next
edit 2
set url "gmail.com"
next
edit 3
set url "google.com"
next
end
next
end
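As an added example (not from the original article), the following shows what the auto-generated web-proxy profile referenced by the '*.google.com' entry does, together with the policy settings it depends on. The restriction works by inserting the X-GoogApps-Allowed-Domains request header, which Google only sees when the FortiGate can rewrite the decrypted request; the profile names, 'company.com', the policy ID and the 'block-quic' application list name are placeholders.

```fortios
# Added example, not the article's own output. Placeholders:
# profile names, "company.com", policy ID 10, application list "block-quic".
config web-proxy profile
    edit "Auto-web-proxy-profile_PLACEHOLDER"
        config headers
            edit 1
                # Google honours this request header and refuses sign-in to
                # accounts outside the listed domain(s). The FortiGate adds it
                # to requests matched by the "*.google.com" urlfilter entry.
                set name "X-GoogApps-Allowed-Domains"
                set action add-to-request
                set content "company.com"
            next
        end
    next
end
config firewall policy
    edit 10
        # Header insertion needs the proxy to see and modify the TLS payload:
        # proxy inspection mode plus deep (full SSL) inspection.
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "test"
        # Application control list that blocks QUIC, so the browser falls
        # back to TCP HTTPS that the proxy can inspect.
        set application-list "block-quic"
    next
end
```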
To allow file uploads and downloads from Gmail without restriction while the 'Web-based Email' category is blocked, add the URLs that handle these transfers to the webfilter urlfilter. The one known so far is 'mail-attachment.googleusercontent.com', which also belongs to the blocked category.
This URL must be allowed or exempted so that attachments can be uploaded and downloaded from the email:
config webfilter urlfilter
edit 2
set name "Auto-webfilter-urlfilter_2ge7ltkpd"
config entries
edit 1
set url "*mail-attachment.googleusercontent.com*" <---
set type wildcard
next
end
next
end
Additional Requirement:
For the configuration to work as expected, it is necessary to block the QUIC protocol (HTTP/3 over UDP/443). If QUIC is not blocked, Gmail traffic may bypass proxy-based inspection and web filter policies, allowing access to personal accounts despite restrictions. This can be achieved by creating or editing an Application Control profile and setting the QUIC protocol action to Block, then applying this profile to the same firewall policy where the Web Filter is enforced.
Ensure that the firewall policy using the web filter profile is configured in proxy mode, as domain-based Google account restrictions do not function in flow-based mode.
For other options to block QUIC, see this article: Technical Tip: How to block/disable QUIC.
- Access to any other email service will be denied (according to the 'Web-based Email' category).
- Access to personal Gmail accounts, or to any other domain hosted on Gmail, will be denied.
- Access will only be allowed from addresses containing @Company.com.
- File uploads and downloads will be allowed from the @Company.com domain even if the 'Web-based Email' category is being blocked.
