kmohan
Staff
Article Id 273376
Description

This article describes how to block access to personal Gmail accounts while allowing access to Google email accounts belonging to specific domains.

Scope: FortiGate.
Solution

Requirements:

FortiGate must be performing proxy-based SSL deep inspection.

A web-proxy profile must be attached to the firewall policy where the domain restriction is to be applied.

Without the web-proxy profile, the X-GoogApps-Allowed-Domains header is not injected, and personal Gmail accounts are not blocked.

Google-related domains must not be exempted from SSL/SSH inspection in the custom deep-inspection profile.

Explanation:

Exempting Google domains from deep inspection prevents FortiGate from decrypting the traffic.

If the traffic is not decrypted, FortiGate cannot inject the header that enforces the allowed domains.

How it works:

The firewall injects the HTTP header X-GoogApps-Allowed-Domains into the decrypted traffic to Google.

Several domains can be allowed at once by listing them in the X-GoogApps-Allowed-Domains header, separated by commas.

Firewall Configuration:

Follow the instructions in Technical Tip: Restrict Google account usage to specific domains.

Once that is configured, add the specific email domains in the Web Filter.

The firewall then generates the corresponding web-proxy profile automatically; on the CLI it appears as follows:

config web-proxy profile
    edit "Auto-web-proxy-profile_iwd4cg3tf"
        config headers
            edit 1
                set name "X-GoogApps-Allowed-Domains"
                set content "abc.com, xyz.com"   <----- The company domains hosted on Google Mail services.
            next
        end
    next
end


Once the web-proxy profile has been created on the CLI, add it to the firewall policy (policy ID: XXX):

config firewall policy
    edit xx
        set web-proxy-profile "added name"   <----- Auto-web-proxy-profile_iwd4cg3tf.
    next
end
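As an added configuration-audit example (not part of the original article, and not FortiOS functionality), the following Python parses a saved copy of the two CLI blocks above and checks that each firewall policy references a web-proxy profile that injects X-GoogApps-Allowed-Domains with a well-formed, comma-separated domain list. The sample configuration, policy ID 42 and the parsing regexes are assumptions of the example, not values from the article.

```python
import re
# Constructed sample shaped like this article's two CLI blocks (policy 42 and the domains are made up).
SAMPLE_CONFIG = """\
config web-proxy profile
    edit "Auto-web-proxy-profile_iwd4cg3tf"
        config headers
            edit 1
                set name "X-GoogApps-Allowed-Domains"
                set content "abc.com, xyz.com"
            next
        end
    next
end
config firewall policy
    edit 42
        set web-proxy-profile "Auto-web-proxy-profile_iwd4cg3tf"
    next
end
"""
HEADER = "X-GoogApps-Allowed-Domains"
LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"  # one DNS label: no leading/trailing hyphen
DOMAIN_RE = re.compile(rf"^{LABEL}(\.{LABEL})+$")

def entries(text, section):
    """Map each 'edit <key>' of a top-level 'config <section>' block to its body text."""
    m = re.search(rf"^config {section}\n(.*?)^end", text, re.S | re.M)
    pairs = re.findall(r'^    edit (\S+)\n(.*?)^    next', m.group(1) if m else "", re.S | re.M)
    return {key.strip('"'): body for key, body in pairs}

def allowed_domains(content):
    """Split the header value the way Google reads it: a comma-separated domain list."""
    return [d.strip().lower() for d in content.split(",") if d.strip()]

def audit(text):
    """Return {policy_id: [problems]}; an empty list means that policy will inject the header."""
    headers = {name: dict(re.findall(r'set name "([^"]+)"\n\s*set content "([^"]*)"', body))
               for name, body in entries(text, "web-proxy profile").items()}
    findings = {}
    for pid, body in entries(text, "firewall policy").items():
        ref = next(iter(re.findall(r'set web-proxy-profile "([^"]+)"', body)), None)
        problems = []
        if ref is None:
            problems.append("no web-proxy-profile set, so the header is never injected")
        elif ref not in headers:
            problems.append(f"references missing web-proxy profile {ref!r}")
        elif HEADER not in headers[ref]:
            problems.append(f"profile {ref!r} does not inject {HEADER}")
        else:
            problems += [f"malformed domain in {HEADER}: {d!r}" for d in allowed_domains(headers[ref][HEADER]) if not DOMAIN_RE.match(d)]
        findings[pid] = problems
    return findings
```

Run it against the output of `show web-proxy profile` and `show firewall policy` saved to a file; a non-empty list for a policy explains why personal Gmail is still reachable through it.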


From the GUI, go to Security Profiles -> SSL/SSH Inspection and open the custom deep-inspection profile (custom-deep-inspection).

  1. Remove all Google-related entries under Exempt from SSL Inspection.

     [Screenshot: SSL.png]

  2. Once removed, the Google-related entries are no longer exempted from SSL/SSH inspection in custom-deep-inspection.
  3. Download the CA certificate and install it on the client PC in the trusted root certificate store.
  4. Now try to access a personal Gmail account: access is blocked, and only accounts in the specified domains can sign in.


Note: Restricting Zoho Mail to specific email domains is not supported on FortiGate.


Related document

Restricted SaaS access