A company may wish to only allow certain users to access ChatGPT and block other users.

ChatGPT (FQDN 'chat.openai.com') is under the web filter category 'General Interest – Business' and the sub-category 'Information Technology. When firewall administrator sets the action 'Authentication' for the sub-category 'Information Technology', all websites included in this sub-category will need user authentication before the user is allowed to these websites. This article explains how to only force user authentication for ChatGPT, but not other websites.

This article explains how to allow only an authenticated user group to access ChatGPT. The configuration will not affect the other websites.

Both the Webfilter profile and firewall policy should be in proxy-based inspection mode.

1. Create a local custom category. In this example, it will be named 'Custom-ChatGPT'.
   Follow the steps in the administration guide.
   
   
2. Create a Web Filter override for the FQDN 'chat.openai.com' to the sub-category 'Custom-ChatGPT'.
   Navigate to the FortiGate GUI -> Security Profile -> Web Rating Overrides -> Create New -> Enter 'chat.openai.com' -> Lookup rating -> under 'Override to', choose 'Custom Categories' as the category, and choose 'Custom-ChatGPT' as the sub-category.
   
   
3. Set the 'authenticate' action in the sub-category 'Custom-ChatGPT' in the Web Filter profile.
   Navigate to the FortiGate GUI -> Security Profile -> Web Filter -> edit the profile -> under 'FortiGuard Category Based Filter', find 'Local categories'. Select 'Custom-ChatGPT' in the sub-category and right-click on it, then choose 'Authenticate'. A popup window will appear for authentication period and user group. Fill in the form and select the user group, then select OK. The sub-category status will change to 'Authenticate'.
   
   
4. The user group can be a firewall local user group or an LDAP user group.
   
   
5. Enable the Web filter profile in the firewall policy.

Related article:
Web rating override - FortiGate administration guide.