Description
This article describes how to block Facebook while allowing Messenger, to use an application control profile in Firewall FortiGate.
Scope
Application control.
Solution
1. On PC:
Step 1: create a new application control profile in FortiGate -> Security Profile -> Application Control.
Step 2: add application and filter overrides to allow Messenger and Facebook_Chat, and block all other Facebook signatures.
Step 3: apply the application profile in the Firewall policy, and remember to choose Deep inspection.
Step 4: download and import FortiGate's certificate into the client's PC, following this article:
Importing the certificate into web browsers - FortiGate cookbook.
On the client PC:
- Disable QUIC in Chrome: chrome://flags -> QUIC -> disable.
- Disable QUIC in Firefox: about:config -> network.http.http3.enabled -> false.
- An alternative option is to block QUIC under application control in the FortiGate. This method will force the connection to be over TCP/UDP.
2. On Mobile devices.
FortiGate is unable to inspect the SSL traffic of Facebook and Facebook Messenger applications due to certificate pinning, it is impossible to differentiate the traffic between the two. Without inspecting the SSL traffic, it is impossible to block the Facebook app while allowing the Messenger app on mobile devices.
