tino_p (Staff)
Article Id 247606
Description

This article describes how to block Facebook while still allowing Messenger by using an application control profile on a FortiGate firewall.


Scope


Application control.


Solution


1. On PC:


Step 1: create a new application control profile in FortiGate -> Security Profile -> Application Control.


Step 2: add application and filter overrides to allow Messenger and Facebook_Chat, and block all other Facebook signatures.


Step 3: apply the application control profile in the firewall policy, and remember to select deep inspection as the SSL inspection profile; without it, application control cannot see inside Facebook's TLS traffic and cannot tell the Facebook and Messenger signatures apart.


Step 4: download and import FortiGate's certificate into the client's PC, following this article:

Importing the certificate into web browsers - FortiGate cookbook.


On the client PC:

  • Disable QUIC in Chrome: chrome://flags -> QUIC -> disable.
  • Disable QUIC in Firefox: about:config -> network.http.http3.enabled -> false.
  • An alternative option is to block QUIC under application control in the FortiGate. This forces the browser to fall back from QUIC (UDP) to a TCP connection, which deep inspection can examine.
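To verify that the profile above behaves as intended, the following added example (not from the original article or Fortinet) audits FortiGate application-control logs: allowed signatures that were blocked, other Facebook signatures that passed, and clients still passing QUIC are all reported. The log lines are constructed samples in the usual FortiOS key=value format, and the signature names "Messenger" and "Facebook_Chat" are taken from the overrides shown in Step 2; adjust them to match the names in your profile.

```python
import re

# Constructed sample FortiGate application-control log lines (not real captures).
# Field names follow the FortiOS key=value log format; addresses are documentation ranges.
SAMPLE_LOGS = """\
date=2023-03-01 time=10:00:01 type="utm" subtype="app-ctrl" srcip=10.0.0.5 dstip=203.0.113.10 app="Facebook" appcat="Social.Media" action="block"
date=2023-03-01 time=10:00:02 type="utm" subtype="app-ctrl" srcip=10.0.0.5 dstip=203.0.113.11 app="Facebook_Chat" appcat="Social.Media" action="pass"
date=2023-03-01 time=10:00:03 type="utm" subtype="app-ctrl" srcip=10.0.0.7 dstip=203.0.113.12 app="Facebook" appcat="Social.Media" action="pass"
date=2023-03-01 time=10:00:04 type="utm" subtype="app-ctrl" srcip=10.0.0.7 dstip=203.0.113.13 app="QUIC" appcat="Network.Service" action="pass"
date=2023-03-01 time=10:00:05 type="utm" subtype="app-ctrl" srcip=10.0.0.9 dstip=203.0.113.14 app="Messenger" appcat="Social.Media" action="block"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping the surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def audit(log_text, allowed=("Messenger", "Facebook_Chat")):
    """Return (srcip, app, reason) tuples for sessions that contradict the intended profile.

    `allowed` holds the signature names the overrides should pass (assumed names from the
    article); every other Facebook signature is expected to be blocked. A passed QUIC
    session means that client can still reach Facebook over HTTP/3, which deep inspection
    cannot examine, so it is reported once per client."""
    findings = []
    quic_clients = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "app-ctrl":
            continue
        src, app, action = rec.get("srcip"), rec.get("app", ""), rec.get("action")
        if app == "QUIC" and action == "pass":
            quic_clients.add(src)
        elif app in allowed and action != "pass":
            findings.append((src, app, "allowed app blocked: check the filter overrides"))
        elif app.startswith("Facebook") and app not in allowed and action == "pass":
            findings.append((src, app, "Facebook passed: check policy order / deep inspection"))
    for src in sorted(quic_clients):
        findings.append((src, "QUIC", "QUIC passed: disable it in the browser or block it in the profile"))
    return findings

if __name__ == "__main__":
    for src, app, reason in audit(SAMPLE_LOGS):
        print(f"{src:12} {app:14} {reason}")
```

Feed it real app-ctrl log exports from the FortiGate (or a syslog collector) in place of `SAMPLE_LOGS` to confirm the overrides and QUIC handling on each client.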


2. On mobile devices:

Because the Facebook and Facebook Messenger apps use certificate pinning, FortiGate cannot inspect their SSL traffic, so it cannot differentiate between the two. Without SSL inspection, it is not possible to block the Facebook app while allowing the Messenger app on mobile devices.