FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Umer221
Staff
Article Id 365990
Description This article describes how to block a specific device from accessing all websites except a predefined set of allowed websites. The solution ensures other devices in the same subnet continue to have unrestricted access to all websites.
Scope FortiGate.
Solution

Topology:

[image: Topology (5).png]
  • In this topology, HQ-PC1 (IP address: 10.0.1.1) has full, unrestricted access to all websites and services.
    • This is demonstrated in the screenshot where HQ-PC1 successfully pings icloud.com without any restrictions.
  • HQ-PC2 (IP address: 10.0.1.2), on the same subnet, has restricted access.
    • As seen in the screenshot, HQ-PC2 can successfully ping fortinet.com (an allowed website).
    • However, HQ-PC2 is unable to ping google.com, showing that access to other websites is blocked.
  • This configuration is achieved by:
    • Using a MAC-based address object to specifically target HQ-PC2 (10.0.1.2).
    • Applying tailored firewall policies that allow access to specific websites (like fortinet.com) while blocking all others.
  • The setup ensures:
    • HQ-PC2's traffic is filtered according to the specified rules, despite being on the same subnet as HQ-PC1.
    • HQ-PC1 and other devices on the subnet (10.0.1.0/24) retain full access to all websites and services without any restrictions.

[screenshot: image - 2024-12-20T172736.589.png]

[screenshot: image - 2024-12-20T172739.814.png]

  1. Identify the MAC address of the device that requires restricted access, so that the policies target exactly that device.

[image: MAC.png]

  2. Navigate to Policy & Objects -> Addresses -> Create New and define a new address object using the device's MAC address. Assign a descriptive name for easy identification.
  3. For each website to be allowed, navigate to Policy & Objects -> Addresses -> Create New and create an FQDN-based address object, using the website's fully qualified domain name (FQDN) as the address. Additionally, create address objects for the public DNS servers (if not using local DNS servers), such as Google DNS or Cloudflare DNS, so that the restricted device can still resolve the allowed domain names.
  4. Navigate to Policy & Objects -> Firewall Policy -> Create New to configure the first firewall policy. This policy allows access to the specific websites. Set the LAN interface as the incoming interface and the WAN interface as the outgoing interface. Use the MAC-based address object as the source and the FQDN objects for the allowed websites (together with the DNS server objects) as the destination. Set the action to Accept, enable NAT, set the schedule to Always, and set the service to ALL. Refer to MAC address-based policies for detailed steps.
  5. Create the second firewall policy by navigating to Policy & Objects -> Firewall Policy -> Create New. This policy blocks access to all other websites. Use the same LAN and WAN interfaces, set the MAC-based address object as the source, and set the destination to ALL. Configure the action as Deny, the schedule as Always, and the service as ALL.

[image: Policies.png]

Policy to allow traffic to a specific website ('fortinet.com') in addition to the desired DNS servers:

[image: Policy 3.png]

Policy to block the device or devices in question from accessing all websites:

[image: Block policy.png]

A general policy to allow unrestricted access to all websites for all other devices:

[image: General Allow.png]

  6. Adjust the order of the firewall policies so that the allow policy is placed above the block policy in the policy list. Ensure the general allow policy for other devices in the network is positioned below these two MAC-based policies, so that the remaining devices keep unrestricted access.
  7. Test the setup to confirm that the restricted device can access only the specified allowed websites while all other websites are blocked. Verify that other devices on the same subnet continue to have unrestricted internet access.
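The same configuration expressed on the FortiGate CLI, as an added example that is not part of the original article. It assumes FortiOS 7.x CLI syntax, "port2" as the LAN interface and "port1" as the WAN interface, the constructed placeholder MAC address 00:11:22:33:44:55 for HQ-PC2, free policy IDs 10 and 11, and an already existing general allow policy with ID 1; the object and policy names are chosen here for illustration.

```text
# Added example (not the article's own configuration): CLI equivalent of the GUI steps.
# Assumptions: FortiOS 7.x syntax; port2 = LAN, port1 = WAN; 00:11:22:33:44:55 is a
# constructed placeholder for HQ-PC2's MAC; policy IDs 10/11 are free; the general
# allow policy already exists with ID 1.

# Step 2: MAC-based address object for the restricted device (HQ-PC2).
config firewall address
    edit "HQ-PC2_MAC"
        set type mac
        set macaddr "00:11:22:33:44:55"
    next
    # Step 3: FQDN object for the allowed website.
    edit "fortinet.com"
        set type fqdn
        set fqdn "fortinet.com"
    next
    # Step 3: public resolvers the device uses (Google DNS and Cloudflare DNS here).
    edit "Google_DNS"
        set subnet 8.8.8.8 255.255.255.255
    next
    edit "Cloudflare_DNS"
        set subnet 1.1.1.1 255.255.255.255
    next
end

config firewall policy
    # Step 4: allow HQ-PC2 to reach the allowed website and the DNS servers only.
    edit 10
        set name "HQ-PC2_Allow_fortinet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "HQ-PC2_MAC"
        set dstaddr "fortinet.com" "Google_DNS" "Cloudflare_DNS"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Step 5: deny everything else from HQ-PC2; log the denies so blocked
    # attempts are visible under Log & Report.
    edit 11
        set name "HQ-PC2_Block_all"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "HQ-PC2_MAC"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Step 6: policies are evaluated top-down and the first match wins, so both
    # MAC-based policies must sit above the general allow policy (ID 1), with
    # the allow (10) above the deny (11).
    move 10 before 1
    move 11 after 10
end

# Step 7: confirm the order, then trace which policy each HQ-PC2 session matches.
show firewall policy
diagnose debug flow filter addr 10.0.1.2
diagnose debug enable
diagnose debug flow trace start 10
# Browse to fortinet.com and google.com from HQ-PC2; the trace prints the
# matched policy ID per session (10 for the allowed site, 11 for the rest).
diagnose debug flow trace stop
diagnose debug disable
```

The FortiGate resolves FQDN address objects with its own configured DNS servers, so an allowed site must resolve to the same addresses on the FortiGate and on the restricted client; pointing HQ-PC2 at the same resolvers the FortiGate uses avoids mismatches for sites served from several addresses.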