FortiGate
bmiranda
Staff
Article Id 246781
Description This article describes how to allow access to sub-directories while blocking access to the parent domain.
Scope All versions.
Solution

For this solution to work, Deep Packet Inspection (full SSL inspection) must be enabled. Without it, the FortiGate cannot see past the server certificate of the domain being accessed, so it cannot evaluate the path portion of the URL and will block access. Do not confuse this with sub-domain filtering, which is different and does not need DPI.


For this example, the domain 'www.fortinet.com' and the sub-directory 'http://www.fortinet.com/products/next-generation-firewall' will be used.


Step 1:
Configure the Web Filter Profile's static URL filters:

WebFilterProfile.png


Step 2:
Configure the SSL/SSH Inspection Profile as 'Full SSL Inspection':

SSLProfile1.png


Note: be sure that the domain is not exempted from inspection (by default the Fortinet domain is exempted in the SSL/SSH inspection profile, so it must be removed for this example):


SSLProfile2.png


Step 3:
Create the Firewall Policy using both profiles created in the previous steps:

FWPolicy.png
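The three GUI steps above, expressed as the equivalent FortiOS CLI configuration. This is an added example and not part of the original article: the profile names ('allow-ngfw-subdir', 'deep-inspection-no-exempt'), the URL filter table ID, and the policy interfaces and addresses are assumptions chosen for illustration. It also assumes the static URL filter is evaluated top-down with the first match winning, so the allow entry for the sub-directory is placed above the block entry for the parent domain.

```fortios
# Added example: FortiOS CLI equivalent of Steps 1-3. Names, IDs and
# interfaces are assumptions; adjust them to the unit being configured.

# Step 1: static URL filter. Entries are assumed to match top-down, first
# match wins, so the allow entry for the sub-directory comes first and the
# block entry for the parent domain second.
config webfilter urlfilter
    edit 1
        set name "allow-ngfw-subdir"
        config entries
            edit 1
                set url "www.fortinet.com/products/next-generation-firewall"
                set type simple
                set action allow
            next
            edit 2
                set url "www.fortinet.com"
                set type simple
                set action block
            next
        end
    next
end

# Web filter profile that references the URL filter table defined above
config webfilter profile
    edit "allow-ngfw-subdir"
        config web
            set urlfilter-table 1
        end
    next
end

# Step 2: full SSL inspection on HTTPS with no exemption for the Fortinet
# domain. The built-in "deep-inspection" profile exempts Fortinet FQDNs by
# default, so this example uses a separate profile that carries no such
# exemption. Re-signing uses the FortiGate CA that the client must trust.
config firewall ssl-ssh-profile
    edit "deep-inspection-no-exempt"
        config https
            set ports 443
            set status deep-inspection
        end
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
    next
end

# Step 3: firewall policy that applies both profiles to client web traffic
# (interfaces and addresses are assumed values)
config firewall policy
    edit 0
        set name "allow-subdir-block-parent"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-no-exempt"
        set webfilter-profile "allow-ngfw-subdir"
        set nat enable
    next
end
```

The web filter can only compare the URL path once the FortiGate has re-signed the TLS session, which is why the CA named in `caname` must be installed on the client in Step 4; without that trust the browser will show a certificate warning on every inspected site, not just the blocked one.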


Step 4:
Download the FortiGate's CA certificate and install it on the client so that the browser trusts the certificates the FortiGate re-signs during Deep Inspection:

1) Certificate1.png

2) Certificate2.png

3) Certificate3.png

4) Certificate4.png

5) Certificate5.png

Confirm that the newly installed certificate is visible in the Computer Certificates store and in the correct folder:

Certificate6.png


Step 5:
Test access to 'www.fortinet.com'. This should fail:

fortinetfail.png


Test access to 'www.fortinet.com/products/next-generation-firewall'. This should work:

fortinetsuccess.png