FortiGate
js2 (Staff)
Article Id 367371
Description: This article describes the configuration steps to block sign-in with a personal Outlook account.
Scope: FortiGate.
Solution:

Prerequisites:

  • The domain that is to remain allowed (<domain.com>).
  • The directory ID of that tenant. It can be fetched from the Azure portal, or by using the open tool 'whatismytenantid.com'.

Configuration:

Step 1: Create an FQDN address object for login.live.com. The other Microsoft sites, 'login.microsoftonline.com', 'login.microsoft.com' and 'login.windows.net', should already be available as default address objects in FortiGate.

config firewall address
    edit "live"
        set type fqdn
        set fqdn "login.live.com"
    next
end

Step 2: Create a deep inspection profile by cloning the default 'deep-inspection' SSL/SSH profile, and remove the Microsoft websites from its exempt list so that the proxy can inspect and modify the requests sent to them.

Step 3: Create a URL filter for the Microsoft sites.

config webfilter urlfilter
    edit 1
        set name "Microsoft"
        config entries
            edit 1
                set url "login.microsoftonline.com"
                set action allow
            next
            edit 2
                set url "login.microsoft.com"
                set action allow
            next
            edit 3
                set url "login.windows.net"
                set action allow
            next
            edit 4
                set url "login.live.com"
                set action allow
            next
        end
    next
end

Step 4: Create a webfilter profile that references the URL filter.

config webfilter profile
    edit "Microsoft"
        set feature-set proxy
        config web
            set urlfilter-table 1
        end
    next
end

Step 5: Create a web proxy profile that adds the tenant-restriction headers to requests sent to the Microsoft login sites.

config web-proxy profile
    edit "Microsoft-Restriction"
        set header-client-ip pass
        set header-via-request pass
        set header-via-response pass
        set header-x-forwarded-for pass
        set header-x-forwarded-client-cert pass
        set header-front-end-https pass
        set header-x-authenticated-user pass
        set header-x-authenticated-groups pass
        set strip-encoding disable
        set log-header-change disable
        config headers
            edit 1
                set name "Restrict-Access-To-Tenants"
                set dstaddr "login.microsoft.com" "login.microsoftonline.com" "login.windows.net"
                set action add-to-request
                set base64-encoding disable
                set add-option new
                set protocol https http
                set content <domain>
            next
            edit 2
                set name "Restrict-Access-Context"
                set dstaddr "login.microsoftonline.com" "login.microsoft.com" "login.windows.net"
                set action add-to-request
                set base64-encoding disable
                set add-option new
                set protocol https http
                set content <directory_ID>
            next
            edit 3
                set name "sec-Restrict-Tenant-Access-Policy"
                set dstaddr "login.live.com"
                set action add-to-request
                set base64-encoding disable
                set add-option new
                set protocol https http
                set content "restrict-msa"
            next
        end
    next
end

Step 6: Create a firewall policy that applies the SSL inspection, webfilter and web proxy profiles to traffic destined for the Microsoft login sites:

config firewall policy
    edit 1
        set name "New"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "LAN"
        set dstaddr "login.microsoft.com" "login.microsoftonline.com" "login.windows.net" "login.live.com"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set inspection-mode proxy
        set webproxy-profile "Microsoft-Restriction"
        set ssl-ssh-profile "clone of Deep-inspection"
        set webfilter-profile "Microsoft"
        set logtraffic all
        set nat enable
    next
end
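The following Python script is an added illustration, not FortiOS code and not part of the original article. It parses the 'config headers' section of a web-proxy profile written in FortiOS CLI syntax and reports which headers the proxy would add to a request for a given destination host and protocol, so an administrator can sanity-check the rules before pushing them to a production FortiGate. The embedded profile is a constructed copy of the Step 5 profile with sample values in place of the <domain> and <directory_ID> placeholders, using the header names Microsoft documents for tenant restrictions (Restrict-Access-To-Tenants, Restrict-Access-Context and sec-Restrict-Tenant-Access-Policy). The functions parse_header_rules, injected_headers and tenant_restriction_applied are the script's own names.

```python
"""Model of the FortiGate web-proxy header rules used for tenant restrictions.

Added illustration: parses a 'config web-proxy profile' block in FortiOS CLI
syntax and simulates which request headers the proxy would add per host.
"""
import re
from dataclasses import dataclass, field

# Constructed sample config: same structure as the article's profile, with a
# sample tenant domain and an all-zero placeholder directory ID.
SAMPLE_PROFILE = '''
config web-proxy profile
    edit "Microsoft-Restriction"
        config headers
            edit 1
                set name "Restrict-Access-To-Tenants"
                set dstaddr "login.microsoft.com" "login.microsoftonline.com" "login.windows.net"
                set action add-to-request
                set add-option new
                set protocol https http
                set content "contoso.com"
            next
            edit 2
                set name "Restrict-Access-Context"
                set dstaddr "login.microsoftonline.com" "login.microsoft.com" "login.windows.net"
                set action add-to-request
                set add-option new
                set protocol https http
                set content "00000000-0000-0000-0000-000000000000"
            next
            edit 3
                set name "sec-Restrict-Tenant-Access-Policy"
                set dstaddr "login.live.com"
                set action add-to-request
                set add-option new
                set protocol https http
                set content "restrict-msa"
            next
        end
    next
end
'''


@dataclass
class HeaderRule:
    """One 'edit N' entry under 'config headers'."""
    name: str = ""
    dstaddr: set = field(default_factory=set)
    action: str = ""
    protocols: set = field(default_factory=set)
    content: str = ""


# Matches either a double-quoted token or a bare whitespace-free token.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def _values(rest):
    """Split the argument list of a 'set' line, honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(rest)]


def parse_header_rules(text):
    """Extract the header entries of a web-proxy profile from FortiOS CLI text."""
    rules, current, in_headers = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config headers":
            in_headers = True
        elif not in_headers:
            continue  # ignore everything outside the headers table
        elif line.startswith("edit "):
            current = HeaderRule()
        elif line == "next" and current is not None:
            rules.append(current)
            current = None
        elif line == "end":
            in_headers = False
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            vals = _values(rest)
            if key == "name":
                current.name = vals[0]
            elif key == "dstaddr":
                current.dstaddr = set(vals)
            elif key == "action":
                current.action = vals[0]
            elif key == "protocol":
                current.protocols = set(vals)
            elif key == "content":
                current.content = vals[0]
    return rules


def injected_headers(rules, host, protocol):
    """Headers the proxy would add to a request for host over http/https."""
    added = {}
    for rule in rules:
        if (rule.action == "add-to-request" and host in rule.dstaddr
                and protocol in rule.protocols):
            added[rule.name] = rule.content
    return added


def tenant_restriction_applied(rules, host, protocol, tenant_domain, directory_id):
    """True if a request to host would carry both tenant-restriction headers."""
    hdrs = injected_headers(rules, host, protocol)
    return (hdrs.get("Restrict-Access-To-Tenants") == tenant_domain
            and hdrs.get("Restrict-Access-Context") == directory_id)


if __name__ == "__main__":
    parsed = parse_header_rules(SAMPLE_PROFILE)
    for h in ("login.microsoftonline.com", "login.live.com", "outlook.office.com"):
        print(h, injected_headers(parsed, h, "https"))
```

Requests to the three tenant login hosts receive the tenant list and directory ID, requests to login.live.com receive only the consumer-account restriction, and any host not named in a rule is left untouched; that last case is worth checking, since a host missing from a rule's dstaddr list silently bypasses the restriction.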


Initiate a test connection to login.microsoftonline.com using a personal Outlook account. An error similar to the following will be observed:

[Image: Outlook error for personal account]
