FortiGate
tonylin1 (Staff)
Article Id 365105
Description: This article describes how to block personal Microsoft 365 accounts using the Inline-CASB Microsoft tenant-control feature (microsoft-tenant-control).
Scope: FortiGate v7.4.0 and above.
Solution
  1. FortiGate Inline-CASB tenant control applies only to enterprise (tenant) domains; on its own it does not block personal Microsoft accounts.
  2. To also block personal Microsoft 365 accounts, set up the following CASB configuration:

Configure the CASB user activity:

config casb user-activity
    edit "microsoft-block_personal_account"
        set application "microsoft"
        set category other
            config match
                edit 1
                    config rules
                        edit 1
                            set type domains
                            set domains "login.live.com"
                        next
                    end
                next
            end
            config control-options
                edit "block_personal"
                    config operations
                        edit "block_personal"
                            set action new
                            set header-name "sec-Restrict-Tenant-Access-Policy"
                            set values "restrict-msa"
                        next
                    end
                next
            end
    next
end

Configure the inline CASB profile:

config casb profile
    edit "casb"
        config saas-application
            edit "microsoft"
                set tenant-control enable
                set tenant-control-tenants "fortinet-us.com"
                    config custom-control
                        edit "microsoft-block_personal_account"
                            config option
                                edit "block_personal"
                                next
                            end
                        next
                    end
                next
            end
    next
end

Configure the firewall policy:

config firewall policy
    edit 0
        set name "casb_test"
        set srcintf "port1"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy                   <--- Proxy inspection is required.
        set ssl-ssh-profile "deep-inspection"       <--- SSL deep inspection is required.
        set casb-profile "casb"
        set nat enable
    next
end
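
The policy above works because the FortiGate, acting as an explicit proxy with SSL deep inspection, inserts HTTP headers into the decrypted requests bound for Microsoft's sign-in endpoints; that is why flow mode or a certificate-inspection-only profile is not enough. The following Python script is an added example and is not part of the Fortinet article or of FortiOS. It models that header insertion and then checks captured request heads (for example from a test client or browser developer tools behind the firewall) for the expected headers. The `sec-Restrict-Tenant-Access-Policy: restrict-msa` header and the `login.live.com` domain come from the CASB configuration above; the `Restrict-Access-To-Tenants` header name is Microsoft's tenant restrictions (v1) header and is assumed here to be what the tenant-control option injects; `login.microsoftonline.com` as the enterprise sign-in host is likewise an assumption, and the sample requests are constructed.

```python
"""Model of the Inline-CASB tenant-control header injection and a checker for captured
requests. Added example, not Fortinet's code. Assumptions are marked in comments."""
from dataclasses import dataclass

MSA_POLICY_HEADER = "sec-restrict-tenant-access-policy"   # from the CASB control-option above
MSA_POLICY_VALUE = "restrict-msa"
TENANT_LIST_HEADER = "restrict-access-to-tenants"         # assumption: Microsoft TR v1 header

CONSUMER_LOGIN_HOSTS = {"login.live.com"}                   # domain from the CASB match rule
ENTERPRISE_LOGIN_HOSTS = {"login.microsoftonline.com"}      # assumption: not stated on the page


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: dict  # header names normalised to lowercase


def parse_request(raw: str) -> HttpRequest:
    """Parse the head of a raw CRLF-delimited HTTP/1.1 request into a structure."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers)


def _host(req: HttpRequest) -> str:
    return req.headers.get("host", "").split(":")[0].lower()


def inject_tenant_headers(req: HttpRequest, allowed_tenants: list) -> HttpRequest:
    """Model of what the proxy does for matching hosts: add the restriction headers."""
    headers = dict(req.headers)
    host = _host(req)
    if host in CONSUMER_LOGIN_HOSTS:
        headers[MSA_POLICY_HEADER] = MSA_POLICY_VALUE          # blocks personal (MSA) sign-in
    if host in ENTERPRISE_LOGIN_HOSTS:
        headers[TENANT_LIST_HEADER] = ",".join(allowed_tenants)  # restricts to listed tenants
    return HttpRequest(req.method, req.target, headers)


def check_request(req: HttpRequest, allowed_tenants: list) -> list:
    """Return findings for one captured request; an empty list means the policy held."""
    host = _host(req)
    findings = []
    if host in CONSUMER_LOGIN_HOSTS:
        got = req.headers.get(MSA_POLICY_HEADER, "").lower()
        if got != MSA_POLICY_VALUE:
            findings.append(f"{host}: '{MSA_POLICY_HEADER}: {MSA_POLICY_VALUE}' not injected; "
                            "personal accounts would still be able to sign in")
    if host in ENTERPRISE_LOGIN_HOSTS:
        raw_list = req.headers.get(TENANT_LIST_HEADER, "")
        listed = {t.strip().lower() for t in raw_list.split(",") if t.strip()}
        allowed = {t.lower() for t in allowed_tenants}
        if not listed:
            findings.append(f"{host}: '{TENANT_LIST_HEADER}' not injected; tenant control not applied")
        elif listed - allowed:
            findings.append(f"{host}: unexpected tenants in allow-list: {sorted(listed - allowed)}")
    return findings


# Constructed sample captures: decrypted request heads as a test client would record them
# when the firewall policy is NOT applied (flow mode, or deep inspection missing).
RAW_CONSUMER_UNMODIFIED = (
    "GET /login.srf HTTP/1.1\r\nHost: login.live.com\r\nUser-Agent: test-client\r\n\r\n")
RAW_ENTERPRISE_UNMODIFIED = (
    "POST /common/oauth2/v2.0/token HTTP/1.1\r\nHost: login.microsoftonline.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\ngrant_type=client_credentials")

ALLOWED_TENANTS = ["fortinet-us.com"]   # value of tenant-control-tenants in the profile above


def demo() -> dict:
    """Run both captures through the checker before and after the modelled injection."""
    results = {}
    for label, raw in (("consumer", RAW_CONSUMER_UNMODIFIED),
                       ("enterprise", RAW_ENTERPRISE_UNMODIFIED)):
        req = parse_request(raw)
        results[f"{label}-before"] = check_request(req, ALLOWED_TENANTS)
        results[f"{label}-after"] = check_request(
            inject_tenant_headers(req, ALLOWED_TENANTS), ALLOWED_TENANTS)
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "OK" if not findings else findings)
```

Run the script as-is to see the "before" cases flagged and the "after" cases pass; to audit a real deployment, feed `check_request` the decrypted request heads recorded by a client behind the policy. A finding on `login.live.com` is the symptom of the gap the article addresses: tenant control alone leaves the personal-account sign-in path untouched.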

Related documents:

Inline CASB

SSL/TLS deep inspection