FortiGate
gmanea
Staff
Article Id 196688

Description

This article describes how to enable access to internal domains hosted on Google while the web filter category 'Webmail' is set to block.

Example:
'company.com' is hosted on Gmail. Access should be restricted to accounts on that domain only, and any other webmail service (Google or not) should be blocked.
 
Scope
 
FortiGate.


Solution

 

  • If these options are not visible, check that a proxy-based web filter profile is in use, since this feature is only supported in proxy-based profiles.
  • Deep inspection is required to restrict Google accounts to a specific domain: the restriction works by inserting an HTTP header into the Google traffic, which the FortiGate can only do if it decrypts that traffic.
 
  1. Create a web filter profile called 'test' using the GUI.
 
  2. Enable 'URL Filter' under the static filter and create a dummy entry, such as 'example.com'. Make sure that under 'FortiGuard Category Based Filter', 'Web-based Email' under 'General Interest - Personal' is set to 'Allow'.

  3. Enable 'Restrict Google account for the specific domain' and define the domain that is hosted on Google Mail services.

  4. Go to the CLI and check that the following entries look like this:
 
config web-proxy profile
    edit "Auto-web-proxy-profile_ff0ygfu3d"
        config headers
            edit 1
                set name "X-GoogApps-Allowed-Domains"
                set content "company.com"       <----- The company domain hosted in Google mail services.
            next
        end
    next
end
 
config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_gkkqnfrif"
        config entries
            edit 1
                set url "example.com"
                set action block
            next
        end
    next
end
 
Replace it with the following entries, in this order. The 'web-proxy-profile' name in entry 1 must match the web-proxy profile shown above, since that profile carries the 'X-GoogApps-Allowed-Domains' header.

config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_gkkqnfrif"
        config entries
            delete 1                                <----- This will delete the 'example.com' entry created from GUI.
            edit 1
                set url "*.google.com"
                set type wildcard
                set web-proxy-profile "Auto-web-proxy-profile_ff0ygfu3d"
            next
            edit 2
                set url "gmail.com"
            next
            edit 3
                set url "google.com"
            next
        end
    next
end
 
Some Google services use URLs outside the '*.google.com' wildcard, for example when uploading or downloading email attachments.

To allow uploading and downloading files in Gmail while the 'Web-based Email' category remains blocked, add the URLs that handle attachments to the webfilter urlfilter. The one known so far is 'mail-attachment.googleusercontent.com', which also belongs to the blocked category, so it must be allowed or exempted:

config webfilter urlfilter
    edit 2
        set name "Auto-webfilter-urlfilter_2ge7ltkpd"
        config entries
            edit 1
                set url "*mail-attachment.googleusercontent.com*"    <----- Host used for Gmail attachment upload/download.
                set type wildcard
            next
        end
    next
end

 
If attachment uploads or downloads still fail, identify any further URLs involved from the web filter profile logs and add them to the URL filter in the same way.
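As an added example (not part of this article and not Fortinet tooling), the following Python script parses FortiOS-style CLI config text such as the blocks above into nested dictionaries and audits the settings this procedure depends on: that the '*.google.com' entry is a wildcard, is not blocked, and references a web-proxy profile whose 'X-GoogApps-Allowed-Domains' header carries the company domain; that the 'gmail.com' and 'google.com' entries exist; and whether the Gmail attachment host is exempted. The embedded config text is a constructed sample copied from the final state described above, and the config/edit/set/next/end/delete handling is a simplified reading of the CLI grammar, not a full parser.

```python
"""Audit a FortiOS-style config text for the Google-domain restriction (added example)."""
import re

# Constructed sample: the article's final web-proxy profile and URL filter, as text.
SAMPLE_CONFIG = """\
config web-proxy profile
    edit "Auto-web-proxy-profile_ff0ygfu3d"
        config headers
            edit 1
                set name "X-GoogApps-Allowed-Domains"
                set content "company.com"
            next
        end
    next
end
config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_gkkqnfrif"
        config entries
            edit 1
                set url "*.google.com"
                set type wildcard
                set web-proxy-profile "Auto-web-proxy-profile_ff0ygfu3d"
            next
            edit 2
                set url "gmail.com"
            next
            edit 3
                set url "google.com"
            next
        end
    next
end
"""
ATTACHMENT_HOST = "mail-attachment.googleusercontent.com"

def _tokens(line):
    # Split a CLI line into tokens, keeping double-quoted values whole.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]

def parse_config(text):
    """Turn config/edit/set/next/end/delete nesting into nested dicts (simplified grammar)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("<-----")[0].strip()  # drop the article's inline arrow notes
        if not line:
            continue
        tok = _tokens(line)
        if tok[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
        elif tok[0] == "delete":
            stack[-1].pop(tok[1], None)
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root

def _entries(cfg):
    # Yield every entry of every 'webfilter urlfilter' table.
    for flt in cfg.get("webfilter urlfilter", {}).values():
        yield from flt.get("entries", {}).values()

def check_google_domain_restriction(cfg, domain):
    """Return the problems found; an empty list means the config matches the procedure."""
    problems = []
    urls = {e.get("url"): e for e in _entries(cfg)}
    for needed in ("gmail.com", "google.com"):
        if needed not in urls:
            problems.append(f"missing URL filter entry for {needed!r}")
    wild = urls.get("*.google.com")
    if wild is None:
        return problems + ["no '*.google.com' entry, so the proxy header is never injected"]
    if wild.get("type") != "wildcard":
        problems.append("'*.google.com' entry is not 'set type wildcard'")
    if wild.get("action") == "block":
        problems.append("'*.google.com' entry is blocked outright")
    prof_name = wild.get("web-proxy-profile")
    profile = cfg.get("web-proxy profile", {}).get(prof_name) if prof_name else None
    if profile is None:
        return problems + [f"web-proxy profile {prof_name!r} is missing or not referenced"]
    allowed = [h.get("content") for h in profile.get("headers", {}).values()
               if h.get("name") == "X-GoogApps-Allowed-Domains"]
    if domain not in allowed:
        problems.append(f"X-GoogApps-Allowed-Domains is {allowed}, expected {domain!r}")
    return problems

def attachment_host_exempted(cfg):
    # True if some URL filter entry covers the Gmail attachment host without blocking it.
    return any(ATTACHMENT_HOST in e.get("url", "") and e.get("action") != "block"
               for e in _entries(cfg))

# Audit of the sample above: no problems expected, but the attachment host is not yet exempted.
PROBLEMS = check_google_domain_restriction(parse_config(SAMPLE_CONFIG), "company.com")  # expected: []
```

To audit a live box, paste the output of 'show webfilter urlfilter' and 'show web-proxy profile' into one string and pass it to parse_config; the arrow annotations used in this article are stripped, so the blocks above can be fed in as they appear. A non-empty list from check_google_domain_restriction points at the setting to fix, and a False from attachment_host_exempted means the second urlfilter entry described above still has to be added.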
 
Outcome:
  • Access to any other email service will be denied (according to the 'Web-based Email' category).
  • Access to personal Gmail accounts, and to any other domain hosted on Gmail, will be denied.
  • Only sign-ins from addresses on @company.com will be allowed.
  • File uploads and downloads will be allowed for the @company.com domain even while the 'Web-based Email' category is blocked.