gmanea
Staff
Article Id 196688

Description

This article describes how to enable access to internal domains hosted on Google while webfilter category 'Webmail' is set to block. 
 
Example.
'company.com' is hosted on Gmail. To restrict access to these accounts only, any other web mail service (Google or not) should be disabled.


Solution

  • If these options are not visible, check if the proxy-based web filter profile is used since this feature is only supported in a proxy-based profile.
  • Deep inspection is necessary to restrict a Google account for a specific domain.
 
  1. Create a web filter profile called 'test' using the GUI.
 
 
  2. Enable 'URL Filter' under the static filter and create a dummy entry, like 'example.com'. Make sure that under 'FortiGuard Category Based Filter', the 'Web-based Email' under 'General Interest - Personal' is 'Allow'.

  3. Enable 'Restrict Google account for specific domain' and define the domain that is hosted on Google mail services.
 
 
  4. Go to the CLI, display the following entries, and verify that they look like this:
 
config web-proxy profile
    edit "Auto-web-proxy-profile_ff0ygfu3d"
        config headers
            edit 1
                set name "X-GoogApps-Allowed-Domains"
                set content "company.com"       <----- The company domain hosted in Google mail services.
            next
        end
    next
end
 
config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_gkkqnfrif"
        config entries
            edit 1
                set url "example.com"
                set action block
            next
        end
    next
end
 
Replace it with the following entries, in exactly this order.
 
 
config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_gkkqnfrif"
        config entries
            delete 1                                <----- This will delete the 'example.com' entry created from GUI.
            edit 1
                set url "*.google.com"
                set type wildcard
                set web-proxy-profile "Auto-web-proxy-profile_ff0ygfu3d"
            next
            edit 2
                set url "gmail.com"
            next
            edit 3
                set url "google.com"
            next
        end
    next
end
 
Outcome: 
  • Access to any email service will be denied (according to the web mail Category)
  • Access to personal Gmail accounts or accounts on any other domain hosted on Gmail will be denied.
  • Access only from addresses containing @company.com will be allowed.
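
The check below is an added example, not Fortinet code: it parses a saved copy of the two CLI listings above and confirms that the first URL filter entry is the wildcard '*.google.com' and that it references a web proxy profile carrying the 'X-GoogApps-Allowed-Domains' header for the expected domain. The function names `parse` and `audit` are hypothetical, and the sample text is constructed from the article's listings with the inline annotations removed.

```python
import shlex

SAMPLE = """
config web-proxy profile
    edit "Auto-web-proxy-profile_ff0ygfu3d"
        config headers
            edit 1
                set name "X-GoogApps-Allowed-Domains"
                set content "company.com"
            next
        end
    next
end
config webfilter urlfilter
    edit 1
        config entries
            edit 1
                set url "*.google.com"
                set type wildcard
                set web-proxy-profile "Auto-web-proxy-profile_ff0ygfu3d"
            next
        end
    next
end
"""  # constructed sample based on the article's listings

def parse(text):
    stack = [{}]  # root dict; config/edit push a child dict, next/end pop it
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok and tok[0] == "set":
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok and tok[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def audit(text, domain):
    """Return a list of problems; an empty list means the restriction is wired up."""
    cfg, problems = parse(text), []
    for table in cfg.get("webfilter urlfilter", {"": {}}).values():
        first = next(iter(table.get("entries", {}).values()), {})
        if (first.get("url"), first.get("type")) != ("*.google.com", "wildcard"):
            problems.append("first entry is not wildcard *.google.com")
        prof = cfg.get("web-proxy profile", {}).get(first.get("web-proxy-profile"), {})
        hdrs = {h.get("name"): h.get("content") for h in prof.get("headers", {}).values()}
        if hdrs.get("X-GoogApps-Allowed-Domains") != domain:
            problems.append("allowed-domains header missing or wrong domain")
    return problems
```

Running `audit` on a configuration that still contains the GUI-created 'example.com' dummy entry reports that the first entry is not the wildcard, which is the state before the CLI change in step 4.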