Description
This article describes how to enable access to internal domains hosted on Google while web filter category 'Webmail' is set to block.
Example:
'company.com' is hosted on Gmail and to restrict access only to these accounts any other webmail service (Google or not) should be disabled.
Scope
FortiGate.
Solution
- If these options are not visible, check if the proxy-based web filter profile is used since this feature is only supported in a proxy-based profile.
- Deep inspection is necessary to restrict a Google account for a specific domain.
- Create a web filter profile called 'test' using the GUI.
- Enable 'URL Filter' under the static filter and create a dummy entry, like 'example.com'. Make sure that under 'Fortiguard Category Based Filter', the 'Web-based Email' under 'General Interest - Personal' is 'Allow'.
- Enable 'Restrict Google account for the specific domain' and define the domain that is hosted on Google Mail services.
- Go to the CLI and the following entries and verify if they look like the following:
config web-proxy profile
edit "Auto-web-proxy-profile_ff0ygfu3d"
config headers
edit 1
set name "X-GoogApps-Allowed-Domains"
set content "company.com" <----- The company domain is hosted in Google Mail services.
next
end
next
end
config webfilter urlfilter .show
edit 1set name "Auto-webfilter-urlfilter_gkkqnfrif"# config entriesedit 1set url "example.com"set action blocknextendnextend
Change it with the following entries in the same order.
config webfilter urlfilter
edit 1
set name "Auto-webfilter-urlfilter_gkkqnfrif"
config entries
delete 1 <----- This will delete the 'example.com' entry created from GUI.
edit 1
set url "*.google.com"
set type wildcard
set web-proxy-profile "Auto-web-proxy-profile_ff0ygfu3d"
next
edit 2
set url "gmail.com"
next
edit 3
set url "google.com"
next
end
next
end
Sometimes the Google suite uses URLs outside the *.google.com wildcard, such as to upload/download and/or send/receive files via email.
To allow uploading and downloading files from Gmail without any restrictions, conditioned to the 'Web-based Email' category being blocked, add the URLs in charge of this process in webfilter urlfilter. In this case, the one known so far is 'mail-attachment.googleusercontent.com', which also belongs to the blocked category.
This URL must be allowed or exempted to allow uploading and downloading files from the email:
config webfilter urlfilter
edit 2
set name "Auto-webfilter-urlfilter_2ge7ltkpd"
config entries
edit 1
set url "*mail-attachment.googleusercontent.com*" <---
set type wildcard
next
end
next
end
Note:
Delete all Exemptions added on the Deep Inspection SSL profile. Preferably, clone the Deep Inspection profile and customize it, deleting all Exemptions (objects) on that SSL/SSH profile.
Identify the URL that allows the upload and download of files to configure it in the URL filter in case there are any more through webfilter profile logs.
Outcome:
- Access to any email service will be denied (according to the webmail Category).
- Access to personal Gmail Accounts on any other domain hosted on Gmail will be denied.
- Access only from addresses containing @Company.com will be allowed.
- Access only from addresses containing @Company.com will be allowed.
- Access to File uploads and downloads will be allowed from the @Company.com domain even if the 'Web-based Email' category is being blocked.
