FortiGate
rahulkaushik-22
Article Id 335961
Description: This article describes how to restrict client access to specific websites using FQDN address objects.
Scope: All.
Solution:

Create an FQDN address object for each restricted website.

In this case, the restricted website is 'example.com':

config firewall address
    edit "Restricted_website"
        set type fqdn
        set fqdn "example.com"
    next
end

Firewall policies are then configured to allow access only to the restricted websites and to block all other traffic.

config firewall policy
    edit 20
        set name "Allow_Restricted_website"
        set srcintf "LAN"
        set dstintf "wan1"
        set action accept
        set srcaddr "LAN"
        set dstaddr "Restricted_website" <---------- FQDN address object.
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 21
        set name "Deny"
        set srcintf "LAN"
        set dstintf "wan1"
        set action deny
        set srcaddr "LAN"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

With only these two policies, the websites still do not load for the clients: their DNS queries fail, because no policy allows DNS traffic and it falls through to the deny policy.

Once an address object for the DNS server is added as a destination in the allow policy, the websites start working.

Example of the corrected policy below:

 

config firewall policy
    edit 20
        set name "Allow_Restricted_website"
        set srcintf "LAN"
        set dstintf "wan1"
        set action accept
        set srcaddr "LAN"
        set dstaddr "Restricted_website" "DNS_Server" <---------- DNS server address object added.
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
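To make the ordering problem visible, the following is an added Python simulation (not from the article or FortiOS) of top-down, first-match policy evaluation over the two policy sets above. The IP addresses are constructed placeholders, and "DNS_Server" is assumed to be an address object for the clients' DNS resolver.

```python
from dataclasses import dataclass

# Constructed placeholder addresses (TEST-NET ranges), not real resolutions.
# "Restricted_website" stands for the FQDN object for example.com; "DNS_Server"
# is an assumed address object for the clients' DNS resolver.
ADDRESS_OBJECTS = {
    "Restricted_website": {"203.0.113.10"},
    "DNS_Server": {"192.0.2.53"},
}

@dataclass
class Policy:
    policy_id: int
    action: str          # "accept" or "deny"
    dstaddr: list        # address object names, as in `set dstaddr ...`
    service: str = "ALL"

def dst_matches(names, dst_ip):
    """True if dst_ip belongs to any named address object ("all" matches everything).
    A name that does not exist exactly (e.g. one with stray spaces) matches nothing."""
    for name in names:
        if name == "all" or dst_ip in ADDRESS_OBJECTS.get(name, set()):
            return True
    return False

def evaluate(policies, dst_ip, service):
    """Top-down, first-match evaluation with the implicit deny at the end (policy 0)."""
    for p in policies:
        if p.service in ("ALL", service) and dst_matches(p.dstaddr, dst_ip):
            return p.action, p.policy_id
    return "deny", 0

# The article's first attempt: website allowed, everything else denied.
BEFORE = [Policy(20, "accept", ["Restricted_website"]),
          Policy(21, "deny", ["all"])]
# The corrected policy set: the DNS server is added to the allow policy.
AFTER = [Policy(20, "accept", ["Restricted_website", "DNS_Server"]),
         Policy(21, "deny", ["all"])]

if __name__ == "__main__":
    for label, policies in (("before", BEFORE), ("after", AFTER)):
        print(label, "DNS  ->", evaluate(policies, "192.0.2.53", "DNS"))
        print(label, "HTTPS ->", evaluate(policies, "203.0.113.10", "HTTPS"))
```

Running it shows the DNS query hitting policy 21 (deny) in the first set and policy 20 (accept) in the corrected one; it also shows that an object name with stray spaces inside the quotes matches nothing.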