FrankY1
Staff
Article Id 292054
Description This article explains why, when the proxy option 'Restrict Google account usage to specific domains' is in use and working as expected (only the specified domains are allowed and all other domains are rejected), the logs show no blocked traffic and all traffic appears as accepted.
Scope FortiGate.
Solution

This is the expected behavior: the traffic is not blocked by FortiGate.

Google makes this restriction possible by inspecting the 'X-GoogApps-Allowed-Domains' header in HTTP.

When this header is used in conjunction with a list of domains, Google can determine which domains are allowed and then block all others. Acting as a web proxy, FortiGate can intercept the HTTP requests and add this header with the allowed domain list.

This is why FortiGate does not block any domains. Instead, it simply inserts the 'X-GoogApps-Allowed-Domains' header and passes the packets to Google, which then takes action to allow or reject the requests.

 

Example:

In the Web Filter profile, only 'fortinet.com' is the allowed domain: 

 

chrome_7lAfC0h2dX.png

 

Other domains are blocked, as shown by the test result on the client machine trying to log in to Gmail using a personal Gmail account:

 

mstsc_3C21HaWzex.png

 

In the logs, the traffic is accepted, and there is no block happening on the firewall:

 

chrome_9kGZeYImM0.png

 

In the packet capture, the 'X-GoogApps-Allowed-Domains' header is inserted with the permitted domain 'fortinet.com':

 

mstsc_XsHi7CqAtp.png
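
Because the firewall log only shows accepted traffic, the inserted header is the evidence that the restriction is being applied. The following is an added example (not from the original article or from Fortinet) that checks a captured, decrypted HTTP request for the header; the sample requests and host name are constructed, and the comma-separated value format is assumed from Google's documentation of this header.

```python
# Added example: verify that a captured HTTP request carries the
# 'X-GoogApps-Allowed-Domains' header with the expected domain list.
HEADER = "x-googapps-allowed-domains"

# Constructed sample requests (not taken from the article's capture).
BEFORE_PROXY = (b"GET / HTTP/1.1\r\n"
                b"Host: mail.google.com\r\n"
                b"User-Agent: test-client\r\n\r\n")
AFTER_PROXY = (b"GET / HTTP/1.1\r\n"
               b"Host: mail.google.com\r\n"
               b"User-Agent: test-client\r\n"
               b"X-GoogApps-Allowed-Domains: fortinet.com\r\n\r\n")

def parse_headers(raw: bytes):
    """Return (name, value) pairs from a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:       # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_allowed_domains(raw: bytes, expected):
    """Classify a request as 'ok', 'missing', 'duplicate' or 'mismatch'."""
    values = [v for n, v in parse_headers(raw) if n == HEADER]
    if not values:
        return "missing"        # header was not inserted on this path
    if len(values) > 1:
        return "duplicate"      # more than one copy reached the server side
    seen = {d.strip().lower() for d in values[0].split(",") if d.strip()}
    wanted = {d.strip().lower() for d in expected}
    return "ok" if seen == wanted else "mismatch"

if __name__ == "__main__":
    for label, req in (("before proxy", BEFORE_PROXY),
                       ("after proxy", AFTER_PROXY)):
        print(label, "->", check_allowed_domains(req, ["fortinet.com"]))
```

A result of 'missing' on traffic captured after the FortiGate means the request did not pass through the profile that inserts the header, even though the log would still show it as accepted.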

 

 

Related documents:
https://support.google.com/a/answer/1668854?hl=en#zippy=%2Cstep-choose-a-web-proxy-server%2Cstep-con...
Technical Tip: How to enable access only to internal domains hosted on Google while web filter categ...
