FortiGate
candawi
Staff
Article Id 295503
Description

This article describes how to use a web filter to block most sites and allow only Gmail access. Note that after this configuration is applied, the browser can still display Google search results, including images (the original article includes screenshots of this behaviour).


Scope

FortiGate.

Solution

  1. Create a new Web Filter under Security Profiles and give it a name.

  • Enable the Static URL Filter.

  • Create the URL filter entries below. With this configuration YouTube may still be reachable, but videos will not load.

URL: *youtube.com/*
Type: Wildcard
Action: Block

URL: *.google.com/gmail/*
Type: Wildcard
Action: Exempt

URL: *gmail.com/*
Type: Wildcard
Action: Exempt

URL: *mail.google.com/*
Type: Wildcard
Action: Exempt

URL: *.google.com/*
Type: Wildcard
Action: Exempt

URL: *accounts.google.com/*
Type: Wildcard
Action: Exempt

URL: *gstatic.*
Type: Wildcard
Action: Exempt

URL: *googleapis*
Type: Wildcard
Action: Exempt

URL: *google.*
Type: Wildcard
Action: Exempt
URL: *mail-attachment.googleusercontent*
Type: Wildcard
Action: Exempt

URL: *
Type: Wildcard
Action: Block


  • Keep the entries in this order: the "*" Block entry must be the last entry and "*youtube.com/*" must be the first. Once done, save the Web Filter.

  • Select 'Apply'.

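Because the static URL filter is evaluated from the top and the first matching entry decides the action, the order the article insists on is part of the policy itself. The following Python script is an added example, not Fortinet's code or part of the original article: it replays the entry list above against a few constructed URLs, using shell-style wildcard matching as an approximation of FortiGate's "Wildcard" type (assumed here to be matched against host and path with the scheme removed, case-insensitively). It shows that YouTube is blocked, Gmail is exempted, an arbitrary site falls through to the final "*" Block entry, and a Google image search is still exempted by the broad "*.google.com/*" entry, which is the behaviour noted in the Description. It also shows what happens if the "*" Block entry is moved to the top.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed copy of the article's static URL filter entries, top to bottom.
# The article's ordering rule: "*youtube.com/*" Block first, "*" Block last.
URL_FILTER = [
    ("*youtube.com/*", "block"),
    ("*.google.com/gmail/*", "exempt"),
    ("*gmail.com/*", "exempt"),
    ("*mail.google.com/*", "exempt"),
    ("*.google.com/*", "exempt"),
    ("*accounts.google.com/*", "exempt"),
    ("*gstatic.*", "exempt"),
    ("*googleapis*", "exempt"),
    ("*google.*", "exempt"),
    ("*mail-attachment.googleusercontent*", "exempt"),
    ("*", "block"),
]


def normalize(url: str) -> str:
    """Reduce a URL to host + path + query, lower-cased.

    Assumption: FortiGate compares wildcard entries against the URL without
    the scheme, which is how the article's entries (e.g. "*youtube.com/*")
    are written.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.netloc}{path}{query}".lower()


def first_match(url: str, rules=URL_FILTER):
    """First-match evaluation: walk the list top to bottom and return the
    (action, pattern) of the first entry that matches, or ("no match", None).

    fnmatch's "*" matches any run of characters, including "/", which is
    the approximation of FortiGate's wildcard type used here.
    """
    subject = normalize(url)
    for pattern, action in rules:
        if fnmatch.fnmatchcase(subject, pattern.lower()):
            return action, pattern
    return "no match", None


def check_order(rules=URL_FILTER) -> bool:
    """Sanity check for the ordering the article requires: YouTube block on
    top, catch-all block at the bottom."""
    return rules[0] == ("*youtube.com/*", "block") and rules[-1] == ("*", "block")


if __name__ == "__main__":
    # Constructed sample URLs a client might request.
    samples = [
        "https://www.youtube.com/watch?v=abc",
        "https://mail.google.com/mail/u/0/",
        "https://www.google.com/search?q=cats&tbm=isch",   # image search
        "https://example.com/",
    ]
    print("ordering ok:", check_order())
    for url in samples:
        action, pattern = first_match(url)
        print(f"{action:8} {url}  (matched {pattern!r})")

    # Misordered list: moving the "*" Block entry to the top blocks everything,
    # Gmail included, because nothing below it is ever evaluated.
    misordered = [URL_FILTER[-1]] + URL_FILTER[:-1]
    print("misordered:", first_match("https://mail.google.com/mail/", misordered))
```

The image-search result is the point to take away: the "*.google.com/*" and "*google.*" exemptions are broad enough to cover Google search, so this profile restricts browsing to Google-hosted sites rather than strictly to Gmail. Tightening that scope would mean replacing those entries with narrower ones and re-checking that Gmail's own dependencies (accounts, gstatic, googleapis, attachments) still match an Exempt entry above the final "*" Block.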

  2. Apply the Web Filter profile created above to an IPv4 policy under Policy & Objects:
  • Create a new IPv4 policy.
  • For Source, set Address to 'all' or to the specific address this policy should apply to.
  • For Destination, set Address to 'all'.
  • Set Inspection Mode to Proxy-based.
  • Under Security Profiles, enable Web Filter.
  • Set it to the Web Filter profile created in Step 1.
  • Enable SSL Inspection.
  • Set it to deep-inspection.


Make sure that the policy created in Step 2 sits above any existing policy that allows Internet access. Traffic is handled by the first IPv4 policy whose parameters match it. Reference: Firewall policies


  3. If certificate errors appear, refer to these guides:

Preventing certificate warnings (default certificate)

Deep inspection

Install the default deep inspection certificate on the client machine.


  4. Test whether Gmail is accessible from an incognito window. If other sites are still reachable, clear the FortiGate sessions and the browser cache, then test again.


Refer to the links below for further reading:
Changing inspection mode: Technical Tip: Changing the inspection mode of the firewall
Effects of changing the inspection mode: Technical Tip: Effects of changing the inspection mode
Creating security policies for different users: Creating the Admin user, device, and policy
Guide for static URL filter: URL filter
Why SSL Inspection: Why you should use SSL inspection
Explanation of certificate warnings when using web filtering: Technical Tip: Web Filtering certificate warning