Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
candawi
Staff
Staff

Created on ‎01-22-2024 09:44 PM Edited on ‎10-03-2025 06:51 AM By Moderator

Article Id 295503

Technical Tip: Use web filter to block all sites except Gmail

Description

 

This article describes how to use web filters to block most sites and allow Gmail access only. When tested, the browser is still able to show browser results such as images. See samples below:

 

ex2.jpg

  ex1.jpg

 

Scope

 

FortiGate.

 

Solution

 

  1. Create a new Web Filter in Security Profiles. Name the new Web Filter.

 

1.jpg

 

  • Enable the Static URL Filter.

 

2.jpg

 

  • Create a new URL Filter. YouTube might still be accessible, but videos will not load on this configuration.


3.jpg

 

URL: *youtube.com/*
Type: Wildcard
Action: Block

URL: *.google.com/gmail/*
Type: Wildcard
Action: Exempt

URL: *gmail.com/*
Type: Wildcard
Action: Exempt

URL: *mail.google.com/*
Type: Wildcard
Action: Exempt

URL: *.google.com/*
Type: Wildcard
Action: Exempt

URL: *accounts.google.com/*
Type: Wildcard
Action: Exempt

URL: *gstatic.*
Type: Wildcard
Action: Exempt

URL: *googleapis*
Type: Wildcard
Action: Exempt

URL: *google.*
Type: Wildcard
Action: Exempt

 

URL: *mail-attachment.googleusercontent*
Type: Wildcard
Action: Exempt

URL: *
Type: Wildcard
Action: Block

 

  • Keep the rules in that order. The * with block rule must be the bottom, and *youtube.com/* must be the top. Once done, save the Web Filter.

 

4.jpg

 

  • Select 'Apply'.

 

  1. Apply this created web filter and device to the IPv4 policy under Policy & Objects.
  • Create a New IPv4 policy
  • For Source, set the Address to 'all' or a specific address to apply this policy to.
  • For Destination, set Address to 'all'.
  • Set Inspection Mode to Proxy-Based.
  • Enable the Web Filter in the Security Profiles.
  • Set it to the Web Filter profile created in Step 1.
  • Enable the SSL Inspection.
  • Set it to deep-inspection.

 

5.jpg

 

Make sure that the policy customized in step 2 is higher than a policy that is allowed to access the Internet, if there is such a policy. The first IPv4 policy that matches the parameters of the IPv4 policy should be followed. Reference: Firewall policies.

 

  1. If there are certificate errors, refer to these guides:

Preventing certificate warnings (default certificate)

Deep inspection 

Install the default deep inspection certificate on the machine. 

 

  1. Test if Gmail is accessible by opening an incognito window. Try to clear the sessions of the FortiGate and clear the cache of the browser if other sites are still working.

Refer to the links below for further reading:
Changing inspection mode: Technical Tip: Changing the inspection mode of the firewall
Effects of changing the inspection mode: Technical Tip: Effects of changing the inspection mode. Creating security policies for different users: Creating the Admin user, device, and policy.
Guide for static URL filter: URL filter.
Why SSL Inspection: Why you should use SSL inspection.
Explanation of certificate warnings when using web filtering: Technical Tip: Web Filtering certificate warning.

 

Note:
In the latest firmware versions (above v7.0), the option for IPv4 policy is replaced with Firewall policy under Policy & Objects.

6625
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.