Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
imathew
Staff
Staff

Created on ‎06-28-2022 11:05 PM Edited on ‎06-28-2022 11:06 PM By Community Manager

Article Id 216203

Troubleshooting Tip: Gmail Consumer Account Restriction – How firewall works

Description This article describes what a firewall does when customers configure 'Restrict Google account usage to specific domains'.
Scope

FortiOS.
Solution

Requirement:

 

The firewall/policy has to be in Proxy-based inspection mode.

 

How it works:

 

The firewall will inject the HTTP header X-GoogApps-Allowed-Domains.

It is also possible to inject multiple domains via the X-GoogApps-Allowed-Domains header.

 

Firewall configuration:

 

From GUI, under the Web filter, it is necessary to add the domains allow access to.

This will create corresponding CLI changes on the firewall.

 

imathew_0-1656481888457.png

 

Configuration on CLI injected by firewall.

 

# config web-proxy profile

    edit "Auto-web-proxy-profile_iwd4cg3tf"

        config headers

            edit 1

                set name "X-GoogApps-Allowed-Domains"

                set content "abc.com, xyz.com"

            next

        end

    next

end

 

WAD debug logs

 

[0x7f296af37af0] Received request from client: 192.168.100.182:63049

GET /ServiceLogin?service=accountsettings&continue=https://myaccount.google.com%3Futm_source%3Daccount-marketing-page%26utm_medium%3Dgo-to-account-butt... HTTP/1.1

Host: accounts.google.com

Connection: keep-alive

sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"

sec-ch-ua-mobile: ?0

sec-ch-ua-platform: "Windows"

Upgrade-Insecure-Requests: 1

Sec-Fetch-Site: same-site

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate, br

Accept-Language: en-US,en;q=0.9

 

 

[0x7f296af37af0] Forward request to server:
GET /ServiceLogin?service=accountsettings&continue=https://myaccount.google.com%3Futm_source%3Daccount-marketing-page%26utm_medium%3Dgo-to-account-button HTTP/1.1

Host: accounts.google.com

Connection: keep-alive

sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"

sec-ch-ua-mobile: ?0

sec-ch-ua-platform: "Windows"

Upgrade-Insecure-Requests: 1

Sec-Fetch-Site: same-site

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate, br

Accept-Language: en-US,en;q=0.9

X-GoogApps-Allowed-Domains: www.abc.com, www.xyz.com 

 

Note.

Microsoft/outlook domains will not work unless necessary configuration was made on google admin console.

Labels:
1502
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.