imathew
Description

This article describes what the firewall does when 'Restrict Google account usage to specific domains' is configured.

Scope

FortiOS.

Solution

Requirement:

The firewall policy has to be in proxy-based inspection mode.

How it works:

The firewall injects the HTTP header X-GoogApps-Allowed-Domains into the request it forwards to the server.

It is also possible to inject multiple domains via the X-GoogApps-Allowed-Domains header, as a comma-separated list.

Firewall configuration:

 

From the GUI, under the Web Filter profile, add the domains that should be allowed access.

This creates the corresponding CLI changes on the firewall.

CLI configuration created by the firewall:

# config web-proxy profile
    edit "Auto-web-proxy-profile_iwd4cg3tf"
        config headers
            edit 1
                set name "X-GoogApps-Allowed-Domains"
                set content "abc.com, xyz.com"
            next
        end
    next
end

 

WAD debug logs:

[0x7f296af37af0] Received request from client: 192.168.100.182:63049
GET /ServiceLogin?service=accountsettings&continue=https://myaccount.google.com%3Futm_source%3Daccount-marketing-page%26utm_medium%3Dgo-to-account-butt... HTTP/1.1
Host: accounts.google.com
Connection: keep-alive
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

[0x7f296af37af0] Forward request to server:
GET /ServiceLogin?service=accountsettings&continue=https://myaccount.google.com%3Futm_source%3Daccount-marketing-page%26utm_medium%3Dgo-to-account-button HTTP/1.1
Host: accounts.google.com
Connection: keep-alive
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
X-GoogApps-Allowed-Domains: www.abc.com, www.xyz.com
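The two request dumps above are the evidence that the feature is working: the header is absent on the request received from the client and present on the copy forwarded to accounts.google.com. The following Python script is an added example, not code from this article or from Fortinet. It parses a WAD trace in the layout shown above, confirms that the forwarded request carries X-GoogApps-Allowed-Domains, and compares the injected domain list with the value configured under the web-proxy profile. The trace text embedded in the script is constructed to mirror the format, not a capture from a firewall; the function and variable names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed WAD debug excerpt (not captured from a live FortiGate): the
# request as received from the client and the copy forwarded to the server
# after the web-proxy profile has injected the header.
SAMPLE_WAD_DEBUG = """\
[0x7f296af37af0] Received request from client: 192.168.100.182:63049
GET /ServiceLogin?service=accountsettings HTTP/1.1
Host: accounts.google.com
Connection: keep-alive
Accept-Language: en-US,en;q=0.9

[0x7f296af37af0] Forward request to server:
GET /ServiceLogin?service=accountsettings HTTP/1.1
Host: accounts.google.com
Connection: keep-alive
Accept-Language: en-US,en;q=0.9
X-GoogApps-Allowed-Domains: abc.com, xyz.com
"""

HEADER_NAME = "x-googapps-allowed-domains"

# Section markers that WAD prints before each request dump.
SECTION_RE = re.compile(
    r"^\[(0x[0-9a-f]+)\] (Received request from client|Forward request to server)"
)


def parse_wad_requests(text: str) -> List[Dict]:
    """Split a WAD debug trace into request dumps.

    Each entry records the session id, the direction ("client" = received
    from the client, "server" = forwarded to the server), the request line
    and a dict of headers keyed by lower-cased name.
    """
    sections: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = {
                "session": m.group(1),
                "direction": "client" if m.group(2).startswith("Received") else "server",
                "request_line": None,
                "headers": {},
            }
            sections.append(current)
            continue
        if current is None or not line.strip():
            continue
        if current["request_line"] is None:
            current["request_line"] = line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep:
            current["headers"][name.strip().lower()] = value.strip()
    return sections


def parse_domain_list(value: str) -> List[str]:
    """The header carries a comma-separated domain list; normalise case and spacing."""
    return [d.strip().lower() for d in value.split(",") if d.strip()]


def check_injection(text: str, configured: List[str]) -> Dict:
    """Compare the injected header against the configured allow list.

    The check passes only when a forwarded request carries the header and
    its domain list equals the configured list. A header on the client-side
    copy is reported too, because the firewall, not the client, should add it.
    """
    want = set(parse_domain_list(",".join(configured)))
    requests = parse_wad_requests(text)
    client_has = any(
        HEADER_NAME in r["headers"] for r in requests if r["direction"] == "client"
    )
    injected: List[str] = []
    server_has = False
    for r in requests:
        if r["direction"] == "server" and HEADER_NAME in r["headers"]:
            server_has = True
            injected = parse_domain_list(r["headers"][HEADER_NAME])
    got = set(injected)
    return {
        "client_has_header": client_has,
        "server_has_header": server_has,
        "injected": injected,
        "missing": sorted(want - got),
        "unexpected": sorted(got - want),
        "ok": server_has and want == got,
    }


if __name__ == "__main__":
    # Value configured in the web-proxy profile: set content "abc.com, xyz.com"
    print(check_injection(SAMPLE_WAD_DEBUG, ["abc.com", "xyz.com"]))
```

Feed it the output of the WAD debug session instead of the embedded sample to verify a real deployment. The comparison normalises only case and whitespace, so a forwarded value such as "www.abc.com" against a configured "abc.com" is reported under "unexpected" and "missing" rather than silently accepted; that is deliberate, since the domain list Google evaluates is exactly the string the firewall sends.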

 

Note:

Microsoft/Outlook domains will not work unless the necessary configuration has been made in the Google Admin console.
