FortiGate
saleha
Staff
Article Id 357822
Description

This article describes how to resolve a scenario where users are able to access a website but some content or page redirects do not load.

Scope

FortiGate - FortiOS.
Solution

This scenario illustrates firewall policies that use an FQDN address object as the destination:

  • The following setup allows access to nhl.com with only its FQDN as the destination, plus DNS traffic to the FortiGuard DNS server so that name resolution works:


config firewall address
    edit "NHL"
        set type fqdn
        set fqdn "nhl.com"
    next
    edit "96.45.45.45"
        set subnet 96.45.45.45 255.255.255.255
    next
end
config firewall policy
    edit 1
        set name "int"
        set srcintf "lan"
        set dstintf "wan"
        set action accept
        set srcaddr "all"
        set dstaddr "NHL"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 2
        set name "int2"
        set srcintf "lan"
        set dstintf "wan"
        set action accept
        set srcaddr "all"
        set dstaddr "96.45.45.45"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end


  • Here is the traffic log showing that the nhl.com traffic was allowed:

[Screenshot: nhld.png, traffic log with the allowed nhl.com traffic]


  • The problem is that, even though the page itself loaded, some of its content did not load fully or appeared broken:

[Screenshot: NHLp.png, the nhl.com page with missing or broken content]


  • The reason is that this website also needs traffic to destinations (other FQDNs and IP addresses) that do not resolve to nhl.com, and the policy denies those destinations.

Solution:

  • Create additional address objects for the denied destinations:


config firewall address
    edit "cookielaw"
        set type fqdn
        set fqdn "*.cookielaw.org"
    next
    edit "doubleclick.net"
        set type fqdn
        set fqdn "*.doubleclick.net"
    next
    edit "NHLE"
        set type fqdn
        set fqdn "nhle.com"
    next
    edit "googleapis"
        set type fqdn
        set fqdn "*.googleapis.com"
    next
    edit "clientwnswindows"
    next
    edit "googletagmanager"
        set type fqdn
        set fqdn "*.googletagmanager.com"
    next
    edit "172.217.1.98"
        set subnet 172.217.1.98 255.255.255.255
    next
    edit "142.250"
        set subnet 142.250.0.0 255.255.0.0
    next
end

 

  • Add the additional destinations to the policy so that the missing or broken content on that website can load:


config firewall policy
    edit 1
        set name "int"
        set srcintf "lan"
        set dstintf "wan"
        set action accept
        set srcaddr "all"
        set dstaddr "NHL" "NHLE" "googleapis" "doubleclick.net" "cookielaw" "clientwnswindows" "googletagmanager" "gstatic" "172.217.1.98" "142.250"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
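A quick consistency check for address objects and policies written in this CLI format, added here as an example (it is not part of the article and not a FortiOS tool): it flags an address object defined more than once, an object with no subnet or fqdn (FortiOS stores such an object as 0.0.0.0/0, so the policy would then match any destination), and a dstaddr that references an object that was never created. The sample config is constructed and only modelled on the objects above; the names "clientwnswindows" and "gstatic" are taken from the article.

```python
# Constructed sample in FortiOS CLI syntax, modelled on this article's address objects and policy.
SAMPLE_CONFIG = """config firewall address
    edit "cookielaw"
        set type fqdn
        set fqdn "*.cookielaw.org"
    next
    edit "cookielaw"
        set type fqdn
        set fqdn "*.cookielaw.org"
    next
    edit "clientwnswindows"
    next
end
config firewall policy
    edit 1
        set dstaddr "cookielaw" "clientwnswindows" "gstatic"
    next
end"""

def parse_fortios(text):
    """Return (addresses, policies): name -> list of {set key: values} blocks."""
    addresses, policies, section, current = {}, {}, None, None
    for parts in filter(None, (line.split() for line in text.splitlines())):
        if parts[0] == "config":
            section, current = " ".join(parts[1:]), None
        elif parts[0] == "edit":
            current, name = {}, parts[1].strip('"')
            if section == "firewall address":
                addresses.setdefault(name, []).append(current)  # keep every definition
            elif section == "firewall policy":
                policies[name] = current
        elif parts[0] == "set" and current is not None:
            current[parts[1]] = [v.strip('"') for v in parts[2:]]
    return addresses, policies

def audit(text):
    """Return findings for the three pitfalls; an empty list means none found."""
    addresses, policies = parse_fortios(text)
    findings = []
    for name, blocks in addresses.items():
        if len(blocks) > 1:
            findings.append(f"duplicate address object {name!r}")
        for block in blocks:
            if not block.keys() & {"subnet", "fqdn", "start-ip"}:
                findings.append(f"address {name!r} has no subnet/fqdn (defaults to 0.0.0.0/0)")
    for pid, policy in policies.items():
        for ref in policy.get("dstaddr", []):
            if ref != "all" and ref not in addresses:
                findings.append(f"policy {pid}: dstaddr {ref!r} is not a defined address object")
    return findings
```

Run `audit(SAMPLE_CONFIG)` on a full `show firewall address` / `show firewall policy` dump before committing a long FQDN allow list.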

 

  • The result is that the website loads all of the previously missing content, as shown in the screenshots below:

[Screenshot: nhlal.PNG, traffic log with the additional destinations allowed]

[Screenshot: nhl.PNG, the nhl.com page fully loaded]


Note: This type of configuration does not scale when the goal is to limit allowed traffic, because most web service providers rely heavily on Content Delivery Networks (CDNs). An alternative to building firewall policies and manually adding FQDNs is to use Web filtering security profiles, which control access to destinations based on Web filter categories rather than only the FQDN of the website. Information about the use of Web filtering profiles can be found on the Fortinet Docs website: Web filter.