How to block https but unblock Line application
How to block https but I want to unblock the Line application (naver.line)
I can't set a policy to block https and unblock the Line application (naver.line)
Help me please
Config on FortiGate 110C

3 REPLIES 3
I don't see such an application sensor in FortiGate (not in 5.0.7 at least), so you can't use that feature to find out if the application is communicating.
How about enabling all HTTPS sessions to gm.line.naver.jp and blocking everything else?
That's the LIME server AFAIK. Would be easier to implement.
Or as Plan B, you can try to configure a custom application signature for this LIME and use it to enable/block access only for this app.
e.g.
F-SBID( --name "mahnoks_naver.line_signature"; --pattern "naver.jp";
--service HTTP; --no_case; --flow from_client;
--context host; )
You can then build a policy with the "mahnoks_naver.line_signature" application signature to enable traffic to the destination, but block everything else.
This will only work though if you do SSL offload at the FW and so it can look into the encrypted communication.
My first suggestion for this reason would be easier to implement.
You can go any farther and kill the DNS response if your goal is to block Line fully: just place an IPS sensor for "gm.line.naver.jp" with allow. Then block all other DNS requests.
config ips custom
edit "naver.jp"
set signature "F-SBID( --name \"NaverDnsBlk\"; --rev 1; --protocol udp; --service DNS; --flow from_client; --byte_test 1,<,128,2; --pattern \"naver.jp\"; --context host; --no_case; )"
end
Apply a rule for your DNS traffic and a security policy. This with the above HTTP traffic sign should squash all other traffic. Just monitor for a few days/weeks.
It would be nice if FortiGate had some response forging or spoofing so you could redirect them to a page that explains your company policy or AUP.
PCNSE
NSE
StrongSwan
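
The first reply's suggestion (allow HTTPS only to gm.line.naver.jp, deny all other HTTPS) written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread; the address object name "line-gm" and the interface names "internal" and "wan1" are assumptions to adapt to the unit.

```fortios
# Address object that the FortiGate resolves by name (object name is an assumption)
config firewall address
    edit "line-gm"
        set type fqdn
        set fqdn "gm.line.naver.jp"
    next
end

# Policies are evaluated top-down: the allow rule must sit above the deny rule.
# "edit 0" creates each policy with the next free ID.
config firewall policy
    edit 0
        # Allow HTTPS only to the host named in the thread
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "line-gm"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
    edit 0
        # Deny every other HTTPS destination
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "HTTPS"
    next
end
```

An FQDN address object matches on the IP addresses the FortiGate itself resolves, so the firewall and the clients should use the same DNS resolver; this approach matches on destination only and needs no SSL inspection.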
