Hi, I am after some guidance on anyone who has setup a DMZ Server to utilise Google re-CAPTCHA.   The DMZ area is restricted for outbound Internet access and any server that requires a service is locked down to only what it needs.

What is the best action to allow a DMZ server to Google re-CAPTCHA on a Fortigate 600F Firewall?

Info.  Google apparently uses 

https://www.google.com/recaptcha/api/siteverify   &  https://www.google.com/recaptcha/api.js 

DNS to resolve to google.com

The odd guide recommends allowing access to the following subnets but this equates to around 212,992 IP Addresses.

The reCAPTCHA servers can be located on any IP address owned by Google. While we can not provide official support for IP Address-based ACLs, Google's public IP space can be found by issuing the following command from a Linux/Unix box:

dig -t TXT _netblocks.google.com

The result right now is:

ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16

 The Fortigate doesn't have a predefined Internet Service for Google re-CAPTCHA so is there a way of restricting this any further or will it need allowing the vast IP range?

Is there a way to allow the full URL's for the Captcha as the entire url is not a FQDN?

Thoughts & Help would be appreciated.