Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AlexandreAguirre
New Contributor

How to access only company domain emails

Hey guys !

I'm new to using Fortigate, I have it deployed here at the company, and everything is working very well. However, a need arose in which we need employees to have access only to the emails of the company's domain, eg: @xxxxx.com.br (google) and @xxxxx.net.br (locaweb), could someone help me on how is it possible to configure this rule?

Thank you all in advance!

2 REPLIES 2
mle2802
Staff
Staff

Hi there,

You can create FQDN address object and create a policy using this as destination. Please refer to this document for more detail "https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/707266/fqdn-addresses"

Regards,
Minh

xsilver_FTNT
Staff
Staff

Hi @AlexandreAguirre ,

it depends on what do you consider "access" is. And if you want to allow access to corporate, or also prohibit all other email services.

 

As they could access other email services like GMail via web broweser.
And so it might be helpful to make firewall policy with WebFilter and/or DNS Filter to prevent that.
SSL Deep Inspection would be needed, so https://gmail.com would not be problem and clients can not hide inside encrypted tunnel. However that also depends on your local law and legal regulations as some services (typically bank access, not exclusively only this) could be by law mandated to be accessible via uninterrupted tunnel. And as deep inspection is basically MitM (Man in the Middle - decrypting and re-encrypting tunnel), then it might be against the law to do so on some services or even completely against the law.
One drawback is that all the clients/workstations/devices must trust to CA certificate you'll use in deep inspection. Otherwise browsers will pop-up warning that traffic is interrupted and possibly inspected. Which could be intentionally used as warning sign, or suppressed by use of trusted CA cert for inspection.
Some services do use bidirectional certificate validation and those will usually fail once they detect MitM actor. As they know well what cert they expect from the opposite party and if that does not match completely they'll drop connection.

 

Another way to access other emails is from mail clients, so POP3 or IMAP used for email downloads (and management in case IMAP is used), and SMTP for email sending.
Note that there are base ports, but also TLS encrypted ports and so services .. SMTP + SMTPS etc.
Therefore respective "Service" part of firewall policy/policies have to be set.

Either to list respective services, or you can create your own service group for all email related stuff, or use built-in group "Email Access".

 

email-services.jpg

Hope that helped a bit.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors