Blocking Facebook

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

This recipe explains how to block access to Facebook on your network with a Web Filter security profile and an Application Control security profile. This recipe works on FortiGates operating in flow-based profile inspection mode or proxy-based inspection mode.

You will need a WiFi network configured on your FortiGate. See Setting up WiFi with a FortiAP or Setting up a WiFi Bridge with a FortiAP.

Find this recipe for other FortiOS versions:
5.2 | 5.4 | 5.6

1. Enable Web Filtering and Application Control

Go to System > Feature Visibility to enable the Web Filter and Application Control features.

2. Edit the default Web Filter profile

Go to Security Profiles > Web Filter and edit the default profile.

To block Facebook, go to Static URL filter, enable URL Filter, and then click + Create.

Set URL to *facebook.com. Set Type to Wildcard, set Action to Block, and set Status to Enable.

3. Edit the default Application Control profile

Go to Security Profiles > Application Control and edit the default profile.

To block Facebook, go to Application Overrides and click on + Add Signatures.

 
Click  Add Filter. Select Name and enter Facebook to reveal a list of all the signatures for Facebook applications. Select all the signatures and click Use Selected Signatures.  
Confirm that the Action is set to Block for each of the Facebook application signatures and select Apply.

4. Create the security policy

Go to Policy & Objects > IPv4 Policy, and click + Create New. Give the policy an identifying name. In this example, blocking-facebook.

Set Incoming Interface to the internal network and set Outgoing Interface to the Internet-facing interface.

Enable NAT.

Under Security Profiles, enable Web Filter and Application Control. Select the default web filter and application control profiles.

Once you select those profiles, SSL/SSH Inspection is enabled by default. If you are using proxy-based inspection mode, then Proxy Options will also be enabled by default.

To inspect all traffic, SSL/SSH inspection must be set to deep-inspection profile.

 

The new policy must be first on the list in order to be applied to Internet traffic. Confirm this by viewing policies By Sequence.

To move a policy up or down, click and drag the far-left column of the policy.

If your FortiAP is configured in tunnel mode, you will need to edit the wireless policy and apply the web filter and application control security profiles to that policy.

5. Results

Visit facebook.com.

HTTPS is automatically applied to facebook.com, even if it is not entered in the address bar. A Web Page Blocked! message appears. 

A FortiGuard warning message will appear, stating that the application was blocked.

 

Visit a subdomain of Facebook, for example, attachments.facebook.com.

A Web Page Blocked! message appears, blocking the subdomain.  

 

Using a mobile device, or any device that has the Facebook app installed, ensure that you are connected to the Internet. Open the Facebook app and login. You should not be able to connect.

 

Go to Log & Report > Web Filter. You will see that facebook.com and attachments.facebook.com are blocked by the FortiGate.

 
Go to Log & Report > Application Control. You will see that the Facebook application is blocked by the FortiGate.   

For further reading, check out Static URL Filter and Application Control in the FortiOS 5.6 Handbook.

Judith Haney

Judith Haney

Technical Writer at Fortinet
Judith Haney is a Technical Writer on the FortiOS technical documentation team. She graduated with honours from Algonquin College's Technical Writer program in September 2014. In a previous lifetime, Judith earned degrees in Mathematics (B.S.) and French literature (M.A.).
Judith Haney

Latest posts by Judith Haney (see all)

  • Was this helpful?
  • Yes   No
Using the deep-inspection profile may cause certificate errors. See Preventing certificate warnings for more information.
Application Control uses flow-based inspection; if you apply an additional security profile to your traffic that is proxy-based, the connection will simply timeout rather than display the warning message. However, Application Control will still function.