Blocking Google access for consumer accounts

In this recipe, you will block access to Google services for consumer accounts, while allowing access for corporate accounts.

If your organization has set up a Google corporate account to be able to use Google services, such as Gmail and Google Docs, this recipe can be used to block users from accessing those services with their own personal accounts. In this example, a corporate account has been created that uses the domain fortidocs.com.

1. Editing the default web filter profile to restrict Google access

Go to Security Profiles > Web Filter and edit the default profile.

Make sure that Inspection Mode is set to Proxy. Under Proxy Options, select Restrict Google Account Usage to Specific Domains.

Select Create New in the list that appears and add an entry for the domains for your Corporate Google accounts (in the example, fortidocs.com).

 

Due to a known issue, if you are running FortiOS 5.2.2, this feature can only be configured using the CLI.

The commands shown on the right will duplicate the web filter profile created in the above GUI steps.

See the Security Profiles handbook for FortiOS 5.2 for more details about this feature.

config web-proxy profile
   edit restrict-google-accounts-1
     config headers
       edit 1
         set name X-GoogApps-Allowed-Domains
         set content fortidocs.com
       end
     end
   end
end

config webfilter urlfilter
   edit 1
     set name default
     config entries
       edit 1
         set url *.google.com
         set type wildcard
         set action allow
         set web-proxy-profile restrict-google-accounts-1
       end
     end
   end
end

config webfilter profile
   edit default
     config web
       set urlfilter-table 1
     end
   end
end

2. Adding the profile to your Internet-access policy

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet.

Enable Web Filter and set it to use the default profile. Doing this will automatically enable SSL/SSH Inspection. Set this to use the deep-inspection profile.

 

3. Results

Log in to Google using a personal account. After you are authenticated, attempt to access a Google service, such as Gmail or Google Drive.

A message appears from Google stating that the service is not available.

 

Sign out of the personal account and instead use your corporate account (in the example, test@fortidocs.com).

You can now access the Google service.

 

For further reading, check out Web filter in the FortiOS 5.2 Handbook.

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

Share this recipe:

Facebooktwittergoogle_pluslinkedin
Using the deep-inspection profile may cause certificate errors. For information about avoiding this, see Preventing certificate warnings.

Leave a comment:

Before commenting, please read the site's comment policy. Only questions related to documentation will be answered. For other concerns, please contact Fortinet support.

  • Tom T

    Dear Victoria, I am Tom from Malaysia Education sector. I am currently using FortiGate 300c with firmware v5.2.3. I currently having trouble controlling user (Android) from access Google Play Store during office our. Is there any guideline helping me to controlling access to Google Play Store? Hope to hear from you soon. Thanks.

    • Victoria Martin

      Hi Tom,

      If you want to block access to Google Play, I would recommend using Application Control, which has a signature for Google Play. The process would be similar to an existing recipe about blocking the App store for Mac and iOS devices, which you can find here: http://cookbook.fortinet.com/controlling-access-to-app-store/