Chapter 1 What’s New for FortiOS 5.2.1 : Security Profiles : Web Filtering : Restrict Google Access to Corporate Accounts
  
Restrict Google Access to Corporate Accounts
A new option has been added to web filtering to restrict Google access to specific domains. This allows you to block access to some Google accounts and services while allowing access to corporate Google accounts.
To use this option, go to Security Profiles > Web Filter and select Restrict Google Account Usage to Specific Domains under Proxy Options. You can then add the appropriate Google domains that will be allowed.
After the web filter profile has been created, this feature is applied differently in the case of transparent proxy vs. explicit proxy. For transparent proxy, the web filter profile is added to a security policy. For explicit proxy, the web filter profile must be added to an explicit proxy profile.
This feature can also be configured using the CLI, where use of the Modifying HTTP Request Headers feature (see above) is required. In the following example, access to Personal Gmail accounts is blocked while access to Google Business Mail is allowed.
Syntax
1. The web-proxy profile is configured with a modified header:
config web-proxy profile
    edit "restrict-google-accounts-1"
        config headers
            edit 1
                set name "X-GoogApps-Allowed-Domains"
                set content "example.com"
            next
        end
    next
end
2. A URL filter is configured to use the web-proxy profile:
config webfilter urlfilter
    edit 1
        set name "GMAIL_TEST"
        config entries
            edit 1
                set url "*.google.com"
                set type wildcard
                set action allow
                set web-proxy-profile "restrict-google-accounts-1"
            next
        end
    next
end
3. A webfilter profile is configured that uses the URL filter:
config webfilter profile
    edit "GMAIL_TEST"
        ......
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            ......
        end
    next
end
4. Transparent proxy - the webfilter profile is applied to a security policy:
config firewall policy
    edit 1
        set srcintf "LAN"
        set dstintf "WAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "GMAIL_TEST"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end
5. Explicit proxy - the web-proxy profile and the web filter profile are applied to an explicit proxy policy:
config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set dstintf "WAN"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set webproxy-profile "restrict-google-accounts-1"
        set utm-status enable
        set webfilter-profile "GMAIL_TEST"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
    next
end
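The transparent-proxy chain in steps 1 to 4 restricts accounts only if every reference resolves and the policy decrypts HTTPS, because a header cannot be inserted into traffic the FortiGate does not decrypt. The Python audit below is an added example, not Fortinet code: `parse`, `audit` and the embedded sample are constructed for illustration, and it assumes deep inspection profiles are recognised by name (default "deep-inspection", as in step 4).

```python
import shlex

HEADER = "X-GoogApps-Allowed-Domains"

# Constructed sample mirroring steps 1-4 ("; " stands in for a newline).
SAMPLE = """
config web-proxy profile; edit "restrict-google-accounts-1"; config headers; edit 1
set name "X-GoogApps-Allowed-Domains"; set content "example.com"; next; end; next; end
config webfilter urlfilter; edit 1; config entries; edit 1
set web-proxy-profile "restrict-google-accounts-1"; next; end; next; end
config webfilter profile; edit "GMAIL_TEST"; config web; set urlfilter-table 1; end; next; end
config firewall policy; edit 1; set webfilter-profile "GMAIL_TEST"
set ssl-ssh-profile "deep-inspection"; next; end
""".replace("; ", "\n")

def parse(text):
    """Flatten FortiOS config into {(section, entry, ..., key): value}."""
    path, out = [], {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
        elif tok[0] == "edit":
            path.append(tok[1])
        elif tok[0] in ("next", "end"):
            path.pop()
        elif tok[0] == "set":
            out[tuple(path) + (tok[1],)] = " ".join(tok[2:])
    return out

def audit(text, policy_id, deep_profiles=("deep-inspection",)):
    """Return (allowed_domains, issues); deep_profiles is an assumed name list."""
    c, pol, issues = parse(text), ("firewall policy", policy_id), []
    if c.get(pol + ("ssl-ssh-profile",)) not in deep_profiles:
        issues.append("no deep inspection profile: HTTPS passes without the header")
    wf = c.get(pol + ("webfilter-profile",))
    table = c.get(("webfilter profile", wf, "web", "urlfilter-table"))
    proxies = {v for k, v in c.items()
               if k[:2] == ("webfilter urlfilter", table) and k[-1] == "web-proxy-profile"}
    allowed = [c.get(k[:-1] + ("content",)) for k, v in c.items()
               if k[0] == "web-proxy profile" and k[1] in proxies
               and k[-1] == "name" and v == HEADER]
    if not allowed:
        issues.append("policy does not reach a profile that sets " + HEADER)
    return allowed, issues
```

Custom deep inspection profiles with other names must be passed in `deep_profiles`, and the parser expects the `next`/`end` form used in a FortiOS configuration backup.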