Restricted SaaS Access (0365, G-Suite, Dropbox)
This feature extends the web-proxy profile to allow for specifying access permissions for Microsoft Office 365, Google G Suite, and Dropbox. It works by inserting vendor defined headers that restrict access to the specific accounts. Custom headers for any destination can also be inserted.
The web-proxy profile can be configured with the required headers for the specific destinations, and then applied directly into a policy to control the header's insertion.
To implement Office 365 tenant restriction, Dropbox network access control, and Google G Suite account access control on FortiGate, you need to:
- Configure a web-proxy profile according to the vendors' specifications:
- Define the traffic destination (service provider).
- Define the header name, defined by the service provider.
- Define the value that will be inserted into the traffic, defined by your settings.
- Apply the web-proxy profile to a policy.
The following example creates a web-proxy profile for Office 365, G Suite, and Dropbox access control. Note that, due to vendors' changing requirements, this example may no longer be in compliance with the vendors' official guidelines.
- Configure the web-proxy profile:
config web-proxy profile edit "SaaS-Tenant-Restriction" set header-client-ip pass set header-via-request pass set header-via-response pass set header-x-forwarded-for pass set header-front-end-https pass set header-x-authenticated-user pass set header-x-authenticated-groups pass set strip-encoding disable set log-header-change disable config headers edit 1 set name "Restrict-Access-To-Tenants" <---header name defined by Office365 spec. input EXACTLY as it is set dstaddr "Microsoft Office 365" <----built-in destination address for Office365 set action add-to-request set base64-encoding disable set add-option new set protocol https http set content "contoso.onmicrosoft.com,fabrikam.onmicrosoft.com" <----your tenants restriction configuration next edit 2 set name "Restrict-Access-Context" <----header name defined by Office365 spec. input EXACTLY as it is set dstaddr "Microsoft Office 365" <----build-in destination address for Office365 set action add-to-request set base64-encoding disable set add-option new set protocol https http set content "456ff232-35l2-5h23-b3b3-3236w0826f3d" <----your directory ID can find in Azure portal next edit 3 set name "X-GooGApps-Allowed-Domains" <----header name defined by Google G suite. set dstaddr "G Suite" <---- built-in G Suite destination address set action add-to-request set base64-encoding disable set add-option new set protocol https http set content "abcd.com" <----your domain restriction when you create G Suite account next edit 4 set name "X-Dropbox-allowed-Team-Ids" <----header defined by Dropbox set dstaddr "wildcard.dropbox.com" <----build-in destination address for Dropbox set action add-to-request set base64-encoding disable set add-option new set protocol https http set content "dbmid:FDFSVF-DFSDF" <----your team-Id in Dropbox next end next end - Apply the web-proxy profile to a firewall policy:
config firewall policy edit 1 set name "WF" set uuid 09928b08-ce46-51e7-bd95-422d8fe4f200 set srcintf "port10" "wifi" set dstintf "port9" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set webproxy-profile "SaaS-Tenant-Restriction" set utm-status enable set utm-inspection-mode proxy set logtraffic all set webfilter-profile "blocktest2" set application-list "g-default" set profile-protocol-options "protocol" set ssl-ssh-profile "protocols" set nat enable next end