
New Features

Restricted SaaS Access (O365, G Suite, Dropbox)

Restricted SaaS Access (O365, G Suite, Dropbox)

This feature extends the web-proxy profile so that access permissions can be specified for Microsoft Office 365, Google G Suite, and Dropbox. It works by inserting vendor-defined HTTP request headers that restrict access to the specified tenants, domains, or teams. Because the headers are read and enforced by the SaaS provider, the restriction only applies to traffic that actually passes through the FortiGate proxy; clients with a direct path to the provider are not restricted. Custom headers for any destination can also be inserted.

The web-proxy profile is configured with the required headers for the specific destinations and is then applied to a firewall policy; the headers are inserted only into traffic that matches that policy.

To implement Office 365 tenant restriction, Dropbox network access control, and Google G Suite account access control on FortiGate, you need to:

  1. Configure a web-proxy profile according to the vendors' specifications:
    1. Define the traffic destination (the service provider's address object).
    2. Define the header name exactly as specified by the service provider.
    3. Define the header value to insert (your own tenant, domain, or team identifiers).
  2. Apply the web-proxy profile to a policy.

The following example creates a web-proxy profile for Office 365, G Suite, and Dropbox access control. Note that, because vendors change their requirements, this example may no longer match the vendors' official guidelines; verify the current header names and value formats with each vendor before deploying. The header values shown are placeholders and must be replaced with your own identifiers. Because the headers have to be inserted into HTTPS requests, the firewall policy that references the profile needs proxy-based inspection and an SSL/SSH inspection profile that performs full (deep) inspection for these destinations; with certificate inspection only, the request cannot be modified and the restriction will not be applied.

  1. Configure the web-proxy profile:
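    # Web-proxy profile that inserts the vendor-defined tenant/account restriction
    # headers into requests to Office 365, G Suite and Dropbox.
    # Header names are fixed by each vendor; every "content" value below is a
    # placeholder and must be replaced with your own identifiers.
    config web-proxy profile
       edit "SaaS-Tenant-Restriction"
            set header-client-ip pass
            set header-via-request pass
            set header-via-response pass
            set header-x-forwarded-for pass
            set header-front-end-https pass
            set header-x-authenticated-user pass
            set header-x-authenticated-groups pass
            set strip-encoding disable
            # NOTE(review): consider "enable" in production so every header
            # insertion is logged and the restriction can be audited.
            set log-header-change disable
            config headers
                edit 1
                    # Header name defined by the Office 365 tenant-restriction
                    # specification; enter it exactly as shown.
                    set name "Restrict-Access-To-Tenants"
                    # Built-in destination address object for Office 365.
                    set dstaddr "Microsoft Office 365"
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    # Inserting into HTTPS requires full (deep) SSL inspection
                    # on the policy that uses this profile.
                    set protocol https http
                    # Comma-separated list of the tenants users may reach
                    # (placeholders; replace with your allowed tenants).
                    set content "contoso.onmicrosoft.com,fabrikam.onmicrosoft.com"
                next
                edit 2
                    # Header name defined by the Office 365 tenant-restriction
                    # specification; enter it exactly as shown.
                    set name "Restrict-Access-Context"
                    # Built-in destination address object for Office 365.
                    set dstaddr "Microsoft Office 365"
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    # Placeholder only (not a valid GUID). Replace with your
                    # directory (tenant) ID, found in the Azure portal.
                    set content "456ff232-35l2-5h23-b3b3-3236w0826f3d"
                next
                edit 3
                    # Header name defined by Google G Suite.
                    set name "X-GooGApps-Allowed-Domains"
                    # Built-in destination address object for G Suite.
                    set dstaddr "G Suite"
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    # Placeholder; replace with the domain(s) of the G Suite
                    # account(s) users are allowed to sign in to.
                    set content "abcd.com"
                next
                edit 4
                    # Header name defined by Dropbox.
                    set name "X-Dropbox-allowed-Team-Ids"
                    # Built-in destination address object for Dropbox.
                    set dstaddr "wildcard.dropbox.com"
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    # Placeholder; replace with your Dropbox team ID.
                    set content "dbmid:FDFSVF-DFSDF"
                next
            end
        next
    end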
  2. Apply the web-proxy profile to a firewall policy:
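    # Firewall policy that applies the web-proxy profile. Header insertion is
    # performed by the proxy, so the policy must use proxy inspection mode, and
    # the referenced SSL/SSH profile must perform full (deep) inspection for
    # the SaaS destinations or the HTTPS requests cannot be modified.
    # The example matches all sources, destinations and services; scope
    # srcaddr/dstaddr/service to what you actually need in production.
    config firewall policy
         edit 1
            set name "WF"
            # Optional when creating a new policy: FortiOS generates a UUID.
            set uuid 09928b08-ce46-51e7-bd95-422d8fe4f200
            set srcintf "port10" "wifi"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            # The profile configured above; headers are inserted only into
            # traffic matched by this policy.
            set webproxy-profile "SaaS-Tenant-Restriction"
            set utm-status enable
            # Required: header insertion is only possible in proxy mode.
            set utm-inspection-mode proxy
            # Log all sessions so restricted-access attempts are visible.
            set logtraffic all
            # The following profile objects are example-specific and must
            # already exist on the FortiGate.
            set webfilter-profile "blocktest2"
            set application-list "g-default"
            set profile-protocol-options "protocol"
            # Must be a deep-inspection profile for the SaaS destinations.
            set ssl-ssh-profile "protocols"
            set nat enable
        next
    end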

Restricted SaaS Access (O365, G Suite, Dropbox)

Restricted SaaS Access (O365, G Suite, Dropbox)

This feature extends the web-proxy profile so that access permissions can be specified for Microsoft Office 365, Google G Suite, and Dropbox. It works by inserting vendor-defined HTTP request headers that restrict access to the specified tenants, domains, or teams. Because the headers are read and enforced by the SaaS provider, the restriction only applies to traffic that actually passes through the FortiGate proxy; clients with a direct path to the provider are not restricted. Custom headers for any destination can also be inserted.

The web-proxy profile is configured with the required headers for the specific destinations and is then applied to a firewall policy; the headers are inserted only into traffic that matches that policy.

To implement Office 365 tenant restriction, Dropbox network access control, and Google G Suite account access control on FortiGate, you need to:

  1. Configure a web-proxy profile according to the vendors' specifications:
    1. Define the traffic destination (the service provider's address object).
    2. Define the header name exactly as specified by the service provider.
    3. Define the header value to insert (your own tenant, domain, or team identifiers).
  2. Apply the web-proxy profile to a policy.

The following example creates a web-proxy profile for Office 365, G Suite, and Dropbox access control. Note that, because vendors change their requirements, this example may no longer match the vendors' official guidelines; verify the current header names and value formats with each vendor before deploying. The header values shown are placeholders and must be replaced with your own identifiers. Because the headers have to be inserted into HTTPS requests, the firewall policy that references the profile needs proxy-based inspection and an SSL/SSH inspection profile that performs full (deep) inspection for these destinations; with certificate inspection only, the request cannot be modified and the restriction will not be applied.

  1. Configure the web-proxy profile:
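    # Web-proxy profile that inserts the vendor-defined tenant/account restriction
    # headers into requests to Office 365, G Suite and Dropbox.
    # Header names are fixed by each vendor; every "content" value below is a
    # placeholder and must be replaced with your own identifiers.
    config web-proxy profile
       edit "SaaS-Tenant-Restriction"
            set header-client-ip pass
            set header-via-request pass
            set header-via-response pass
            set header-x-forwarded-for pass
            set header-front-end-https pass
            set header-x-authenticated-user pass
            set header-x-authenticated-groups pass
            set strip-encoding disable
            # NOTE(review): consider "enable" in production so every header
            # insertion is logged and the restriction can be audited.
            set log-header-change disable
            config headers
                edit 1
                    # Header name defined by the Office 365 tenant-restriction
                    # specification; enter it exactly as shown.
                    set name "Restrict-Access-To-Tenants"
                    # Built-in destination address object for Office 365.
                    set dstaddr "Microsoft Office 365"
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    # Inserting into HTTPS requires full (deep) SSL inspection
                    # on the policy that uses this profile.
                    set protocol https http
                    # Comma-separated list of the tenants users may reach
                    # (placeholders; replace with your allowed tenants).
                    set content "contoso.onmicrosoft.com,fabrikam.onmicrosoft.com"
                next
                edit 2
                    # Header name defined by the Office 365 tenant-restriction
                    # specification; enter it exactly as shown.
                    set name "Restrict-Access-Context"
                    # Built-in destination address object for Office 365.
                    set dstaddr "Microsoft Office 365"
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    # Placeholder only (not a valid GUID). Replace with your
                    # directory (tenant) ID, found in the Azure portal.
                    set content "456ff232-35l2-5h23-b3b3-3236w0826f3d"
                next
                edit 3
                    # Header name defined by Google G Suite.
                    set name "X-GooGApps-Allowed-Domains"
                    # Built-in destination address object for G Suite.
                    set dstaddr "G Suite"
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    # Placeholder; replace with the domain(s) of the G Suite
                    # account(s) users are allowed to sign in to.
                    set content "abcd.com"
                next
                edit 4
                    # Header name defined by Dropbox.
                    set name "X-Dropbox-allowed-Team-Ids"
                    # Built-in destination address object for Dropbox.
                    set dstaddr "wildcard.dropbox.com"
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    # Placeholder; replace with your Dropbox team ID.
                    set content "dbmid:FDFSVF-DFSDF"
                next
            end
        next
    end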
  2. Apply the web-proxy profile to a firewall policy:
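    # Firewall policy that applies the web-proxy profile. Header insertion is
    # performed by the proxy, so the policy must use proxy inspection mode, and
    # the referenced SSL/SSH profile must perform full (deep) inspection for
    # the SaaS destinations or the HTTPS requests cannot be modified.
    # The example matches all sources, destinations and services; scope
    # srcaddr/dstaddr/service to what you actually need in production.
    config firewall policy
         edit 1
            set name "WF"
            # Optional when creating a new policy: FortiOS generates a UUID.
            set uuid 09928b08-ce46-51e7-bd95-422d8fe4f200
            set srcintf "port10" "wifi"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            # The profile configured above; headers are inserted only into
            # traffic matched by this policy.
            set webproxy-profile "SaaS-Tenant-Restriction"
            set utm-status enable
            # Required: header insertion is only possible in proxy mode.
            set utm-inspection-mode proxy
            # Log all sessions so restricted-access attempts are visible.
            set logtraffic all
            # The following profile objects are example-specific and must
            # already exist on the FortiGate.
            set webfilter-profile "blocktest2"
            set application-list "g-default"
            set profile-protocol-options "protocol"
            # Must be a deep-inspection profile for the SaaS destinations.
            set ssl-ssh-profile "protocols"
            set nat enable
        next
    end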