Restricted SaaS access (Office 365, G Suite, Dropbox)
With the web proxy profile, you can specify access permissions for Microsoft Office 365, Google G Suite, and Dropbox. You can insert vendor-defined headers that restrict access to the specific accounts. You can also insert custom headers for any destination.
You can configure the web proxy profile with the required headers for the specific destinations, and then directly apply it to a policy to control the header's insertion.
To implement Office 365 tenant restriction, G Suite account access control, and Dropbox network access control:
- Configure a web proxy profile according to the vendors' specifications:
- Define the traffic destination (service provider).
- Define the header name, defined by the service provider.
- Define the value that will be inserted into the traffic, defined by your settings.
- Apply the web proxy profile to a policy.
The following example creates a web proxy profile for Office 365, G Suite, and Dropbox access control.
Due to vendors' changing requirements, this example may no longer comply with the vendors' official guidelines. |
To create a web proxy profile for access control using the CLI:
- Configure the web proxy profile:
config web-proxy profile edit "SaaS-Tenant-Restriction" set header-client-ip pass set header-via-request pass set header-via-response pass set header-x-forwarded-for pass set header-front-end-https pass set header-x-authenticated-user pass set header-x-authenticated-groups pass set strip-encoding disable set log-header-change disable config headers edit 1 set name "Restrict-Access-To-Tenants" <---header name defined by Office365 spec. input EXACTLY as it is set dstaddr "Microsoft Office 365" <----built-in destination address for Office365 set action add-to-request set base64-encoding disable set add-option new set protocol https http set content "contoso.onmicrosoft.com,fabrikam.onmicrosoft.com" <----your tenants restriction configuration next edit 2 set name "Restrict-Access-Context" <----header name defined by Office365 spec. input EXACTLY as it is set dstaddr "Microsoft Office 365" <----build-in destination address for Office365 set action add-to-request set base64-encoding disable set add-option new set protocol https http set content "456ff232-35l2-5h23-b3b3-3236w0826f3d" <----your directory ID can find in Azure portal next edit 3 set name "X-GooGApps-Allowed-Domains" <----header name defined by Google G suite. set dstaddr "G Suite" <---- built-in G Suite destination address set action add-to-request set base64-encoding disable set add-option new set protocol https http set content "abcd.com" <----your domain restriction when you create G Suite account next edit 4 set name "X-Dropbox-allowed-Team-Ids" <----header defined by Dropbox set dstaddr "wildcard.dropbox.com" <----build-in destination address for Dropbox set action add-to-request set base64-encoding disable set add-option new set protocol https http set content "dbmid:FDFSVF-DFSDF" <----your team-Id in Dropbox next end next end
- Apply the web proxy profile to a firewall policy:
config firewall policy edit 1 set name "WF" set srcintf "port10" "wifi" set dstintf "port9" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set webproxy-profile "SaaS-Tenant-Restriction" set utm-status enable set utm-inspection-mode proxy set logtraffic all set webfilter-profile "blocktest2" set application-list "g-default" set profile-protocol-options "protocol" set ssl-ssh-profile "protocols" set nat enable next end