Restricted SaaS access

With the web proxy profile, you can specify access permissions for Microsoft Office 365, Google G Suite, and Dropbox. You can insert vendor-defined headers that restrict access to the specific accounts. You can also insert custom headers for any destination.

You can configure the web proxy profile with the required headers for the specific destinations, and then directly apply it to a policy to control the header's insertion.

To implement Office 365 tenant restriction, G Suite account access control, and Dropbox network access control:
  1. Configure a web proxy profile according to the vendors' specifications:

    1. Define the traffic destination (service provider).

    2. Define the header name, defined by the service provider.

    3. Define the value that will be inserted into the traffic, defined by your settings.

  2. Apply the web proxy profile to a policy.

The following example creates a web proxy profile for Office 365, G Suite, and Dropbox access control.


Due to vendors' changing requirements, this example may no longer comply with the vendors' official guidelines.

To create a web proxy profile for access control using the CLI:
  1. Configure the web proxy profile:

    config web-proxy profile
       edit "SaaS-Tenant-Restriction"
            set header-client-ip pass
            set header-via-request pass
            set header-via-response pass
            set header-x-forwarded-for pass
            set header-fro