Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • GCP Administration Guide

    Home FortiGate Public Cloud 7.4.0 GCP Administration Guide
    7.4.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Organization restrictions

    Organization restrictions

    FortiGate-VM on GCP supports the organization restrictions feature. This guide is a walkthrough of how to configure FortiGate as a proxy and create the header insertion to use this GCP feature.

    This guide assumes that your GCP environment has existing networks and resources.

    The following provides an overview of using this feature with FortiGate-VM:

    • Customer GCP organization ID is required. For information about finding your organization ID from a project ID, see gcloud projects get-ancestors.

    • You must set the FortiGate public IP address as the proxy server on the client web browser.

    • The FortiGate-VM on GCP (proxy and header insertion) receives and processes the HTTP request.

    • The FortiGate proxy firewall policy allows or denies GCP resource access based on header X-Goog-Allowed-Resources content of your organization ID in Base64 encoding.

    For information about GCP organization restriction, see Introduction to organization restrictions.

    To configure the FortiGate-VM with organization restrictions:
    1. On the FortiGate, enable web proxy:
      1. Go to Network > Explicit Proxy.
      2. Enable Explicit Web Proxy.
      3. Configure the proxy HTTP and HTTPS ports as desired. This example sets them to 8080.

      4. Create address objects specifying allowed GCP endpoints. You will use the address objects in the web proxy profile header and the proxy policy configuration:

        config firewall address

        edit allow_gcp_api_addr_obj

        set type fqdn

        set fqdn *.googleapis.com

        next

        end

        config firewall address

        edit allow_gcp_com_addr_obj

        set type fqdn

        set fqdn *.google.com

        next

        end

        config firewall address

        edit allow_gstatic_addr_obj

        set type fqdn

        set fqdn www.gstatic.com

        next

        end

        Note

        You may need more address objects for other Google services. You must add these address objects to the proxy header configuration and the proxy policy as destination addresses:

        • *.gcr.io
        • *.pkg.dev
        • *.cloudfunctions.net
        • *.run.app
        • *.tunnel.cloudproxy.app
        • *.datafusion.googleusercontent.com
    2. Configure the web proxy profile:

      config web-proxy profile

      edit gcp-org-restrict-profile

      config headers

      edit 1

      set name X-Goog-Allowed-Resources

      set dstaddr allow_gcp_api_addr_obj allow_gcp_com_addr_obj allow_gstatic_addr_obj

      set action add-to-request

      set content "{"resources": ["organizations/<Customer Org ID>"],"options": "strict"}"

      set base64-encoding enable

      set add-option new

      set protocol http https

      end

      end

    3. Configure the proxy policy:
      Caution

      This is an example policy. Do not use it in a production environment.

      config firewall proxy-policy
    edit 1
        set name "gcp_restriction_policy"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "allow_gcp_api_addr_obj" "allow_gcp_com_addr_obj" “allow_gstatic_addr_obj”
        set service "webproxy"
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set action accept
        set status enable
        set schedule "always"
        set logtraffic utm
        set webproxy-forward-server ''
        set webproxy-profile gcp-org-restrict-profile 
        set transparent disable
        set disclaimer disable
        set utm-status disable
        set profile-protocol-options "default"
        set ssl-ssh-profile "no-inspection"
        set replacemsg-override-group ''
        set logtraffic-start disable
        set comments ''
    next
end

      While a workstation is configured to use the FortiGate as a proxy, the web browser is allowed access to resources in the organization:

      The policy on the FortiGate proxy stops access to any other resources outside of the GCP organization:

    Previous
    Next

    Organization restrictions

    Organization restrictions

    FortiGate-VM on GCP supports the organization restrictions feature. This guide is a walkthrough of how to configure FortiGate as a proxy and create the header insertion to use this GCP feature.

    This guide assumes that your GCP environment has existing networks and resources.

    The following provides an overview of using this feature with FortiGate-VM:

    • Customer GCP organization ID is required. For information about finding your organization ID from a project ID, see gcloud projects get-ancestors.

    • You must set the FortiGate public IP address as the proxy server on the client web browser.

    • The FortiGate-VM on GCP (proxy and header insertion) receives and processes the HTTP request.

    • The FortiGate proxy firewall policy allows or denies GCP resource access based on header X-Goog-Allowed-Resources content of your organization ID in Base64 encoding.

    For information about GCP organization restriction, see Introduction to organization restrictions.

    To configure the FortiGate-VM with organization restrictions:
    1. On the FortiGate, enable web proxy:
      1. Go to Network > Explicit Proxy.
      2. Enable Explicit Web Proxy.
      3. Configure the proxy HTTP and HTTPS ports as desired. This example sets them to 8080.

      4. Create address objects specifying allowed GCP endpoints. You will use the address objects in the web proxy profile header and the proxy policy configuration:

        config firewall address

        edit allow_gcp_api_addr_obj

        set type fqdn

        set fqdn *.googleapis.com

        next

        end

        config firewall address

        edit allow_gcp_com_addr_obj

        set type fqdn

        set fqdn *.google.com

        next

        end

        config firewall address

        edit allow_gstatic_addr_obj

        set type fqdn

        set fqdn www.gstatic.com

        next

        end

        Note

        You may need more address objects for other Google services. You must add these address objects to the proxy header configuration and the proxy policy as destination addresses:

        • *.gcr.io
        • *.pkg.dev
        • *.cloudfunctions.net
        • *.run.app
        • *.tunnel.cloudproxy.app
        • *.datafusion.googleusercontent.com
    2. Configure the web proxy profile:

      config web-proxy profile

      edit gcp-org-restrict-profile

      config headers

      edit 1

      set name X-Goog-Allowed-Resources

      set dstaddr allow_gcp_api_addr_obj allow_gcp_com_addr_obj allow_gstatic_addr_obj

      set action add-to-request

      set content "{"resources": ["organizations/<Customer Org ID>"],"options": "strict"}"

      set base64-encoding enable

      set add-option new

      set protocol http https

      end

      end

    3. Configure the proxy policy:
      Caution

      This is an example policy. Do not use it in a production environment.

      config firewall proxy-policy
    edit 1
        set name "gcp_restriction_policy"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "allow_gcp_api_addr_obj" "allow_gcp_com_addr_obj" “allow_gstatic_addr_obj”
        set service "webproxy"
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set action accept
        set status enable
        set schedule "always"
        set logtraffic utm
        set webproxy-forward-server ''
        set webproxy-profile gcp-org-restrict-profile 
        set transparent disable
        set disclaimer disable
        set utm-status disable
        set profile-protocol-options "default"
        set ssl-ssh-profile "no-inspection"
        set replacemsg-override-group ''
        set logtraffic-start disable
        set comments ''
    next
end

      While a workstation is configured to use the FortiGate as a proxy, the web browser is allowed access to resources in the organization:

      The policy on the FortiGate proxy stops access to any other resources outside of the GCP organization:

    Previous
    Next