Configuring the FortiGate to allow access to Facebook
- On the FortiGate, configure firewall addresses to allow users to access the Facebook login page.
- Then go to Policy & Objects > IPv4 Policy and create a policy for Facebook authentication traffic.
- Then open the CLI Console. Using the policy's ID, enter the following command to exempt the Facebook authentication traffic policy from the captive portal:
config firewall policy
edit <policy_id>
set captive-portal-exempt enable
next
end
The following step can be performed in the GUI, but may take considerably longer than using the CLI. You can copy and paste the commands below.
Open the CLI Console and enter the following, which creates the firewall addresses and adds them to a firewall address group called Facebook_Auth.
config firewall address
edit "FB0"
set subnet 5.178.32.0 255.255.240.0
next
edit "FB1"
set subnet 195.27.154.0 255.255.255.0
next
edit "FB2"
set subnet 80.150.154.0 255.255.255.0
next
edit "FB3"
set subnet 77.67.96.0 255.255.252.0
next
edit "FB4"
set subnet 212.119.27.0 255.255.255.128
next
edit "FB5"
set subnet 2.16.0.0 255.248.0.0
next
edit "FB6"
set subnet 66.171.231.0 255.255.255.0
next
edit "FB7"
set subnet 31.13.24.0 255.255.248.0
next
edit "FB8"
set subnet 31.13.64.0 255.255.192.0
next
edit "FB9"
set subnet 23.67.246.0 255.255.255.0
next
edit "akamai-subnet-23.74.8"
set subnet 23.74.8.0 255.255.255.0
next
edit "akamai-subnet-23.74.9"
set subnet 23.74.9.0 255.255.255.0
next
edit "external.fcgrl-1.fna.fbcdn.net"
set type fqdn
set fqdn "external.fcgrl-1.fna.fbcdn.net"
next
edit "scontent.xx.fbcdn.net"
set type fqdn
set fqdn "scontent.xx.fbcdn.net"
next
edit "akamaihd.net"
set type fqdn
set fqdn "akamaihd.net"
next
edit "channel-proxy-06-frcl.facebook.com"
set type fqdn
set fqdn "channel-proxy-06-frcl.facebook.com"
next
edit "code.jquery.com"
set type fqdn
set fqdn "code.jquery.com"
next
edit "connect.facebook.com"
set type fqdn
set fqdn "connect.facebook.com"
next
edit "fbcdn-photos-c-a.akamaihd.net"
set type fqdn
set fqdn "fbcdn-photos-c-a.akamaihd.net"
next
edit "fbcdn-profile-a.akamaihd.net"
set type fqdn
set fqdn "fbcdn-profile-a.akamaihd.net"
next
edit "fbexternal-a.akamaihd.net"
set type fqdn
set fqdn "fbexternal-a.akamaihd.net"
next
edit "fbstatic-a.akamaihd.net"
set type fqdn
set fqdn "fbstatic-a.akamaihd.net"
next
edit "m.facebook.com"
set type fqdn
set fqdn "m.facebook.com"
next
edit "ogp.me"
set type fqdn
set fqdn "ogp.me"
next
edit "s-static.ak.facebook.com"
set type fqdn
set fqdn "s-static.ak.facebook.com"
next
edit "static.ak.facebook.com"
set type fqdn
set fqdn "static.ak.facebook.com"
next
edit "static.ak.fbcdn.com"
set type fqdn
set fqdn "static.ak.fbcdn.com"
next
edit "web_ext_addr_SocialWiFi"
set type fqdn
set fqdn "web_ext_addr_SocialWiFi"
next
edit "www.facebook.com"
set type fqdn
set fqdn "www.facebook.com"
next
end
config firewall addrgrp
edit "Facebook_Auth"
set member "FB0" "FB1" "FB2" "FB3" "FB4" "FB5" "FB6" "FB7" "FB8" "FB9" "akamai-subnet-23.74.8" "akamai-subnet-23.74.9" "external.fcgrl-1.fna.fbcdn.net" "scontent.xx.fbcdn.net" "akamaihd.net" "channel-proxy-06-frcl.facebook.com" "code.jquery.com" "connect.facebook.com" "fbcdn-photos-c-a.akamaihd.net" "fbcdn-profile-a.akamaihd.net" "fbexternal-a.akamaihd.net" "fbstatic-a.akamaihd.net" "m.facebook.com" "ogp.me" "s-static.ak.facebook.com" "static.ak.facebook.com" "static.ak.fbcdn.com" "web_ext_addr_SocialWiFi" "www.facebook.com" "FortiAuthenticator"
next
end
Set Incoming Interface to the WiFi SSID interface and set Source Address to all.
Set Outgoing Interface to the Internet-facing interface and set Destination Address to Facebook_Auth.
Set Service to ALL and enable NAT. Configure Security Profiles accordingly.
Once created, note the policy's ID using the ID column.
The set captive-portal-exempt enable command allows access to the external captive portal.
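A pre-paste check for the address and group block above, as an added example that is not part of the original recipe: it flags unclosed quotes and group members with no matching address object, and converts each subnet to CIDR so the size of the range exempted from the captive portal is visible. The lint function and the SAMPLE excerpt are constructed for illustration; save your own copy of the commands to a file and pass its text to lint.

```python
import ipaddress
import shlex

# Constructed sample in the style of the block above, with deliberate defects:
# an unclosed quote, a misspelled member (FBS) and a member defined elsewhere.
SAMPLE = '''\
config firewall address
edit "FB5"
set subnet 2.16.0.0 255.248.0.0
next
edit "akamaihd.net"
set type fqdn
set fqdn "akamaihd.net
next
end
config firewall addrgrp
edit "Facebook_Auth"
set member "FBS" "akamaihd.net" "FortiAuthenticator"
next
end
'''

def lint(config_text):
    """Return (problems, subnets) for a pasted FortiOS address/addrgrp block."""
    problems, subnets, defined, section, name = [], {}, set(), None, None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.count('"') % 2:                  # odd number of quotes: one is unclosed
            problems.append(f"line {lineno}: unbalanced quote: {line}")
            line += '"'                          # repair locally so parsing can continue
        words = shlex.split(line)
        if words[:2] == ["config", "firewall"]:
            section = words[2]
        elif words[:1] == ["edit"]:
            name = words[1]
            if section == "address":
                defined.add(name)
        elif words[:2] == ["set", "subnet"] and section == "address":
            subnets[name] = ipaddress.ip_network(f"{words[2]}/{words[3]}")
        elif words[:2] == ["set", "member"] and section == "addrgrp":
            for member in words[2:]:
                if member not in defined:
                    problems.append(f"line {lineno}: {name} member {member} not defined in this block")
    return problems, subnets

if __name__ == "__main__":
    problems, subnets = lint(SAMPLE)
    for name, net in subnets.items():
        print(f"{name}: {net} covers {net.num_addresses} addresses")
    print("\n".join(problems))
```

A member reported as not defined is either a typo or an object, such as FortiAuthenticator, that must already exist on the FortiGate before the group is created. Because the policy uses Service ALL with these destinations, every address in the listed subnets is reachable before authentication, so review the larger ranges against what the login page actually needs.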