Restricted SaaS access (Office 365, G Suite, Dropbox)

With the web proxy profile, you can specify access permissions for Microsoft Office 365, Google G Suite, and Dropbox. You can insert the vendor-defined HTTP request headers that restrict which accounts (tenants, domains, or teams) users on your network can sign in to. You can also insert custom headers for any destination.

You configure the web proxy profile with the required headers for each destination, and then apply it directly to a firewall policy, which controls which traffic the headers are inserted into.

To implement Office 365 tenant restriction, G Suite account access control, and Dropbox network access control:
  1. Configure a web proxy profile according to the vendors' specifications:
    1. Define the traffic destination (the service provider's address object).
    2. Define the header name, exactly as specified by the service provider.
    3. Define the value to insert into the traffic (your tenant, domain, or team identifiers).
  2. Apply the web proxy profile to a policy.

The following example creates a web proxy profile for Office 365, G Suite, and Dropbox access control.

Note: Due to vendors' changing requirements, this example may no longer comply with the vendors' official guidelines.

To create a web proxy profile for access control using the CLI:
  1. Configure the web proxy profile:
    config web-proxy profile
        edit "SaaS-Tenant-Restriction"
            set header-client-ip pass
            set header-via-request pass
            set header-via-response pass
            set header-x-forwarded-for pass
            set header-front-end-https pass
            set header-x-authenticated-user pass
            set header-x-authenticated-groups pass
            set strip-encoding disable
            set log-header-change disable
            config headers
                edit 1
                    set name "Restrict-Access-To-Tenants"  <---- header name defined by the Office 365 spec; enter it exactly as shown
                    set dstaddr "Microsoft Office 365"  <---- built-in destination address for Office 365
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    set content "contoso.onmicrosoft.com,fabrikam.onmicrosoft.com"  <---- your tenant restriction (comma-separated list of allowed tenants)
                next
                edit 2
                    set name "Restrict-Access-Context"  <---- header name defined by the Office 365 spec; enter it exactly as shown
                    set dstaddr "Microsoft Office 365"  <---- built-in destination address for Office 365
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    set content "456ff232-35l2-5h23-b3b3-3236w0826f3d"  <---- your directory ID, found in the Azure portal
                next
                edit 3
                    set name "X-GooGApps-Allowed-Domains"  <---- header name defined by Google G Suite
                    set dstaddr "G Suite"  <---- built-in G Suite destination address
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    set content "abcd.com"  <---- the domain restriction chosen when you created the G Suite account
                next
                edit 4
                    set name "X-Dropbox-allowed-Team-Ids"  <---- header name defined by Dropbox
                    set dstaddr "wildcard.dropbox.com"  <---- built-in destination address for Dropbox
                    set action add-to-request
                    set base64-encoding disable
                    set add-option new
                    set protocol https http
                    set content "dbmid:FDFSVF-DFSDF"  <---- your team ID in Dropbox
                next
            end
        next
    end
  2. Apply the web proxy profile to a firewall policy. The policy uses proxy-based inspection together with an SSL/SSH inspection profile: the headers can only be inserted into HTTPS requests that the FortiGate decrypts, so if the SaaS traffic is not decrypted, the restriction is not enforced:
    config firewall policy
        edit 1
            set name "WF"
            set uuid 09928b08-ce46-51e7-bd95-422d8fe4f200
            set srcintf "port10" "wifi"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set webproxy-profile "SaaS-Tenant-Restriction"
            set utm-status enable
            set utm-inspection-mode proxy
            set logtraffic all
            set webfilter-profile "blocktest2"
            set application-list "g-default"
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "protocols"
            set nat enable
        next
    end
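The following is an added example, not FortiGate code or part of the cookbook: a constructed Python model of the header table above, showing which headers the profile adds to a given request (destination match, protocol filter, base64 option, add-option) and a check that reports headers the profile should have inserted but did not, which is what you would look for in a capture behind the proxy when the SaaS restriction is not taking effect. The hostnames in the destination groups are assumptions standing in for the built-in address objects, and the add-option semantics are modelled as "new" always adds a header line, "append" extends an existing value, and "new-on-not-found" adds only when the header is absent.

```python
"""Model of web-proxy header insertion for SaaS tenant restriction.

Constructed example, not FortiGate code. DSTADDR stands in for the built-in
destination address objects; the hostnames are assumptions for illustration.
"""
import base64
import fnmatch
from dataclasses import dataclass
from typing import List, Tuple

# Ordered (name, value) pairs; header names are case-insensitive.
Headers = List[Tuple[str, str]]

# Constructed stand-ins for the built-in destination address objects.
DSTADDR = {
    "Microsoft Office 365": ["login.microsoftonline.com", "outlook.office365.com", "*.sharepoint.com"],
    "G Suite": ["accounts.google.com", "mail.google.com", "drive.google.com"],
    "wildcard.dropbox.com": ["dropbox.com", "*.dropbox.com"],
}


@dataclass
class HeaderRule:
    name: str                      # header name exactly as the vendor defines it
    dstaddr: str                   # destination address object the rule applies to
    content: str                   # value inserted into the request
    action: str = "add-to-request"
    protocol: Tuple[str, ...] = ("https", "http")
    base64_encoding: bool = False
    add_option: str = "new"        # "new", "append" or "new-on-not-found" (modelled semantics)


# The four header entries from the cookbook profile, transcribed as rules.
PROFILE = [
    HeaderRule("Restrict-Access-To-Tenants", "Microsoft Office 365",
               "contoso.onmicrosoft.com,fabrikam.onmicrosoft.com"),
    HeaderRule("Restrict-Access-Context", "Microsoft Office 365",
               "456ff232-35l2-5h23-b3b3-3236w0826f3d"),
    HeaderRule("X-GooGApps-Allowed-Domains", "G Suite", "abcd.com"),
    HeaderRule("X-Dropbox-allowed-Team-Ids", "wildcard.dropbox.com", "dbmid:FDFSVF-DFSDF"),
]


def host_matches(host: str, dstaddr: str) -> bool:
    """True if the request host falls inside the named destination address object."""
    patterns = DSTADDR.get(dstaddr, [dstaddr])
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in patterns)


def apply_profile(scheme: str, host: str, headers: Headers, profile=PROFILE) -> Headers:
    """Return the request headers after the proxy profile has been applied."""
    out = list(headers)
    for rule in profile:
        if rule.action != "add-to-request" or scheme not in rule.protocol:
            continue
        if not host_matches(host, rule.dstaddr):
            continue
        value = rule.content
        if rule.base64_encoding:
            value = base64.b64encode(value.encode()).decode()
        existing = [i for i, (n, _) in enumerate(out) if n.lower() == rule.name.lower()]
        if rule.add_option == "append" and existing:
            i = existing[0]
            out[i] = (out[i][0], out[i][1] + "," + value)   # extend the existing value
        elif rule.add_option == "new-on-not-found" and existing:
            continue                                         # header already present: leave it
        else:
            out.append((rule.name, value))                   # "new": always add a header line
    return out


def missing_headers(scheme: str, host: str, headers: Headers, profile=PROFILE) -> List[str]:
    """Names of headers the profile should have inserted for this request but that
    are absent, e.g. because the policy did not decrypt the HTTPS session."""
    present = {n.lower() for n, _ in headers}
    return [r.name for r in profile
            if r.action == "add-to-request" and scheme in r.protocol
            and host_matches(host, r.dstaddr) and r.name.lower() not in present]


if __name__ == "__main__":
    # Constructed sample request to the Office 365 sign-in endpoint.
    req = [("Host", "login.microsoftonline.com"), ("User-Agent", "constructed-client/1.0")]
    for name, value in apply_profile("https", "login.microsoftonline.com", req):
        print(f"{name}: {value}")
```

Run it to see the two Office 365 restriction headers appended to the sample request; `missing_headers` run over headers captured downstream of the FortiGate tells you which vendor header did not make it into the request for a given destination.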
