kmohan
Staff
Article Id 273376
Description

This article describes how to restrict personal Gmail accounts and allow only Google accounts from specific email domains.

Scope

FortiGate.
Solution

Requirement:

The firewall/policy has to be in Proxy-based inspection mode.

 

How it works:

 

The firewall will inject the HTTP header X-GoogApps-Allowed-Domains.

It is also possible to inject multiple domains via the X-GoogApps-Allowed-Domains header.

 

Firewall Configuration:

Follow the article below:

Technical Tip: Restrict Google account usage to specific domains

 

Once the specific email domains are configured on the Web Filter, the firewall injects the following configuration, visible on the CLI:

 

config web-proxy profile
    edit "Auto-web-proxy-profile_iwd4cg3tf"
        config headers
            edit 1
                set name "X-GoogApps-Allowed-Domains"
                set content "abc.com, xyz.com" <----- The company domain hosted in Google mail services.
            next
        end
    next
end


Once the web-proxy profile has been created on the CLI, add it to the firewall policy (ID: XXX):


config firewall policy
    edit xx
        set webproxy-profile "added name" <----- Auto-web-proxy-profile_iwd4cg3tf.
    next
end


From the GUI, go to Security Profiles -> SSL/SSH Inspection -> Custom SSL deep inspection or custom-deep-inspection.
 

  1. Remove all Google-related entries under Exempt from SSL Inspection.

 

  2. Once the Google-related entries have been removed from SSL/SSH Inspection on custom-deep-inspection, download the CA certificate and install it on the client's PC under the trusted root certificates.
  3. Now try to access personal Gmail: access will be restricted, and only accounts from the specific domains will have access.
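
To check a configuration backup against the prerequisites above, the following added example (not Fortinet's code and not part of the original article) parses the config text, lists the domains set in the X-GoogApps-Allowed-Domains header, and flags any policy that uses the profile without proxy-based inspection or without an SSL inspection profile capable of deep inspection. It assumes the policy keys inspection-mode and ssl-ssh-profile appear in the backup as shown, and that an absent inspection-mode means flow-based; the sample config, including policy IDs 10 and 11, is constructed.

```python
import shlex

def parse(text):  # FortiOS config text -> nested dicts (config > edit > set)
    stack = [{}]
    for line in text.splitlines():
        tok = shlex.split(line.split("<-----")[0]) or [""]  # drop KB-style annotations
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def audit(text):  # -> ({profile: [allowed domains]}, [(policy id, finding), ...])
    cfg, allowed, findings = parse(text), {}, []
    for name, prof in cfg.get("web-proxy profile", {}).items():
        for hdr in prof.get("headers", {}).values():
            if hdr.get("name") == "X-GoogApps-Allowed-Domains":
                allowed[name] = [d.strip() for d in hdr.get("content", "").split(",") if d.strip()]
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("webproxy-profile") in allowed:  # this policy injects the header
            if pol.get("inspection-mode") != "proxy":  # assumption: absent means flow-based
                findings.append((pid, "not in proxy-based inspection mode"))
            if pol.get("ssl-ssh-profile") in (None, "no-inspection", "certificate-inspection"):
                findings.append((pid, "no deep SSL inspection profile"))
    return allowed, findings

# Constructed sample: policy 10 meets both prerequisites, policy 11 meets neither.
SAMPLE = """config web-proxy profile
    edit "Auto-web-proxy-profile_iwd4cg3tf"
        config headers
            edit 1
                set name "X-GoogApps-Allowed-Domains"
                set content "abc.com, xyz.com"
            next
        end
    next
end
config firewall policy
    edit 10
        set inspection-mode proxy
        set ssl-ssh-profile "custom-deep-inspection"
        set webproxy-profile "Auto-web-proxy-profile_iwd4cg3tf"
    next
    edit 11
        set webproxy-profile "Auto-web-proxy-profile_iwd4cg3tf"
    next
end"""
print(audit(SAMPLE))
```

A custom SSL inspection profile cannot be judged by its name, so the script only flags the built-in non-deep profiles; the profile itself still has to be checked for deep inspection and for remaining Google exemptions.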