Block all traffic except gmail.

Hi,

do you mean you only want people to access gmail and nothing else on the internet?

Ian

Yes!!

Hi,

are your gmail accounts web based or application based?

How do you manage software updates to your machines?

Ian

I want each and everything to block even it's a software update. Gmail is web based

Hi, the rule will look a bit like this

source LAN network any

destination WAN network *.gmail.com

protocol https http

scan http, ftp, block QUIC

log

IPS LAN to WAN

WEB - allow

application - Allow

The application and web can be tuned later if need be. MASQ How do you plan to handle the websites contained within mail messages?

Ian

I doubt that you will have much success with this. Neither allowing access to *.gmail.com will work, because Gmail is hosted on many different domain names (none of which is gmail.com, by the way), nor did you put a rule in that would block the rest (everything but gmail). 

I would rather use Application Filtering here. E.g. have an App Filter profile that only allows Gmail (which exists as an App in the database) and then add a second rule below that denies any any all. 

I doubt that you will have much success with this. Neither allowing access to *.gmail.com will work, because Gmail is hosted on many different domain names (none of which is gmail.com, by the way), nor did you put a rule in that would block the rest (everything but gmail). 

I would rather use Application Filtering here. E.g. have an App Filter profile that only allows Gmail (which exists as an App in the database) and then add a second rule below that denies any any all. 

Hi,

while you might be correct about gmail.com, you do not require a block rule. By default XG blocks all traffic until you create an allow rule.

Instead of *.gmail.com use smtp.gmail.com and imap.gmail.com.

Ian

another thought, try accounts.google.com. The urls I posted above only work if you have a mail client.

Easiest way to do this is with a firewall rule that only allows port 80/443.

Then open up developer tools of your browser and check what domains gmail uses. Add these to a whitelist and block all other traffic. 

That is actually not the easiest method as it is unreliable and needs constant attention (updating it every time Google adds new URLs, which is quite common). 

The easiest, most reliable option is to use Application Filtering. Sophos are doing the work for you. App Filtering is able to detect Gmail in your traffic, no matter the URL. Create an App Filter profile with two rules. One rule denies everything, and another rule using a smart filter with the word "gmail" and set that to allow. Put that app filter profile in a firewall rule and you're all set. 

Since we're using a smart filter here, the filter will automatically update when new application signatures containing the words "gmail" are made available. 

You probably won't have to touch that rule ever again after setting it once.