How to block all internet traffic except Microsoft Services in a FortiGate Firewall?

By José C. Nieves Pérez

To block all internet traffic except Microsoft services on a FortiGate firewall, create one firewall policy that allows traffic only to the published Microsoft IP ranges and a second policy beneath it that denies everything else. FortiGate evaluates policies top-down and stops at the first match, so the order of the two policies is what makes this work. Here are the steps:

  1. Create address objects (and an address group containing them) for the Microsoft service IP ranges you want to allow. The published list is at https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide. The list changes regularly, so the objects must be kept in sync with it; FortiOS also ships Internet Service Database (ISDB) entries for Microsoft services that can be used as the destination instead of hand-maintained address objects.
  2. Create the allow policy. Go to Policy & Objects > IPv4 Policy (called Firewall Policy in newer FortiOS releases) and click Create New.
  3. In the General Settings, give the policy a name, set the Incoming Interface to your internal LAN interface and the Outgoing Interface to the WAN interface, and in the Source field select the address object for your internal subnet (or all).
  4. In the Destination field, select the Microsoft address group from step 1. Do not use all here: that would allow traffic to every destination and defeat the purpose of the policy.
  5. In the Service field, select a custom service (or the built-in HTTP/HTTPS services) covering the TCP and UDP ports required by the Microsoft services you want to allow. The ports are published per endpoint by the Office 365 IP Address and URL web service: https://docs.microsoft.com/en-us/microsoft-365/enterprise/office-365-ip-web-service?view=o365-worldwide
  6. Set the Action to Accept and set Log Allowed Traffic to All Sessions. Enable NAT if this is the LAN-to-WAN path that needs source NAT (the usual case for a single-WAN edge firewall).
  7. Create the second policy, which denies all traffic that did not match the first one. Go to Policy & Objects > IPv4 Policy and click Create New.
  8. In the General Settings, give the policy a name, set the same Incoming and Outgoing Interfaces as the allow policy, and select all in the Source field.
  9. In the Destination field, select all, so that every destination not already matched by the allow policy is covered.
  10. In the Service field, select ALL.
  11. Set the Action to Deny and enable Log Violation Traffic so that blocked connections are logged.
  12. Arrange the policies so that the allow policy is above the deny policy. The implicit deny at the bottom of the policy table already drops unmatched traffic, so the explicit deny policy mainly exists to log blocked sessions and to make the intent visible in the policy table. Remember that clients still need name resolution: if your DNS servers are outside the Microsoft ranges, they need their own allow policy (TCP/UDP 53) placed above the deny policy, and URL-only Microsoft endpoints (CDNs, for example) are not covered by an IP-based allow list.
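Because the Microsoft IP list changes and is published as JSON by the endpoints web service linked in step 5, maintaining the address objects by hand is error-prone. The following added example (not part of the original post) parses JSON in the shape that service returns, keeps only the required IPv4 entries, and emits the FortiOS CLI for the address objects, address group, custom service and the two policies described above. The interface names (internal, wan1), the LAN subnet, the object name prefix and the sample feed entries are assumptions made for the example.

```python
"""Generate FortiOS CLI objects from Microsoft 365 endpoints web service JSON.

Added example, not the author's code. The JSON shape mirrors what
https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>
returns; the entries below are a constructed subset, not the live feed.
Interface names, LAN subnet and object names are assumptions.
"""
import ipaddress
import json

# Constructed sample in the shape of the real web service output.
SAMPLE_ENDPOINTS_JSON = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "ips": ["13.107.6.152/31", "2603:1006::/40"], "tcpPorts": "80,443"},
    {"id": 11, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "ips": ["13.107.64.0/18", "52.112.0.0/14"],
     "tcpPorts": "443", "udpPorts": "3478,3479,3480,3481"},
    {"id": 47, "serviceArea": "Common", "category": "Default", "required": False,
     "ips": ["40.96.0.0/13"], "tcpPorts": "443"},          # optional endpoint
    {"id": 56, "serviceArea": "Common", "category": "Allow", "required": True,
     "urls": ["*.office.com"], "tcpPorts": "443"},         # URL-only, no IPs
])


def _port_tokens(spec):
    """Split '80,443,3478-3481' into normalised tokens; ranges stay as 'a-b'."""
    tokens = set()
    for tok in (spec or "").split(","):
        tok = tok.strip()
        if not tok:
            continue
        if "-" in tok:
            lo, hi = (int(p) for p in tok.split("-", 1))
            tokens.add("%d-%d" % (lo, hi) if lo != hi else str(lo))
        else:
            tokens.add(str(int(tok)))
    return tokens


def _sorted_ports(tokens):
    return sorted(tokens, key=lambda t: int(t.split("-")[0]))


def parse_endpoints(json_text, required_only=True):
    """Return (IPv4 networks, TCP port tokens, UDP port tokens) from the feed.

    IPv6 prefixes are skipped because the policies here are IPv4 policies.
    Entries with required=False are optional endpoints and are dropped when
    required_only is set. URL-only entries contribute ports but no addresses.
    """
    nets, tcp, udp = set(), set(), set()
    for entry in json.loads(json_text):
        if required_only and not entry.get("required", False):
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4:
                nets.add(net)
        tcp |= _port_tokens(entry.get("tcpPorts"))
        udp |= _port_tokens(entry.get("udpPorts"))
    return sorted(nets), _sorted_ports(tcp), _sorted_ports(udp)


def to_fortios(nets, tcp, udp, lan_subnet="192.168.1.0/24",
               lan_intf="internal", wan_intf="wan1", prefix="M365"):
    """Emit FortiOS CLI: addresses, one group, one service, allow then deny.

    'edit 0' lets the unit assign the next free policy ID; the accept policy
    is emitted first so it lands above the deny policy in the table.
    """
    lines, names = ["config firewall address"], []
    for i, net in enumerate(nets, 1):
        name = "%s-net-%d" % (prefix, i)
        names.append(name)
        lines += ['    edit "%s"' % name,
                  "        set subnet %s %s" % (net.network_address, net.netmask),
                  "    next"]
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    lines += ['    edit "LAN-Subnet"',
              "        set subnet %s %s" % (lan.network_address, lan.netmask),
              "    next", "end",
              "config firewall addrgrp", '    edit "%s-Allowed"' % prefix,
              "        set member " + " ".join('"%s"' % n for n in names),
              "    next", "end",
              "config firewall service custom", '    edit "%s-Ports"' % prefix]
    if tcp:
        lines.append("        set tcp-portrange " + " ".join(tcp))
    if udp:
        lines.append("        set udp-portrange " + " ".join(udp))
    lines += ["    next", "end", "config firewall policy",
              "    edit 0", '        set name "Allow-%s"' % prefix,
              '        set srcintf "%s"' % lan_intf, '        set dstintf "%s"' % wan_intf,
              '        set srcaddr "LAN-Subnet"', '        set dstaddr "%s-Allowed"' % prefix,
              "        set action accept", '        set schedule "always"',
              '        set service "%s-Ports"' % prefix, "        set logtraffic all",
              "        set nat enable",   # assumption: LAN-to-WAN path needs source NAT
              "    next",
              "    edit 0", '        set name "Deny-All-Other"',
              '        set srcintf "%s"' % lan_intf, '        set dstintf "%s"' % wan_intf,
              '        set srcaddr "all"', '        set dstaddr "all"',
              "        set action deny", '        set schedule "always"',
              '        set service "ALL"', "        set logtraffic all",
              "    next", "end"]
    return "\n".join(lines) + "\n"


def build_config(json_text, **kwargs):
    """Parse the feed and return the complete FortiOS CLI text."""
    nets, tcp, udp = parse_endpoints(json_text)
    return to_fortios(nets, tcp, udp, **kwargs)


if __name__ == "__main__":
    print(build_config(SAMPLE_ENDPOINTS_JSON))
```

Paste the output into the FortiGate CLI (or load it through the CLI console), then confirm the result with the GUI policy lookup or by watching the forward traffic log for the deny policy hits. Re-run the generator whenever Microsoft publishes a new version of the list; the feed's `required=False` and URL-only entries are deliberately excluded, so anything that depends on them (optional features, CDN-hosted content) will still be blocked by the deny policy.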
