CCNA 200-301

CCNP Enterprise

CCNP Security

CCIE Enterprise Lab

CCIE Security Lab

CCNP Service Provider

CCNP Data Center

CCNP Collaboration

CCIE DC Lab

1. What “FortiGate on Chrome” Actually Means

FortiGate’s browser-side integrations come in two main flavors:

  • FortiClient Web Filter Chrome Extension (formerly “FortiProxy”) that enforces URL filtering in the browser via the FortiGuard subscription.
  • FortiGate SSL-VPN ActiveX/NW.js plugin or “chrome_extension” that allows SSL-VPN users to connect directly from Chrome without a separate client.

Both are delivered either via FortiClient EMS (Endpoint Management Server) or by end-users installing from the Chrome Web Store/portal. Disabling or removing them breaks filtering or SSL-VPN connectivity, so it’s important to understand which integration you have before proceeding.

2. End-User GUI: Disabling or Removing the Extension

If you simply want to turn off the FortiClient Web Filter in your own Chrome browser, follow these steps:

  1. Open Chrome Extensions Page
    • In the address bar type chrome://extensions and press Enter.
  2. Locate the FortiClient Web Filter Extension
    • Look for FortiClient Web Filter or FortiProxy for Chrome in the list.
  3. Toggle It Off or Remove It
    • To temporarily disable, click the blue toggle so it turns gray (extension is inactive).
    • To permanently remove, click Remove, then confirm by clicking Remove again in the dialog .
  4. Restart Chrome
    • Close all Chrome windows and reopen to ensure the extension is fully unloaded.

Result: Your browser will no longer perform DPI-based URL filtering or web-category enforcement.

3. Logging Out of a FortiGate SSL-VPN Session

If you’re connected to your organization’s FortiGate via the browser-based SSL-VPN portal, closing the extension may not terminate the active VPN session on the firewall. To fully disconnect:

  1. Access the SSL-VPN Web Portal
    • Navigate back to the VPN portal URL (e.g., https://vpn.example.com/remote).
  2. Click “Disconnect” or “Log Out”
    • On the top-right, you’ll usually see a Disconnect or Log Out button—click that.
  3. Verify on the Firewall
  • An administrator can run on the FortiGate CLI:
diagnose vpn sslvpn sessions list
  • Then remove your session with: shell
diagnose vpn sslvpn session clear <session-id>
  • This ensures no lingering tunnel remains on the appliance.

4. Enterprise-Level Controls

4.1 Disabling via FortiClient EMS

If you manage endpoints with FortiClient EMS, you can centrally turn off the Web Filter extension or prevent its installation:

  1. In the EMS console, go to Device Management → Chrome Management → App Management.
  2. Select FortiClient Chrome Web Filter Extension.
  3. Under User Settings, toggle Block Installation or Force Disable.
  4. Deploy the updated settings to your endpoint group.

4.2 Using Google Admin / Chrome Enterprise Policy

For organizations leveraging Chrome Enterprise and G Suite / Google Workspace, you can push an extension-block policy:

  1. Log in to the Google Admin console.
  2. Navigate to Devices → Chrome → Apps & Extensions → Users & Browsers.
  3. Click Add under Blocked extensions.
  4. Enter the FortiClient Web Filter’s extension ID (found on the Chrome Web Store page).
  5. Save and apply to your OU.

All managed Chrome browsers will automatically disable or uninstall the FortiClient extension on next policy refresh.

4.3 Group Policy Objects (Windows-Only)

If Chrome is managed via Active Directory, set the registry key via GPO:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlacklist]
"1"="extension_id_here"

This blacklist prevents users from installing or running the FortiClient filter extension.

5. Troubleshooting & Best Practices

  • Still See Filtering?
    • Double-check under chrome://policy to ensure no Chrome policies are re-enabling the extension.
    • Look in chrome://net-internals/#dns and clear host cache if URL filtering seems stuck.
  • Leftover Files
    • Manually remove %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<extension_id>.
  • Re-enabling Later
    • If you need filtering again, simply re-install from the Chrome Web Store or re-enable via EMS/Policy.
  • Security Implications
    • Disabling FortiClient Web Filter removes corporate URL protection—ensure end-users know when and why they’re doing this.
    • Always require SSL-VPN reconnection for remote access.
  • Automated Cleanup Script (PowerShell)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlacklist]
"1"="extension_id_here"
  • Running this script in a login script or endpoint management tool can sweep out the extension
Please follow and like us:
Tweet
fb-share-icon
Last modified: May 22, 2025

Author

Comments

Write a Reply or Comment

Your email address will not be published.