Fortinet

Three ways to block ChatGPT using Fortinet FortiGate

Blocking ChatGPT with Fortinet FortiGate

by

Scott Glew

ChatGPT can help with many tasks, such as researching topics quickly, providing suggestions, creating outlines, organizing your own thoughts and so much more, but it is also a fairly significant cheat code for students in classrooms who just want the answer to a question without really thinking about it themselves..

So how can schools prevent students from accessing ChatGPT? Fortunately most schools employ a security firewall with content filtering capabilities. This means that the IT team at the school can quite easily block ChatGPT at the firewall, preventing it from being accessed by student devices while they are on the school's network.

This article will take you through three different methods to block ChatGPT using Fortinet FortiGate firewalls.

The argument for blocking ChatGPT

One of the main goals of schooling is to develop young people's critical thinking and problem solving skills, and when answers are provided so easily through AI tools such as ChatGPT, what are they really learning along the way?

It's a bit like giving students a calculator and telling them they never have to learn their multiplication tables because technology has deemed that knowledge redundant. Are we developing smarter children by giving them technology that answers questions faster? Or are we taking away a critical part of the learning process?

ChatGPT is a tool, just like the calculator is a tool. It should be used to assist, but can be used to cheat.

Schools can and often do ban calculators in classrooms and exams when it is appropriate, so preventing access to ChatGPT is not unreasonable, especially when a majority of a student's school work is conducted on their computer. However, it's not without its issues.

Issues with blocking ChatGPT

Although you can block anyone going to chat.openai.com, don't forget that ChatGPT is built into Microsoft Bing, and hundreds of other AI writing assistants are popping up every day (such as Rytr, HyperWrite, ParagraphAI and WordTune). AI features have also been embedded into popular apps like Notion, and you can even install GPT add-ons in Google Sheets.

Stopping the use of AI tools in general is quickly becoming an unrealistic expectation.

Monitoring ChatGPT prompts instead

Another approach is to allow students and staff to use ChatGPT and monitor the prompts they're entering to make sure it is being used responsibly.

For more information, see my other article on how to monitor AI Prompts such as ChatGPT and Google Bard using FortiGate and Fastvue Reporter.

Three ways to block ChatGPT using Fortinet FortiGate

Nevertheless, ChatGPT is the AI tool of choice for many right now, so in this article I will take you through the following three methods of blocking ChatGPT using Fortinet FortiGate.

  1. Using a URL Filter within your Web Filter profile

  2. Using an Application Override within Application Control

  3. Using a Custom Category and Web Rating Overrides

Method 1: Blocking ChatGPT using a URL Filter

This method simply involves blocking ChatGPT's domain which is chat.openai.com. You can also block the entire openai.com domain if you want to.

To block ChatGPT by its domain:

  1. In Fortinet FortiGate, go to Security Profiles > Web Filter, and edit the Web Filter profile that is applied to policies for outbound web access for your users. If you have several Web Filter profiles for different user groups, you will need to do this for each one.

  2. Scroll down to the URL Filter section and click Create New.

  3. Enter chat.openai.com into the URL edit box.

  4. Set the type to Simple, set the Action to Block and the Status to Enable

  5. Click OK.

    Adding a URL Filter to Block ChatGPT in a Fortinet FortiGate Web Filter profile.
  6. Once added, you will see your new URL filter in the list.

    Viewing the URL filter to block Chat GPT in a Fortinet FortiGate's web filter profile.

Now try browsing to chat.openai.com and you should see the FortiGate block page:

The Fortinet FortiGate Banned URL Block Page when accessing ChatGPT

The Web Filter log will also contain these blocked URLs (Log & Report > Security Events > Logs. Select Web Filter from the dropdown.

Fortinet FortiGate's Web Filter log showing blocked ChatGPT URLs

Notice that the Category field is blank in the screenshot above. When you block a site using a URL filter, matching traffic will not pass through other firewall features such as URL categorization, for performance reasons.

You'll also see these block events in the Blocked Traffic > Blocked Sites section in Fastvue Reporter's IT Network and Security report.

Blocked sites in Fastvue Reporter showing Chat GPT

Method 2: Blocking ChatGPT using Application Control

Fortinet FortiGate's application control can detect when someone is using ChatGPT by its application signature, and subsequently block access.

Fortinet FortiGate's Application Signatures for Chat GPT

To block ChatGPT using Application Control

  1. In Fortinet FortiGate, go to Security Profiles > Application Control and edit the Application Control profile that is applied to your policies for outbound web access for your users. If you have several Application Control profiles for different user groups, you will need to do this for each one.

  2. In the Application and Filter Overrides section, click Create New.

  3. Make sure the Action is set to Block and then search for ChatGPT (no spaces).

  4. Click Add All Results to add all of the returned ChatGPT signatures and click OK. Note that it is also possible to only block ChatGPT Posts using the OpenAI.ChatGPT_Post signature, but otherwise let people login and look around ChatGPT.

    Adding an Application Override to Block Chat GPT in Fortinet FortiGate
  5. Once added, you will see your new Application Override in the list.

    Fortinet FortiGate's Application Overrides showing Chat GPT

Now try browsing to chat.openai.com and you should see a browser timeout error:

Browser time out error when blocking Chat GPT using Fortinet FortiGate's Application Control

The Application Control log will also contain these blocked Applications (Log & Report > Security Events > Logs. Select Application Control from the dropdown)

Fortinet FortiGate's Application Control Log showing ChatGPT Blocks

You'll also see these block events in the Blocked Traffic > Blocked Applications section in Fastvue Reporter's IT Network and Security report.

Blocked Applications in Fastvue Reporter showing ChatGPT

Method 3: Blocking ChatGPT using a Custom Category and Web Rating Overrides

The above two methods work fine, however you may have a range of websites in addition to ChatGPT (such as Google Bard) that you want to block and adding URL Filters or Application Overrides for each one can become time consuming and difficult to manage.

Fortinet FortiGate overcomes this by allowing you to create a Custom Category that you can add these AI URLs to, and then simply block the category in your Web Filter profiles.

Update: Fortinet added a new URL category called Artificial Intelligence Technology that can be used instead of creating a custom category as described below. This was introduced in FortiOS 7.2.8 (see FortiOS 7.2.8 release notes).

For more information on blocking the Artificial Intelligence Technology category in your Web Filter policies, see Add FortiGuard web filter categories for AI and cryptocurrency

First create a custom category. To do this:

  1. Go to Security Profiles > Web Rating Overrides and click the Custom Categories button.

  2. Click the Create New button and name the new custom category AI Tools (for example) and make sure it is set to Enable.

    Create a new custom category called Blocked URLs in Fortinet FortiGate
  3. Go back to Security Profiles > Web Rating Overrides and click Create New to add a new Web Rating Override.

  4. Enter chat.openai.com into the URL edit box and click Lookup rating. You'll see that the site is currently categorised as General Interest - Business, and the Sub-Category is Information Technology. As it is unlikely you want to block these categories, let's next assign chat.openai.com to our new AI Tools category.

  5. In the Override to section, select Custom Categories as the Category, and your new AI Tools category as the Sub-Category and click OK.

Now that you have added a custom category and added chat.openai.com to that category, you can block the AI Tools custom category in your Web Filter profile(s).

To do this:

  1. Go to Security Profiles > Web Filter, and edit the Web Filter profile that is applied to outbound web access policies. If you have several Web Filter profiles for different user groups, you will need to do this for each one.

  2. In the FortiGuard Category Based Filter section, you will see your AI Tools category under the Local Categories section. Select it, and then click the Block button on the toolbar. Save your changes.

    Blocking Chat GPT using a custom category in Fortinet FortiGate

Now try browsing to chat.openai.com and you should see the FortiGate block page that presents the AI Tools custom category as the reason.

Fortinet FortiGate's Block Page showing the custom AI Tools category

Summary

Above are the three main ways of blocking sites such as ChatGPT in Fortinet FortiGate: from a simple URL filter, to using Application Control, as well as using a Custom Category to group all your blocked AI Tools in one place.

The method with the least impact on FortiGate's performance will be the URL Filter, followed by the Custom Category / Web Rating Override option, and finally Application Control.

As discussed above, blocking ChatGPT is like playing a game of whac-a-mole with other AI tools and ChatGPT integrations popping up in hundreds of other applications every day.

So you may want to consider another approach — allowing your students and staff to embrace the benefits of AI and simply monitoring their AI prompts to make sure ChatGPT is being used responsibly.

Try Reporter for FortiGate free, or learn more

  • Share this story
    facebook
    twitter
    linkedIn