2021 update: here, we've all got rid of WhatsApp universally and with absolutely no regrets at all. We really think you shall do that too !!! There's plenty of cool, nice to you, not spying upon you alternative options !!! https://www.securemessagingapps.com/
As I'm not the only one behind those FortiGates around here, when something isn't behaving as it's supposed to, I'm rapidly made aware of it =)
WhatsApp, ahh good god, controlling WhatsApp is a nightmare, that app goes anywhere, pretty much.. Facebook, WhatsApp backend of course but many other destinations are needed as well.
So, here is my WhatsApp firewall policy, I'm indeed allowing WhatsApp to go anywhere, although I'm making sure that on the Application Control profile, the only allowed application set here is WhatsApp itself.
Here is how this Application Control Security Profile is setup:
Aside of the application control security profile, I'm also restricting the possible services ports and here is a view of my WhatsApp services object:
A text version for your convenience.
config firewall service custom edit "WhatsApp" set category "VoIP, Messaging & Other Applications" set tcp-portrange 4244 5222 5223 5228 5229 5230 5242 set udp-portrange 3478 45395 next end
Et voilà, everybody is happily receiving notifications, VoIP calls and so on..