Technical Note: Blocking Google search results containing specific keywords
Description
Blocking Google search results containing specific keywords becomes necessary in some network environments where the FortiGate is being used.
This can be achieved by disabling the QUIC protocol, which forces web browsers such as Google Chrome to use TLS, and by using the data leak prevention (DLP) feature to block access to the actual search results.
Solution
Create a custom firewall service to block the QUIC protocol and force Google to use TLS v1.2 instead of QUIC. Ensure the firewall policy that blocks QUIC is above other policies:
config firewall service custom
    edit "QUIC"
        set udp-portrange 443
    next
end
config firewall policy
    edit 0
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "QUIC"
        set logtraffic all
    next
end
Create a DLP sensor with entries to block search results containing keywords (replace the test keywords "proxy" and "restricted" below with the keywords to be blocked), then apply the DLP sensor to the desired firewall policy:
config dlp sensor
    edit "content"
        config filter
            edit 1
                set proto http-get http-post
                set filter-by regexp
                set regexp "\\bproxy\\b"
                set action block
            next
            edit 2
                set proto http-get http-post
                set filter-by regexp
                set regexp "\\brestricted\\b"
                set action block
            next
        end
    next
end
config firewall policy
    edit <ID>
        set utm-status enable
        set dlp-sensor "content"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set
    next
end
SSL deep inspection must be enabled for this configuration to work.
When attempting to search Google using the configured keywords, the FortiGate will deny access and present the DLP block page.
It should be noted in this example that:
- It is necessary to manage the DLP sensor manually and add keywords as required to block the Google search results in which they are contained.
- The DLP sensor would also apply to traffic beyond just Google search results. It will apply to general web browsing and other web applications.
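The scope of the sensor can be estimated before it is applied to a policy. The following Python script is an added example, not part of the original note or Fortinet code: it runs the two sensor regexes over constructed sample requests and lists the non-Google traffic that would also be blocked. It assumes the CLI's "\\b" is an escaped "\b" (word boundary) and that Python's re module approximates the FortiGate matcher; all hosts and requests are invented.

```python
import re

# Patterns from the DLP sensor above, keyed by filter id. Assumption: the
# CLI's "\\b" is an escaped "\b"; Python's re stands in for the FortiGate engine.
SENSOR_REGEXES = {1: r"\bproxy\b", 2: r"\brestricted\b"}

# Constructed sample requests (method, host, path/query or body); not real traffic.
SAMPLE_REQUESTS = [
    ("GET", "www.google.com", "/search?q=free+proxy+list"),
    ("GET", "www.google.com", "/search?q=restricted%20area+map"),
    ("GET", "www.google.com", "/search?q=weather+today"),
    ("GET", "intranet.example", "/wiki/proxy-settings.html"),
    ("POST", "hr.example", "comment=access+is+restricted+to+staff"),
    # Plural form: "\bproxy\b" does not cover it, so it needs its own entry.
    ("GET", "docs.example", "/guide/proxies-overview"),
]


def matching_filters(text):
    """Return the ids of the sensor filters whose regexp matches text."""
    return [fid for fid, rx in SENSOR_REGEXES.items() if re.search(rx, text)]


def dry_run(requests=SAMPLE_REQUESTS):
    """Return (host, payload, matching filter ids, is_google) per request."""
    rows = []
    for _method, host, payload in requests:
        hits = matching_filters(payload)
        rows.append((host, payload, hits, host.endswith("google.com")))
    return rows


def collateral(rows):
    """Requests that would be blocked although they are not Google searches."""
    return [(host, payload) for host, payload, hits, google in rows
            if hits and not google]


if __name__ == "__main__":
    rows = dry_run()
    for host, payload, hits, _google in rows:
        verdict = "BLOCK" if hits else "pass"
        print(f"{verdict:5} filters={hits} {host} {payload}")
    print("non-Google requests blocked:", len(collateral(rows)))
```

Replacing the sample list with requests exported from the FortiGate traffic logs gives a more realistic picture of what a new keyword would block.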
Related Articles
Technical Note: Disabling / Blocking QUIC Protocol to force Google Chrome to use TLS
