carabhavi
Staff
September 17, 2009

Technical Tip: Safe Search feature in FortiOS and how to enable it


Description

 

This article describes the FortiOS 'Safe Search' feature, which forces connections to supported search engines to use the Safe Search setting of the search portal, and provides steps to enable it.


Scope


FortiGate, Safe Search, Google, Yahoo, Bing.


Solution


Safe Search is a feature of popular search sites that prevents explicit websites and images from appearing in search results. Although Safe Search is a useful tool, especially in educational environments, a resourceful user may be able to simply turn it off. Enabling Safe Search for the supported search sites enforces its use by rewriting the search URL to include the parameter that turns the Safe Search feature on.


For example, on a Google search, this means adding the string '&safe=active' to the search URL.
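The rewrite described above, modelled in Python as an added example (it is not FortiOS code and not from the original article): it forces `safe=active` on a Google search URL even when the client sent `safe=off`, and includes a check for reviewing logged URLs. The host pattern, the `/search` path test, the function names and the sample URLs are assumptions made for this sketch.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: Google search hosts look like google.<tld> or www.google.<tld>,
# including two-part TLDs such as google.co.uk.
GOOGLE_HOST = re.compile(r"(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?")


def enforce_safe_search(url: str) -> str:
    """Return the URL with safe=active forced if it is a Google search, else unchanged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not GOOGLE_HOST.fullmatch(host) or parts.path != "/search":
        return url  # not a Google search request: leave it alone
    # Drop every client-supplied 'safe' value (for example safe=off) so that the
    # enforced value is the only one left, then append safe=active.
    params = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if key.lower() != "safe"
    ]
    params.append(("safe", "active"))
    return urlunsplit(parts._replace(query=urlencode(params)))


def is_enforced(url: str) -> bool:
    """True when the URL carries exactly one 'safe' parameter and it is 'active'."""
    values = [v for k, v in parse_qsl(urlsplit(url).query) if k.lower() == "safe"]
    return values == ["active"]


# Constructed sample URLs, not taken from real traffic.
SAMPLES = [
    "https://www.google.com/search?q=test",
    "https://www.google.com/search?q=test&safe=off&hl=en",
    "https://www.google.co.uk/search?safe=off&q=a+b&safe=images",
    "https://example.com/search?q=test",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        rewritten = enforce_safe_search(sample)
        print(f"{sample}\n  -> {rewritten}  enforced={is_enforced(rewritten)}")
```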


The search sites supported are:

  • Google.
  • Yahoo.
  • Bing.
  • Yandex.

 

Enabling Safe Search in the GUI:

  1. Navigate to the FortiGate GUI -> Security Profiles -> Web Filter.
  2. Select the intended Web Filter Profile.
  3. Select Search Engines.
  4. Enable Enforce 'Safe Search' on Google, Yahoo!, Bing, and Yandex.
  5. Select Apply.

 

 
Enabling Safe Search in the CLI:
Run the following configuration in the CLI:

config webfilter profile
    edit default
        set feature-set proxy
        config web
            set safe-search <url>
        end
    next
end
 
For Google, it may be necessary to block QUIC under the application control menu, so that browsers fall back to HTTPS over TCP, which the web filter can inspect.

This enforces the use of Safe Search in traffic controlled by the firewall policies using the web filter that was configured.
 
If Safe Search is still not working as expected, use a firewall policy instead of application control to block the QUIC protocol, and place it above the firewall policy that has the Web Filter profile with Safe Search enabled.
 
config firewall service custom
    edit "QUIC"
        set udp-portrange 443
    next
end
 
config firewall policy
    edit <Policy ID>
        set name "Block QUIC"
        set srcintf "<Incoming Interface>"
        set dstintf "<Outgoing Interface>"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "QUIC"
        set logtraffic all
    next
end

Note:
The 'Safe Search' feature is only available when the Web Filter profile and the firewall policy are set to proxy-based. See the document: Inspection mode feature comparison for more information. SSL/SSH deep inspection is mandatory for safe search enforcement to work when using a Web Filter. Enable a deep inspection profile in the corresponding firewall policy. Make sure the search engine FQDN wildcard is not in the SSL Inspection exempt list. 

Alternatively, it is possible to enforce Safe Search using a DNS Filter without deep inspection. Refer to this article: Technical Tip: Configuring DNS safe search.
 