FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vprabhu_FTNT
Staff
Staff
Description
This article helps with the configuration of SafeSearch for Google and Bing, etc, search engines.
In some cases, Google does not allow deep inspection and detects it as mitm man in the middle attack.

Scope
FortiGate has to have active FortiGuard web filtering licence.

Solution
1) Enabling web filtering.

Go to System -> Config -> Features and make sure that 'Web Filter' is ON. If necessary, apply the changes. 

   


2) Blocking the Adult/Mature Content category and enabling Safe Search.

Go to Security Profiles -> Web Filter and edit the default profile. Enable FortiGuard Categories.
Select the Adult/Mature Content category and set it to 'Block'.
Under Search Engines, select 'Enable Safe Search' and 'Search Engine Safe Search – Google, Yahoo!, Bing, Yandex'.





3) Adding web filtering to the Internet access policy.

Go to Policy & Objects -> Policy -> IPv4 and edit the policy that allows connections from the internal network to the Internet.
Under 'Security Profiles', enable 'Web Filter' and set it to use the default profile.



4) Enforcing Google SafeSearch for all traffic.

Because Google search often uses the HTTPS protocol, web filtering alone is not able to block all adult/mature content.
There are two methods that can be used to enforce Google SafeSearch for all traffic: using full SSL inspection so that encrypted traffic is fully inspected (which can cause certificate errors), or changing the DNS records to force search traffic to use forcesafesearch.google.com.

Method 1: Using full SSL inspection.

Go to Policy & Objects -> Policy -> IPv4 and edit the policy that allows connections from the internal network to the Internet.
Set SSL/SSH Inspection to use the deep-inspection profile.
Using the deep-inspection profile can cause certificate errors.
For information about avoiding this, see Preventing certificate warnings.





Method 2: Changing the DNS records for www.google.com.

To force Google SafeSearch for the entire network, set the DNS entry for www.google.com (and another other Google search domains, such as www.google.ca) to be a Canonical Name (CNAME) for forcesafesearch.google.com.
This will force all search traffic to use forcesafesearch.google.com.
The method for changing the DNS records using the FortiGate varies, depending on whether the FortiGate is the network’s DNS server, or if an external server is used.

FortiGate as the network’s DNS server.

Go to System -> Config -> Features and select 'Show More'.
Make sure that DNS Database is ON.
If necessary, apply the changes.





Go to System -> Dashboard -> Status and enter the following command into the CLI Console using the internal interface:    
# config system dns-server
    edit internal
        set mode recursive
end
Go to System -> Network -> DNS Servers. The new server is listed under DNS Service on interface.



Under 'DNS Database', select 'Create New'.
Set 'DNS Zone' as Google, 'Domain Name' to google.com, and disable Authoritative.





Under 'DNS Entries', select 'Create New'.
Set 'Type' to 'Address (A)', set 'Hostname' to 'www', and 'IP Address' to '216.239.38.120' (the IP address of forcesafesearch.google.com).




If required, create additional DNS Database entries for other Google search domains (entry for www.google.ca shown).
A list of Google search domains can be found here.

The network uses an external DNS server.

Using this method will make the FortiGate intercept all DNS queries.
Because all DNS traffic will be forwarded to the FortiGate internal DNS Service, there is a performance impact on the FortiGate.

Go to System -> Config -> Features and select 'Show More'. Make sure that DNS Database is ON. If necessary, apply the changes.





Go to System -> Network -> Interfaces and create an interface to be used for the FortiGate DNS service.
Set 'Type' to 'Loopback Interface' and assign an IP/Network Mask (in the example, 10.10.10.10/255.255.255.255).





Go to System -> Dashboard -> Status and enter the following command into the CLI Console:    
# config system dns-server
    edit dns-loopback
        set mode recursive
end
Go to System -> Network -> DNS Servers. The new server is listed under 'DNS Service' on 'Interface'.
Under 'DNS Database', select 'Create New'.





Set 'DNS Zone' as 'Google', 'Domain Name' to 'google.com', and disable Authoritative.




Under 'DNS Entries', select 'Create New'.

Set 'Type' to 'Address (A)', set 'Hostname' to 'www', and 'IP Address' to '216.239.38.120' (the IP address of forcesafesearch.google.com).




If required, create additional DNS Database entries for other Google search domains (entry for www.google.ca shown).





Similarly Safe Search for bing.com can be added as below:
# config system dns-database
    edit "Bing"
        set domain "bing.com"
        set authoritative disable
        # config dns-entry
            edit 1
                set hostname "www"
                set ip 204.79.197.220
            next
        end
end
Go to System -> Dashboard -> Status and enter the following command into the CLI Console to create a new virtual IP:
Set 'src-filter' to the IP range of the internal users (in the example, 10.10.80.2-10.10.80.100), 'extintf' to the internal interface, and 'mappedip' to the IP address of the loopback interface.
# config firewall vip
    edit "dns-vip"
        set type load-balance
        set src-filter "10.10.80.2-10.10.80.100"
        set extip 0.0.0.0-239.255.255.255
        set extintf internal
        set portforward enable
        set mappedip "10.10.10.10"
        set protocol udp
        set extport 53
        set mappedport 53
        set arp-reply disable
end
Go to Policy & Objects -> Policy -> IPv4 and create a policy to use the virtual IP to intercept DNS queries.
Set the 'Incoming Interface' to the 'internal interface', the 'Outgoing Interface' to the 'loopback interface', 'Destination Address' to the 'virtual IP', and 'Service' to' DNS'. Make sure NAT is disabled.





Select the Global View of the policy list.
Make sure that the new policy is located above the policy that allows connections from the internal network to the internet.



Results.
- If full SSL inspection is used, go to google.com and attempt to search for adult/mature content. When the results are shown, a message appears stating that SafeSearch is turned on. This cannot be undone.
- If  Google Chrome for internet browsing is used, disable SPDY protocol in order for SafeSearch to turn on automatically.
- If the DNS settings are altered, go to google.com. A message at the top of the page states that the network has turned on SafeSearch.




Related Articles.
This setting is in-line with the Google suggestions to enforce safesearch as suggested below:
https://support.google.com/websearch/answer/186669?hl=en


Contributors