Description
This article describes how to configure SafeSearch enforcement for Google, Bing, and other search engines.
In some cases, Google does not allow deep SSL inspection and treats it as a man-in-the-middle attack.
Scope
FortiGate has to have an active FortiGuard web filtering license.
Solution
- Enable web filtering. Go to System -> Feature Visibility and make sure that 'Web Filter' is ON. If necessary, apply the changes.
- Block the Adult/Mature Content category and enable Safe Search. Go to Security Profiles -> Web Filter and edit the default profile. Enable FortiGuard Categories. Select the Adult/Mature Content category and set it to 'Block'. Under Search Engines, select 'Enable Safe Search' and 'Search Engine Safe Search – Google, Yahoo!, Bing, Yandex'.
- Add web filtering to the Internet access policy. Go to Policy & Objects -> Policy -> IPv4 and edit the policy that allows connections from the internal network to the Internet. Under 'Security Profiles', enable 'Web Filter' and set it to use the default profile.
- Enforce Google SafeSearch for all traffic. Because Google search often uses the HTTPS protocol, web filtering alone is not able to block all adult/mature content. Two methods can be used to enforce Google SafeSearch for all traffic: using full SSL inspection so that encrypted traffic is fully inspected (which can cause certificate errors), or changing the DNS records to force search traffic to use forcesafesearch.google.com.
Method 1: Using full SSL inspection.
Go to Policy & Objects -> Policy -> IPv4 and edit the policy that allows connections from the internal network to the Internet. Set SSL/SSH Inspection to use the deep-inspection profile. Using the deep-inspection profile can cause certificate errors. For information about avoiding this, see Preventing certificate warnings.
Method 2: Changing the DNS records for www.google.com.
To force Google SafeSearch for the entire network, set the DNS entry for www.google.com (and other Google search domains, such as www.google.ca) to be a Canonical Name (CNAME) for forcesafesearch.google.com. This will force all search traffic to use forcesafesearch.google.com.
The method for changing the DNS records using the FortiGate varies, depending on whether the FortiGate is the network’s DNS server or an external server is used.
FortiGate as the network’s DNS server.
Go to System -> Config -> Features and select 'Show More'. Make sure that the DNS Database is ON. If necessary, apply the changes.
Go to System -> Dashboard -> Status and enter the following commands into the CLI Console to enable the recursive DNS service on the internal interface:
config system dns-server
    edit internal
        set mode recursive
end
Go to System -> Network -> DNS Servers. The new server is listed under DNS Service on the interface. Under 'DNS Database', select 'Create New'.
Set the 'DNS Zone' to Google, 'Domain Name' to google.com, and disable Authoritative.
Under 'DNS Entries', select 'Create New'. Set the 'Type' to 'Address (A)', set the 'Hostname' to 'www', and set the 'IP Address' to '216.239.38.120' (the IP address of forcesafesearch.google.com).
If required, create additional DNS Database entries for other Google search domains (for example, an entry for www.google.ca).
A list of Google search domains is provided in the attached PDF, Google_SafeSearch_DNS_Database.pdf.
The network uses an external DNS server.
Using this method will make the FortiGate intercept all DNS queries.
Because all DNS traffic will be forwarded to the FortiGate internal DNS Service, there is a performance impact on the FortiGate.
Go to System -> Config -> Features and select 'Show More'. Make sure that the DNS Database is ON. If necessary, apply the changes.
Go to System -> Network -> Interfaces and create an interface to be used for the FortiGate DNS service.
Set the 'Type' to 'Loopback Interface' and assign an IP/Network Mask (in the example, 10.10.10.10/255.255.255.255).
Go to System -> Dashboard -> Status and enter the following commands into the CLI Console to enable the recursive DNS service on the loopback interface:
config system dns-server
    edit dns-loopback
        set mode recursive
end
Go to System -> Network -> DNS Servers. The new server is listed under 'DNS Service' on 'Interface'.
Under 'DNS Database', select 'Create New'.
Set 'DNS Zone' as 'Google', 'Domain Name' to 'google.com', and disable Authoritative.
Under 'DNS Entries', select 'Create New'.
Set 'Type' to 'Address (A)', set 'Hostname' to 'www', and 'IP Address' to '216.239.38.120' (the IP address of forcesafesearch.google.com).
If required, create additional DNS Database entries for other Google search domains (for example, an entry for www.google.ca).
Similarly, SafeSearch for bing.com can be added from the CLI as follows:
config system dns-database
    edit "Bing"
        set domain "bing.com"
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "www"
                set ip 204.79.197.220
            next
        end
end
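The article asks for one DNS Database zone per search domain, each built by hand in the same shape as the Bing block above. The following added example (not code from the article or from Fortinet) renders that block for a list of domains and also predicts what the FortiGate DNS service should answer for a given name, which is useful when checking the setup with a resolver query. The IP addresses are the ones the article gives; the zone list is a constructed sample, not the full list from the attached PDF.

```python
# Added example, not code from the Fortinet article: render the
# "config system dns-database" block the article enters by hand, one
# non-authoritative zone per search domain with 'www' pointed at the
# SafeSearch address. IPs are the article's; the zone list is a constructed sample.

FORCESAFESEARCH_GOOGLE_IP = "216.239.38.120"  # forcesafesearch.google.com (article)
BING_SAFESEARCH_IP = "204.79.197.220"         # www.bing.com override (article)

# Constructed sample: zone name -> (domain, IP answered for host 'www')
SAFESEARCH_ZONES = {
    "Google": ("google.com", FORCESAFESEARCH_GOOGLE_IP),
    "Google-CA": ("google.ca", FORCESAFESEARCH_GOOGLE_IP),
    "Bing": ("bing.com", BING_SAFESEARCH_IP),
}

def is_ipv4(ip):
    """Accept only a plain dotted quad so a typo cannot reach the config."""
    parts = ip.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def render_dns_database(zones):
    """FortiOS CLI block in the same shape as the article's Bing example."""
    lines = ["config system dns-database"]
    for zone, (domain, ip) in zones.items():
        if not is_ipv4(ip):
            raise ValueError("bad IPv4 for zone %s: %r" % (zone, ip))
        lines += [
            '    edit "%s"' % zone,
            '        set domain "%s"' % domain,
            "        set authoritative disable",
            "        config dns-entry",
            "            edit 1",
            '                set hostname "www"',
            "                set ip %s" % ip,
            "            next",
            "        end",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)

def expected_answer(fqdn, zones=SAFESEARCH_ZONES):
    """IP the FortiGate DNS service should return for fqdn, or None when the
    name is not overridden: the zones are non-authoritative, so only 'www'
    is rewritten and other hosts (e.g. mail.google.com) are forwarded upstream."""
    host, _, domain = fqdn.lower().rstrip(".").partition(".")
    for zone_domain, ip in zones.values():
        if domain == zone_domain and host == "www":
            return ip
    return None
```

Paste the output of render_dns_database into the CLI Console, then compare a resolver query for each www host against expected_answer to confirm the override is answered by the FortiGate.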
Enter the following commands into the CLI Console to create a new virtual IP.
Set 'src-filter' to the IP range of the internal users (in the example, 10.10.80.2-10.10.80.100), 'extintf' to the internal interface, and 'mappedip' to the IP address of the loopback interface. Make sure to use the command 'set arp-reply disable' and 'set type load-balance'.
config firewall vip
    edit "dns-vip"
        set type load-balance
        set src-filter "10.10.80.2-10.10.80.100"
        set extip 0.0.0.0-239.255.255.255
        set extintf port2
        set portforward enable
        set mappedip "10.10.10.10"
        set protocol udp
        set extport 53
        set mappedport 53
        set arp-reply disable
end
Go to Policy & Objects -> Policy -> IPv4 and create a policy to use the virtual IP to intercept DNS queries.
Set the 'Incoming Interface' to the internal interface, the 'Outgoing Interface' to the loopback interface, the 'Destination Address' to the virtual IP, and the 'Service' to 'DNS'. Make sure NAT is disabled.
Select the Global View of the policy list.
Make sure that the new policy is located above the policy that allows connections from the internal network to the internet.
Results
- If full SSL inspection is used, go to google.com and attempt to search for adult/mature content. When the results are shown, a message appears stating that SafeSearch is turned on, and the user cannot turn it off.
- If Google Chrome is used for browsing, disable the SPDY protocol so that SafeSearch turns on automatically.
- If the DNS settings are altered, go to google.com. A message at the top of the page states that the network has turned on SafeSearch.
Note:
In recent versions, it is mandatory to block QUIC, either under Application Control or by blocking UDP port 443, so that browsers fall back to TCP. Only then is the FortiGate able to inspect the packets.