FortiGate
vprabhu_FTNT
Staff
Article Id 192720

Description

This article helps with the configuration of SafeSearch for Google, Bing, and other search engines.
In some cases, Google does not allow deep inspection and detects it as a man-in-the-middle (MITM) attack.

Scope


FortiGate has to have an active FortiGuard web filtering license.

Solution

  1. Enable web filtering.

     Go to System -> Config -> Features and make sure that 'Web Filter' is ON. If necessary, apply the changes.

  2. Block the Adult/Mature Content category and enable Safe Search.

     Go to Security Profiles -> Web Filter and edit the default profile. Enable FortiGuard Categories.
     Select the Adult/Mature Content category and set it to 'Block'.
     Under Search Engines, select 'Enable Safe Search' and 'Search Engine Safe Search – Google, Yahoo!, Bing, Yandex'.

  3. Add web filtering to the Internet access policy.

     Go to Policy & Objects -> Policy -> IPv4 and edit the policy that allows connections from the internal network to the Internet.
     Under 'Security Profiles', enable 'Web Filter' and set it to use the default profile.

  4. Enforce Google SafeSearch for all traffic. Because Google search often uses the HTTPS protocol, web filtering alone is not able to block all adult/mature content.

     There are two methods that can be used to enforce Google SafeSearch for all traffic: using full SSL inspection so that encrypted traffic is fully inspected (which can cause certificate errors), or changing the DNS records to force search traffic to use forcesafesearch.google.com.
 
Method 1: Using full SSL inspection.
 
Go to Policy & Objects -> Policy -> IPv4 and edit the policy that allows connections from the internal network to the Internet.
Set SSL/SSH Inspection to use the deep-inspection profile.
Using the deep-inspection profile can cause certificate errors.
For information about avoiding this, see Preventing certificate warnings.
 

 
Method 2: Changing the DNS records for www.google.com.

To force Google SafeSearch for the entire network, set the DNS entry for www.google.com (and any other Google search domains, such as www.google.ca) to be a Canonical Name (CNAME) for forcesafesearch.google.com.
This will force all search traffic to use forcesafesearch.google.com.
The method for changing the DNS records using the FortiGate varies, depending on whether the FortiGate is the network’s DNS server or an external server is used.
 
FortiGate as the network’s DNS server.

Go to System -> Config -> Features and select 'Show More'.
Make sure that DNS Database is ON.
If necessary, apply the changes.
 
 
Go to System -> Dashboard -> Status and enter the following command into the CLI Console, using the internal interface:

config system dns-server
    edit internal
        set mode recursive
end
 
Go to System -> Network -> DNS Servers. The new server is listed under DNS Service on interface.
 
 
 
Under 'DNS Database', select 'Create New'.
Set the 'DNS Zone' to Google, 'Domain Name' to google.com, and disable Authoritative.
 
 
Under 'DNS Entries', select 'Create New'.
Set the 'Type' to 'Address (A)', set the 'Hostname' to 'www', and set 'IP Address' to '216.239.38.120' (the IP address of forcesafesearch.google.com).
 
 
 
 
If required, create additional DNS Database entries for other Google search domains (an entry for www.google.ca is shown above).
A list of Google search domains can be found here.
 
The network uses an external DNS server.

Using this method will make the FortiGate intercept all DNS queries.
Because all DNS traffic will be forwarded to the FortiGate internal DNS Service, there is a performance impact on the FortiGate.

Go to System -> Config -> Features and select 'Show More'. Make sure that DNS Database is ON. If necessary, apply the changes.
 
 
 
Go to System -> Network -> Interfaces and create an interface to be used for the FortiGate DNS service.
Set the 'Type' to 'Loopback Interface' and assign an IP/Network Mask (in the example, 10.10.10.10/255.255.255.255).
 
 
 
Go to System -> Dashboard -> Status and enter the following command into the CLI Console:

config system dns-server
    edit dns-loopback
        set mode recursive
end
 
Go to System -> Network -> DNS Servers. The new server is listed under 'DNS Service' on 'Interface'.
Under 'DNS Database', select 'Create New'.
 
 
Set 'DNS Zone' as 'Google', 'Domain Name' to 'google.com', and disable Authoritative.
 
 
 
Under 'DNS Entries', select 'Create New'.

Set 'Type' to 'Address (A)', set 'Hostname' to 'www', and 'IP Address' to '216.239.38.120' (the IP address of forcesafesearch.google.com).
 
 
If required, create additional DNS Database entries for other Google search domains (an entry for www.google.ca is shown).
 
 
Similarly, Safe Search for bing.com can be added with the following DNS Database entry (the address is that of Bing's SafeSearch endpoint):

config system dns-database
    edit "Bing"
        set domain "bing.com"
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "www"
                set ip 204.79.197.220
            next
        end
    next
end
 
Go to System -> Dashboard -> Status and enter the following command into the CLI Console to create a new virtual IP.
Set 'src-filter' to the IP range of the internal users (in the example, 10.10.80.2-10.10.80.100), 'extintf' to the internal interface, and 'mappedip' to the IP address of the loopback interface.

config firewall vip
    edit "dns-vip"
        set type load-balance
        set src-filter "10.10.80.2-10.10.80.100"
        set extip 0.0.0.0-239.255.255.255
        set extintf internal
        set portforward enable
        set mappedip "10.10.10.10"
        set protocol udp
        set extport 53
        set mappedport 53
        set arp-reply disable
    next
end

Go to Policy & Objects -> Policy -> IPv4 and create a policy that uses the virtual IP to intercept DNS queries.
Set the 'Incoming Interface' to the internal interface, the 'Outgoing Interface' to the loopback interface, 'Destination Address' to the virtual IP, and 'Service' to 'DNS'. Make sure NAT is disabled.
 
 
 
Select the Global View of the policy list.
Make sure that the new policy is located above the policy that allows connections from the internal network to the internet.
 
 
Results:
  • If full SSL inspection is used, go to google.com and attempt to search for adult/mature content. When the results are shown, a message appears stating that SafeSearch is turned on. This cannot be undone.
  • If Google Chrome is used for internet browsing, disable the SPDY protocol in order for SafeSearch to turn on automatically.
  • If the DNS settings are altered, go to google.com. A message at the top of the page states that the network has turned on SafeSearch.
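As an added example (not part of the Fortinet article), the following Python script renders the same 'config system dns-database' block as the Bing entry above for a list of search domains, and checks from a client behind the FortiGate that www.<domain> really resolves to the SafeSearch address, which is the DNS result described under Results. The addresses are those quoted in the article; the zone list and the injectable resolver are constructed for illustration.

```python
import socket
from typing import Callable, Dict

# Addresses quoted in the article: forcesafesearch.google.com and the Bing entry.
GOOGLE_SAFE = "216.239.38.120"
BING_SAFE = "204.79.197.220"

# Constructed zone list: domain -> address that 'www.<domain>' must resolve to.
SAFESEARCH_ZONES = {
    "google.com": GOOGLE_SAFE,
    "google.ca": GOOGLE_SAFE,
    "bing.com": BING_SAFE,
}

def dns_database_config(zones: Dict[str, str], hostname: str = "www") -> str:
    """Render one FortiOS dns-database zone per domain, in the shape of the
    article's Bing example (authoritative disabled so other names still recurse)."""
    lines = ["config system dns-database"]
    for domain, ip in sorted(zones.items()):
        lines += [
            f'    edit "{domain}"',
            f'        set domain "{domain}"',
            "        set authoritative disable",
            "        config dns-entry",
            "            edit 1",
            f'                set hostname "{hostname}"',
            f"                set ip {ip}",
            "            next",
            "        end",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)

def verify_override(zones: Dict[str, str],
                    resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, bool]:
    """Resolve www.<domain> through the client's resolver and report whether it
    lands on the SafeSearch address. 'resolve' is injectable for offline checks."""
    report = {}
    for domain, expected in zones.items():
        try:
            report[domain] = resolve(f"www.{domain}") == expected
        except OSError:  # resolver unreachable or NXDOMAIN: treat as not enforced
            report[domain] = False
    return report

if __name__ == "__main__":
    print(dns_database_config(SAFESEARCH_ZONES))
    for domain, ok in verify_override(SAFESEARCH_ZONES).items():
        print(f"{domain}: {'SafeSearch enforced' if ok else 'NOT enforced'}")
```

Run it from a client whose DNS points at the FortiGate; a domain reported as not enforced still resolves to the public search address and has bypassed the override.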
 

Note:
In recent versions, it is mandatory to block QUIC under Application Control, or to block UDP port 443, to force the communication to use TCP. This way, FortiGate will be able to inspect the packets.

Related article:

This setting is in line with Google's suggestions for enforcing SafeSearch.