Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aley
New Contributor

Created on ‎11-03-2017 01:44 AM

DNS Filter: Enable Safe search for Google, but don't restrict YouTube

We're using a few FortiGate 50E with FortiOS 5.6.2 and DNS filtering, which works great (properly enforces SafeSearch over SSL/TLS without requiring a local certificate to be installed).

 

However, when Safe search is enforced, YouTube restrictions must be set to "strict" or "moderate". Even moderate YouTube restriction blocks LOTS of videos that aren't in any way problematic for a school.

 

Is there a way to have Safe search enabled for search engines (Google, Bing, etc.) but not restrict YouTube?

29232
0 Kudos
1 Solution
jonathanaxford
New Contributor II
In response to lcstn

Created on ‎09-04-2019 07:08 AM

Hi all,

 

I've had confirmation from Fortinet that the DNS filter is an 'all or nothing' setting, its not possible to remove the youtube restrictions and keep the google restrictions on. The only way to cover this is to use SSL inspection and apply the requirements via a webfilter. 

 

Cheers

Jon

View solution in original post

11114
0 Kudos
11 REPLIES 11
sub7even
New Contributor II

Created on ‎11-06-2017 04:22 PM

looking forward to get updated reply from this as well..

9451
0 Kudos
gabriel
New Contributor
In response to sub7even

Created on ‎10-02-2018 10:14 AM

Hi, anyone have solved this?

9451
0 Kudos
blackhole_route
New Contributor III

Created on ‎10-13-2018 04:31 PM

It looks like this is possible at the CLI, at least on FortiOS 6.0.2. You can set safe-search enable on the dnsfilter profile, but not set youtube restricted.

config dnsfilter profile

edit profilename

set safe-search enable

unset youtube-restrict

end

 

 

Another option which requires a bit of work is to set up an internal recursive DNS server to do this. Rewrite the documented google.com domains (using something like BIND RPZ's) to forcesafesearch.google.com (https://support.google.com/websearch/answer/186669?hl=en) , and depending on internal client address, rewrite www.youtube.com (and other associated domains) to restrict.youtube.com or restrictmoderate.youtube.com. Google use to publish the list of domains to rewrite publicly but now apparently have restricted access to that information only to GSuite Admin accounts. If you need it, I can dig it up from config files I'm running currently....

9451
0 Kudos
golemb
New Contributor
In response to blackhole_route

Created on ‎10-15-2018 09:08 AM

I would love a easy built in solution for this, educational environment.   The Enforce Safe Search works great for Google / Bing search engines, users can't turn it off via the browser.   Works on every device.   My users hate it so I know its working

 

The YouTube filter is way to restrictive even on moderate, this is where the problem is for my users.   I tried the above CLI commands on one of my FortiGates firewalls as were running FortiOS 6.02.  They do execute without error in the CLI but when browsing to YouTube after making the changes via the CLI YouTube still in restricted mode.   I don't know if someone else can confirm this.

 

If there was an option via DNS filtering to leave YouTube unfiltered that would be super.   Three options for YouTube  Strict, Moderate, Unfiltered.   Could this be a feature request?

 

I have looked at the cookbook for the internal recursive DNS setup, don't really want to go down that path if I don't have too.

9451
0 Kudos
Silver
New Contributor
In response to golemb

Created on ‎05-24-2019 12:53 AM

Dear All,

anyone can help to block safe search without ssl deep inspection. but users should not be able to have the options to turn off safe search into there browsers.

 

Thanks

silver

9451
0 Kudos
jonathanaxford
New Contributor II
In response to Silver

Created on ‎08-28-2019 06:10 AM

Hi all,

 

Resurrecting this thread in the vain hope that a solution was found...

 

We are relying on the DNS Filter to force google safesearch but the youtube restrictions are killing us. We currently have no option of implementing SSL Inspection so would like to try and keep the DNS filter in place, but remove any filtering for youtube...

 

Cheers

 

Jon

9451
0 Kudos
lcstn
New Contributor
In response to jonathanaxford

Created on ‎09-04-2019 06:28 AM

Ditto here. Our school is running a 100E on 6.0.3. I'm hoping to keep this thread alive for any resolution to this issue.

9451
0 Kudos
jonathanaxford
New Contributor II
In response to lcstn

Created on ‎09-04-2019 07:08 AM

Hi all,

 

I've had confirmation from Fortinet that the DNS filter is an 'all or nothing' setting, its not possible to remove the youtube restrictions and keep the google restrictions on. The only way to cover this is to use SSL inspection and apply the requirements via a webfilter. 

 

Cheers

Jon

11115
0 Kudos
lcstn
New Contributor
In response to jonathanaxford

Created on ‎09-04-2019 07:39 AM

jonathanaxford wrote:

Hi all,

 

I've had confirmation from Fortinet that the DNS filter is an 'all or nothing' setting, its not possible to remove the youtube restrictions and keep the google restrictions on. The only way to cover this is to use SSL inspection and apply the requirements via a webfilter. 

 

Cheers

Jon

Jon, thanks for that info. At least I now have some sort of confirmation on the issue. We hope to be implementing SSL inspection in the coming months, so hopefully that'll alleviate some of my users' woes.

9451
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.