Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aley
New Contributor

DNS Filter: Enable Safe search for Google, but don't restrict YouTube

We're using a few FortiGate 50E with FortiOS 5.6.2 and DNS filtering, which works great (properly enforces SafeSearch over SSL/TLS without requiring a local certificate to be installed).

 

However, when Safe search is enforced, YouTube restrictions must be set to "strict" or "moderate". Even moderate YouTube restriction blocks LOTS of videos that aren't in any way problematic for a school.

 

Is there a way to have Safe search enabled for search engines (Google, Bing, etc.) but not restrict YouTube?

1 Solution
jonathanaxford

Hi all,

 

I've had confirmation from Fortinet that the DNS filter is an 'all or nothing' setting, its not possible to remove the youtube restrictions and keep the google restrictions on. The only way to cover this is to use SSL inspection and apply the requirements via a webfilter. 

 

Cheers

Jon

View solution in original post

11 REPLIES 11
sub7even
New Contributor

looking forward to get updated reply from this as well..

gabriel

Hi, anyone have solved this?

blackhole_route
New Contributor III

It looks like this is possible at the CLI, at least on FortiOS 6.0.2. You can set safe-search enable on the dnsfilter profile, but not set youtube restricted.

config dnsfilter profile

edit profilename

set safe-search enable

unset youtube-restrict

end

 

 

Another option which requires a bit of work is to set up an internal recursive DNS server to do this. Rewrite the documented google.com domains (using something like BIND RPZ's) to forcesafesearch.google.com (https://support.google.com/websearch/answer/186669?hl=en) , and depending on internal client address, rewrite www.youtube.com (and other associated domains) to restrict.youtube.com or restrictmoderate.youtube.com. Google use to publish the list of domains to rewrite publicly but now apparently have restricted access to that information only to GSuite Admin accounts. If you need it, I can dig it up from config files I'm running currently....

golemb

I would love a easy built in solution for this, educational environment.   The Enforce Safe Search works great for Google / Bing search engines, users can't turn it off via the browser.   Works on every device.   My users hate it so I know its working

 

The YouTube filter is way to restrictive even on moderate, this is where the problem is for my users.   I tried the above CLI commands on one of my FortiGates firewalls as were running FortiOS 6.02.  They do execute without error in the CLI but when browsing to YouTube after making the changes via the CLI YouTube still in restricted mode.   I don't know if someone else can confirm this.

 

If there was an option via DNS filtering to leave YouTube unfiltered that would be super.   Three options for YouTube  Strict, Moderate, Unfiltered.   Could this be a feature request?

 

I have looked at the cookbook for the internal recursive DNS setup, don't really want to go down that path if I don't have too.

Silver
New Contributor

Dear All,

anyone can help to block safe search without ssl deep inspection. but users should not be able to have the options to turn off safe search into there browsers.

 

Thanks

silver

jonathanaxford

Hi all,

 

Resurrecting this thread in the vain hope that a solution was found...

 

We are relying on the DNS Filter to force google safesearch but the youtube restrictions are killing us. We currently have no option of implementing SSL Inspection so would like to try and keep the DNS filter in place, but remove any filtering for youtube...

 

Cheers

 

Jon

lcstn

Ditto here. Our school is running a 100E on 6.0.3. I'm hoping to keep this thread alive for any resolution to this issue.

jonathanaxford

Hi all,

 

I've had confirmation from Fortinet that the DNS filter is an 'all or nothing' setting, its not possible to remove the youtube restrictions and keep the google restrictions on. The only way to cover this is to use SSL inspection and apply the requirements via a webfilter. 

 

Cheers

Jon

lcstn

jonathanaxford wrote:

Hi all,

 

I've had confirmation from Fortinet that the DNS filter is an 'all or nothing' setting, its not possible to remove the youtube restrictions and keep the google restrictions on. The only way to cover this is to use SSL inspection and apply the requirements via a webfilter. 

 

Cheers

Jon

Jon, thanks for that info. At least I now have some sort of confirmation on the issue. We hope to be implementing SSL inspection in the coming months, so hopefully that'll alleviate some of my users' woes.

Top Kudoed Authors