We're using a few FortiGate 50E with FortiOS 5.6.2 and DNS filtering, which works great (properly enforces SafeSearch over SSL/TLS without requiring a local certificate to be installed).
However, when Safe search is enforced, YouTube restrictions must be set to "strict" or "moderate". Even moderate YouTube restriction blocks LOTS of videos that aren't in any way problematic for a school.
Is there a way to have Safe search enabled for search engines (Google, Bing, etc.) but not restrict YouTube?
Hi all,
I've had confirmation from Fortinet that the DNS filter is an 'all or nothing' setting; it's not possible to remove the YouTube restrictions and keep the Google restrictions on. The only way to cover this is to use SSL inspection and apply the requirements via a webfilter.
Cheers
Jon
An alternate solution from the old Cookbook recipe (pre-dating the DNS filter) is to set up a local DNS database and/or create a hairpin "loopback" DNS server to "enforce" or redirect DNS queries to itself, for Google safe search.
The original source link was https://cookbook.fortinet.com/blocking-adultmature-content-google-safesearch/ but the site has since been moved "in-house" to docs.fortinet.com, so I'm not sure where the document is now or if it's been revised or needs to be.
My original scripting notes for the setup are as follows, though I do recall adding/adjusting something to get it to fully work (I think it was adding another DNS record).
=================================

    config system interface
        edit "dns-loop"
            set vdom "root"
            set ip 10.10.10.10 255.255.255.255
            set type loopback
        next
    end

=================================

    config system settings
        set gui-dns-database enable
    end

=================================

    config system dns-database
        edit "Google"
            set domain "google.com"
            set authoritative disable
            config dns-entry
                edit 1
                    set hostname "www"
                    set ip 216.239.38.120
                next
                edit 2
                    set hostname "google.com"
                    set ip 216.239.38.120
                next
            end
        next
        edit "Google Canada"
            set domain "google.ca"
            set authoritative disable
            config dns-entry
                edit 1
                    set hostname "www"
                    set ip 216.239.38.120
                next
            end
        next
    end

=================================

    config system dns-server
        edit "internal_net"
        next
        edit "dns-loop"
        next
    end

=================================

    config firewall vip
        edit "dns-vip"
            set type load-balance
            set src-filter "192.168.93.1-192.168.93.250"
            set extip 0.0.0.0-239.255.255.255
            set extintf "internal_net"
            set arp-reply disable
            set portforward enable
            set mappedip "10.10.10.10"
            set protocol udp
            set extport 53
            set mappedport 53
        next
    end

=================================

    config firewall policy
        edit 0
            set name "Map-to-DNS-Internal"
            set srcintf "internal_net"
            set dstintf "dns-loop"
            set srcaddr "all"
            set dstaddr "dns-vip"
            set action accept
            set schedule "always"
            set service "DNS"
        next
    end

=================================
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
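An added example, not part of the original post and not Fortinet code: a small Python audit that parses the `config system dns-database` stanza from the notes above and reports which names the local database pins to 216.239.38.120 and which it leaves alone. The function names are hypothetical, and the rule that turns a hostname into a full name is an assumption of this example, not confirmed FortiOS behaviour.

```python
import shlex

KEYWORDS = {"config", "edit", "set", "next", "end"}
# Constructed sample: the dns-database stanza from the post, flattened as posted.
SAMPLE = (
    'config system dns-database edit "Google" set domain "google.com" '
    'set authoritative disable config dns-entry edit 1 set hostname "www" '
    'set ip 216.239.38.120 next edit 2 set hostname "google.com" '
    'set ip 216.239.38.120 next end next edit "Google Canada" '
    'set domain "google.ca" set authoritative disable config dns-entry '
    'edit 1 set hostname "www" set ip 216.239.38.120 next end next end'
)

def parse_dns_database(text):
    """Return (zone, hostname, ip) for every dns-entry in the stanza."""
    tokens, records, zone, entry, depth, i = shlex.split(text), [], None, {}, 0, 0
    while i < len(tokens):
        j = i + 1
        while j < len(tokens) and tokens[j] not in KEYWORDS:
            j += 1                      # arguments run up to the next keyword
        word, args = tokens[i], tokens[i + 1:j]
        if word == "config":
            depth += 1                  # 1 = dns-database, 2 = dns-entry
        elif word == "end":
            depth -= 1
        elif word == "edit" and depth == 2:
            entry = {}                  # start of a new dns-entry record
        elif word == "set" and len(args) >= 2 and depth == 1 and args[0] == "domain":
            zone = args[1]
        elif word == "set" and len(args) >= 2 and depth == 2:
            entry[args[0]] = args[1]
        elif word == "next" and depth == 2:
            records.append((zone, entry.get("hostname"), entry.get("ip")))
        i = j
    return records

def fqdn(zone, hostname):
    # Assumption of this example (not confirmed FortiOS behaviour): a hostname
    # is relative to its zone unless it already is, or ends with, the zone name.
    own = hostname == zone or hostname.endswith("." + zone)
    return hostname if own else f"{hostname}.{zone}"

def audit(text, names, forced_ip="216.239.38.120"):
    """Map each name to 'forced' (local record -> forced_ip) or 'not overridden'."""
    table = {fqdn(z, h): ip for z, h, ip in parse_dns_database(text)}
    return {n: "forced" if table.get(n) == forced_ip else "not overridden" for n in names}

if __name__ == "__main__":
    names = ["www.google.com", "google.com", "www.google.ca", "google.ca", "www.youtube.com"]
    print(audit(SAMPLE, names))
```

Run against the posted records, the audit shows that `www.youtube.com` has no local record, and that the bare `google.ca` name has none either, so any name meant to be enforced needs its own entry.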
Three years in, there is still no simple solution. :(
I thought that maybe the newly added Static Domain Filter in FortiOS 6 could be used to override the results, but it doesn't seem to be applied to responses that were modified by the Safe Search functionality.