Hi all,
I have some issues with Google Safe search not "applying" although it is set for my specific IPv4 Policy.
(Using a Fortigate 200D btw.)
Any ideas why it does not apply?
Thank you
The key thing is that you have SSL deep inspection enabled on the policy.
When you go to google.com and search for something, check the certificate for the website in your browser. Has it been signed by Google or the FortiGate's certificate?
I understand. It says Google is supplying the certificate. If I enable deep SSL inspection, would I not receive many certificate errors with different users? There are many BYOD devices.
It is just something I read, more info would be great!
Thank you!
Hi,
If you aren't able to enable SSL deep inspection, you can use this solution: https://support.google.com/websearch/answer/186669?hl=en-GB
Lucas
Lucas,
I have tried the force safe search, but with Server 2008 r2, it is not working... at least not through Chrome. That's why I am resorting to the Fortigate.
Hi,
Yes, win2k8r2 is not able to do a CNAME on the root domain. But you can add an "A" record to point to "216.239.38.120" and monitor with your monitoring system whether this address changes. (I did that for a customer for nosslsearch.google.com and it has worked fine for more than 2 years.)
Lucas
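The monitoring step from the post above, as an added example (not code from the thread, Fortinet or Google). It assumes the internal DNS overrides `www.google.com` and that `forcesafesearch.google.com` is the upstream name whose address the static record copies; both names and the function names are assumptions of this example.

```python
import socket

PINNED_IP = "216.239.38.120"                  # address quoted in the post above
UPSTREAM_NAME = "forcesafesearch.google.com"  # assumption: upstream name for that address
OVERRIDDEN_NAMES = ["www.google.com"]         # assumption: names overridden in internal DNS


def system_resolver(name):
    """Return the set of IPv4 addresses the local resolver gives for name."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # covers socket.gaierror and socket.herror
        return set()


def check_safesearch_pin(resolve=system_resolver, pinned=PINNED_IP,
                         upstream=UPSTREAM_NAME, overridden=OVERRIDDEN_NAMES):
    """Return a list of findings; an empty list means the pin is healthy."""
    findings = []
    # 1. Has the upstream address moved away from the static A record?
    upstream_ips = resolve(upstream)
    if not upstream_ips:
        findings.append(f"cannot resolve {upstream}; pin not verified")
    elif pinned not in upstream_ips:
        findings.append(f"{upstream} now resolves to {sorted(upstream_ips)}; "
                        f"static record {pinned} is stale")
    # 2. Do clients of this resolver still receive the pinned address?
    for name in overridden:
        ips = resolve(name)
        if ips != {pinned}:
            findings.append(f"{name} resolves to {sorted(ips)} instead of "
                            f"{pinned}; override missing or bypassed")
    return findings


if __name__ == "__main__":
    problems = check_safesearch_pin()
    for p in problems:
        print("ALERT:", p)
    raise SystemExit(1 if problems else 0)
```

Run it from a host that uses the internal DNS server; the non-zero exit status is what a monitoring system would alert on.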
Lucas,
So you add the A record in the root domain of your company? What do you point to that IP? What Google address exactly? Just www.google.com?
Hello,
The Google Safe Search signature requires deep-inspection for it to work. In addition to that, as rob.mason said, Chrome has been using their proprietary protocol QUIC to establish a lot of connections to their servers. You would need to set QUIC to Block to use most of Google's signatures.
You will receive certificate errors if you do not import the FortiGate Certificate onto the BYOD devices. One solution would be to mandate the users to install the certificate before they are allowed to access the network. Another solution would be to get a properly signed SSL Certificate from a third party CA. This will build a proper chain of trust to the Root CA and you would not need to import the self-signed FortiGate Certificate onto the devices.
As above I found that I also needed to enable SSL Deep Scanning before it would work.
Also, we are seeing more and more issues caused by Google QUIC; try blocking UDP 443 on a policy above your safe search policy.
Rob