Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JPBruwer
New Contributor

Google Safe Search - issue

Hi all,

 

I have some issues with Google Safe search not "applying" although it is set for my specific IPv4 Policy.

(Using a Fortigate 200D btw.)

 

Any ideas why it does not apply?

 

Thank you

8 REPLIES 8
neonbit
Valued Contributor

The key thing is that you have SSL deep inspection enabled on the policy.

 

When you goto google.com and search for something, check the certificate for the website in your browser. Has it been signed by Google or the FortiGates certificate?

JPBruwer

I understand.. It says Google is supplying the certificate. If I enable deep ssl inspections, would I not receive many certificate errors with different users? There are many BYOD devices.

 

It is just something I read, more info would be great!

 

Thank you!

hklb
Contributor II

Hi,

 

If you don't able to enable SSL deep inspection, you can use this solution : https://support.google.com/websearch/answer/186669?hl=en-GB

 

Lucas

JPBruwer
New Contributor

Lucas,

 

I have tried the force safe search, but with Server 2008 r2, it is not working... at least not through Chrome. That's why I am resorting to the Fortigate.

hklb
Contributor II

Hi,

 

Yes, win2k8r2 is not able to do a cname on root domain. But you can add a "A" record to point to "216.239.38.120" and monitor with your monitoring system if this address change. (I did that for a customer for nosslsearch.google.com and it works fine for more than 2 years)

 

Lucas

JPBruwer
New Contributor

Lucas,

 

So you add the A record in the root domain of your company? What do you point to that IP? What Google address exactly? Just www.google.com?

hmtay_FTNT

Hello,

 

The Google Safe Search signature requires deep-inspection for it to work. In addition to that, as rob.mason said, Chrome has been using their proprietary protocol QUIC to establish a lot of connections to their servers. You would need to set QUIC to Block to use most of the Google's signatures. 

 

You will receive certificate errors if you do not import the FortiGate Certificate onto the BYOD devices. One solution would be to mandate the users to install the certificate before they are allowed to access the network. Another solution would be to get a properly signed SSL Certificate from a third party CA. This will build a proper chain of trust to the Root CA and you would not need to import the self-signed FortiGate Certificate onto the devices.

rob_mason
New Contributor

As above I found that I also needed to enable SSL Deep Scanning before it would work.

 

Also we are seeing more and more issues caused by Google QUIC, try blocking UDP 443 on a policy above your safe search policy.

 

Rob

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors