pkley
New Contributor

Safe Search not being enforced

FWF40C running 5.0.1. Webfilter is configured on my outbound policy and is working, as it does block "blocked" web pages. If I do a search with Google or Bing I'm able to turn safe search off thru the browser, IE 9 or Firefox 18. It will show regular results for "porn" but it does block me if I try clicking on an actual link, great. However, it doesn't block Images on either Google or Bing if I disable safe search in the browser, that's NOT GOOD. If I try it thru Yahoo, I'm blocked two ways: first, if I try to save the change to safe search it leads to an Unrated page block. If I disable Unrated pages in the firewall, I'm able to change the preference and save it but all results still show like safe search is on, which is as it should be. How do I get Google and Bing to force safe search?
pkley
New Contributor

In further testing it only works partially in 4.2.7 as well. In 4.2.7 you can't bypass Google Safe Search in the browser even if you disable it under Settings. Then no results are found in Web or Images. However, with Bing, if you disable Safe Search, it blocks it in Web but not Images. Also, in 5.0.1 Bing web search via mobile doesn't get blocked at all, web or images.
billp
Contributor

I don't have a complete resolution for you, but I have some general suggestions. I am not using 5.0.1, but here are some things I've found helpful in troubleshooting this previously:

1. Is the URL encrypted? If so, that could be part of the problem.
2. For Bing, block *.explicit.bing.net -- that's similar to enforcing SafeSearch since all or most explicit images originate from that domain.
3. Use the IPS functions to block signatures for Google.Safe.Search.Off and similar.

I have had problems with enforcing SafeSearch on earlier firmware versions. The Fortigate is supposed to rewrite the Google URL with &safe=on, but that's rarely if ever worked for me. I was hoping any problems had been resolved in 5.0.1. I know there are more CLI options for configuring it now, but I have not played with them. If you open a support ticket to resolve, please let us know how it goes.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

Dave_Hall
Honored Contributor

Under 4.3, the Web Filter Profile (under UTM Profiles) has an "Enable Safe Search (Support Search Engines: Google, Yahoo, and Bing)" option that is supposed to append the correct flag or variable to the end of the search URL. For the most part it works well except when using Google in HTTPS mode, though I understand this is supposed to be fixed in 5.0.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

pkley
New Contributor

Bob: Thanks for the Bing tip URL Filter, that did work in Firefox but unfortunately not in IE9 or a mobile client, which is weird because when I hold on an image and get the details, it also shows http://ts4.explicit.bing.net and I would think would be blocked too. Why it works in Firefox and not IE baffles me... Could you be more specific on what you do with IPS to block Google Safe=off?

Dave: Unfortunately while the WFP SHOULD enforce SafeSearch when enabled, it doesn't, either in 4.2 or 5.0.1. It partially works in 4.2 unless you use https://google.com, then it fails. It isn't fixed AT ALL in 5.0.

To all, there are more features in 5.0 re web filtering, you can actually see the wildcards, but apparently they just don't work. I'll post the default below from the CLI. I have created a ticket and tech support is likely going to be submitting a bug.

    config webfilter search-engine
        edit "google"
            set hostname ".*\\.google\\..*"
            set url "^\\/((custom|search|images|videosearch|webhp)\\?)"
            set query "q="
            set safesearch url
            set safesearch-str "&safe=active"
        next
        edit "yahoo"
            set hostname ".*\\.yahoo\\..*"
            set url "^\\/search(\\/video|\\/images){0,1}(\\?|;)"
            set query "p="
            set safesearch url
            set safesearch-str "&vm=r"
        next
        edit "bing"
            set hostname "www\\.bing\\.com"
            set url "^(\\/images|\\/videos)?\\/search\\?"
            set query "q="
            set safesearch url
            set safesearch-str "&adlt=strict"
        next
        edit "yandex"
            set hostname "yandex\\..*"
            set url "^\\/yandsearch?\\?"
            set query "text="
            set safesearch url
            set safesearch-str "&fyandex=1"
        next
        edit "youtube"
            set hostname ".*\\.youtube\\..*"
            set safesearch header
        next
        edit "baidu"
            set hostname ".*\\.baidu\\.com"
            set url "^\\/s?\\?"
            set query "wd="
            set charset gb2312
        next
        edit "baidu2"
            set hostname ".*\\.baidu\\.com"
            set url "^\\/(ns|q|m|i|v)\\?"
            set query "word="
            set charset gb2312
        next
        edit "baidu3"
            set hostname "tieba\\.baidu\\.com"
            set url "^\\/f\\?"
            set query "kw="
            set charset gb2312
        next
    end
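Added example, not part of the original post and not Fortinet code: a small audit of the google, yahoo and bing entries from the posted defaults against constructed sample URLs, showing which requests would get the `safesearch-str` appended. It assumes the doubled backslashes in the CLI output stand for a single backslash, that the hostname pattern must match the whole host, and that an HTTPS request exposes no path or query unless TLS inspection is active; `enforce`, `ENGINES` and `SAMPLES` are hypothetical names.

```python
import re
from urllib.parse import urlsplit

# (hostname regex, url regex, safesearch-str) transcribed from the posted defaults.
# Assumption: the CLI's doubled backslashes are escapes for one backslash.
ENGINES = {
    "google": (r".*\.google\..*",
               r"^\/((custom|search|images|videosearch|webhp)\?)", "&safe=active"),
    "yahoo": (r".*\.yahoo\..*",
              r"^\/search(\/video|\/images){0,1}(\?|;)", "&vm=r"),
    "bing": (r"www\.bing\.com",
             r"^(\/images|\/videos)?\/search\?", "&adlt=strict"),
}


def enforce(url, tls_inspected=False):
    """Return (engine, url_after_rewrite); engine is None when nothing applies."""
    parts = urlsplit(url)
    # Inside TLS the path and query are encrypted, so a URL rewrite has
    # nothing to match or modify unless the session is being inspected.
    if parts.scheme == "https" and not tls_inspected:
        return None, url
    target = parts.path + ("?" + parts.query if parts.query else "")
    for name, (host_re, url_re, suffix) in ENGINES.items():
        if re.fullmatch(host_re, parts.hostname or "") and re.search(url_re, target):
            return name, url + suffix
    return None, url


# Constructed sample requests, not captured traffic.
SAMPLES = [
    "http://www.google.com/search?q=test",
    "https://www.google.com/search?q=test",
    "http://www.bing.com/images/search?q=test",
    "http://m.bing.com/images/search?q=test",  # constructed host outside the bing pattern
    "http://search.yahoo.com/search?p=test",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        engine, result = enforce(sample)
        print(f"{engine or 'no match':8}  {result}")
```

Requests that come back as "no match" are the ones to cover by other means, such as TLS inspection or a widened hostname pattern.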
billp

Could you be more specific on what you do with IPS to block Google Safe=off?
I made a mistake. It's Application Control. I would go to UTM, Intrusion Protection, Application Control, Application Control List. Open or create a new list. Then add Google.Search_Safe.Off as an application and set the action to Block. Assign the Application profile to the applicable Firewall rule.

I found that this solution worked to a degree. It was not consistent, though. And if someone had turned off safe search, it would completely block their access to Google Images with a timeout error. You then need to instruct the user on how to change the safe search setting. Additionally, once they got access to the Google Images site again, they appeared to be able to change the Safe Search setting to Off. My guess is the behavior varies with different browsers.

I also played around with making my own IPS sensors for this traffic with some success. Google changes their site and parameters often enough, though, that this was a moving target and I gave up.

Would you be willing to post your support ticket # to the forums? The link below has information on how to block Google SSL searching for your entire domain.

http://support.google.com/websearch/bin/answer.py?hl=en&answer=186669

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

pkley
New Contributor

This partially works. On Bing, it works fine: it blocks the images in Firefox IF I also have a URL filter for *.explicit.bing.net. Otherwise Firefox will let you mouse-hover and see the image. However, in IE it blocks them but if you hover the mouse it displays the image, even with the URL filter. On an Android with Dolphin browser it'll block the images but if you click More then they're revealed??? What the heck??? Same on the stock browser: Bing will show them if you click More.

On Google search there's a larger issue where it will always redirect to HTTPS if you're signed in with any Google service like email. On Android by default it's http, so safe search does actually work. If you manually go to HTTPS://google.com it'll show anything you want on image search.

...edit... Ok, so there is a way thru config system dns-database to add a cname record which absolutely works...unless you have a 40C on 5.0 and they stripped out the ability to run the DNS server on the FortiGate...YOU'VE GOT TO BE KIDDING ME...