AravindhN
New Contributor

SafeSearch Enforcement Issue on Mobile Devices

Requirement
The enforcement is working correctly on laptops with both the web filter and DNS filter enabled. However, on mobile devices, the Chrome browser loads the homepage initially, but subsequent pages are blocked. The expected behavior is that SafeSearch should be enforced right from the homepage, ensuring that even the homepage loads through the enforced SafeSearch.

Use case: College, School

Step 1: Create the loopback interface for enforcing DNS.
Note: The IP address should not be configured anywhere else.

AravindhN_12-1756818760838.png

Step 2: Enable the DNS Database under Feature Visibility.

AravindhN_13-1756818760843.png

Step 3: Block the P**ography category in the Web Filter and enable SafeSearch.

AravindhN_14-1756818760846.png

AravindhN_15-1756818760847.png

Step 4: Block the P**ography category in the DNS Filter as well, and enable Enforce SafeSearch.

AravindhN_16-1756818760850.png

Step 5: For the DNS-Loopback interface, enable the DNS Filter and set the mode to Recursive.
AravindhN_17-1756818760852.png

Step 6: Create the DNS entry for SafeSearch-Google.
I. AravindhN_18-1756818760854.png

II. AravindhN_19-1756818760858.png


CLI commands for creating the DNS entry to enforce SafeSearch

config system dns-database
    edit "SafeSearch-Google"
        set domain "google.com"
        set authoritative disable
        config dns-entry
            edit 1
                set type CNAME
                set hostname "www"
                set canonical-name "forcesafesearch.google.com"
            next
        end
    next
    edit "google.com"
        set domain "google.cat"
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "www"
                set ip 216.239.38.120
            next
        end
    next
end



Step 7: Policy Creation

You need to assign the DNS server IP as the Loopback interface IP to the devices. Then, create a DNS allow policy above the internet policy. Make sure that NAT is disabled for the DNS service.

 
 

Screenshot 2025-09-02 185310.png


Results:

The result is that SafeSearch enforcement is enabled by default in all browsers, as shown in the screenshot below.

AravindhN_21-1756818760866.jpeg

 



DNS filter Logs:

AravindhN_22-1756818760869.png
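
An added check, not part of the original post: a Python helper that reads `dig +noall +answer` output captured on a client that uses the loopback DNS IP, and reports whether the queried name was answered with the SafeSearch records from Step 6. The function names and the sample answers are constructed for illustration; 192.0.2.10 is a documentation address standing in for an unenforced answer.

```python
import re

# Values taken from the DNS database entries in the post.
SAFESEARCH_CNAME = "forcesafesearch.google.com"
SAFESEARCH_VIP = "216.239.38.120"

# Constructed sample answers (not captured from a real device).
VIA_LOOPBACK = ("www.google.com. 60 IN CNAME forcesafesearch.google.com.\n"
                "forcesafesearch.google.com. 300 IN A 216.239.38.120\n")
VIA_UPSTREAM = "www.google.com. 300 IN A 192.0.2.10\n"

# One answer-section line: owner, TTL, class, type, rdata.
ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME)\s+(\S+)\s*$")

def parse_answers(dig_output):
    """Return (owner, rtype, rdata) tuples from `dig +noall +answer` text."""
    records = []
    for line in dig_output.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            owner, rtype, rdata = m.groups()
            records.append((owner.rstrip(".").lower(), rtype,
                            rdata.rstrip(".").lower()))
    return records

def safesearch_status(dig_output, qname="www.google.com"):
    """Classify the response for qname: 'enforced', 'bypassed' or 'no-answer'."""
    records = parse_answers(dig_output)
    if not records:
        return "no-answer"
    # Follow the CNAME chain from the queried name, guarding against loops.
    name, seen = qname.lower(), set()
    while name not in seen:
        seen.add(name)
        if name == SAFESEARCH_CNAME:
            return "enforced"
        target = next((d for o, t, d in records
                       if o == name and t == "CNAME"), None)
        if target is None:
            break
        name = target
    # No SafeSearch CNAME on the path: accept only the SafeSearch address,
    # which covers the direct A-record override used for the second zone.
    addrs = {d for o, t, d in records if o == name and t == "A"}
    return "enforced" if addrs == {SAFESEARCH_VIP} else "bypassed"
```

A "bypassed" result for a client that should be using the loopback DNS IP means the query was answered by some other resolver, so check the DNS server assigned to that device and the DNS allow policy from Step 7.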

 







 

 

2 REPLIES
mamatka6
New Contributor

It sounds like what you really want is some kind of content blocking at the network level. What you're talking about sounds like deploying an agent of some kind to individual hosts. IMO the network based solution is going to be easier to administrate than an agent master/slave type application.

Sivaramakrishna

Here, no agent is required. He tried to block a category (for example, the Adult category), which is successfully blocked on systems but not on mobile devices. To address this, he enforced Safe Search by creating a DNS loopback interface in the firewall, which is mapped to the DNS filter and applied in the policy. This way, users receive the DNS server IP as the loopback interface IP configured in the firewall. Whenever a user tries to access adult content, the DNS server enforces Safe Search.
