In this recipe, you will use FortiGate web filtering to ensure that SafeSearch is applied to all Google search results. You will also block access to websites in the adult/mature content FortiGuard category for all network users. The recipe was written for FortiOS 5.2; the menu paths below are those of that release.
This recipe requires an active FortiGuard web filtering licence.
1. Enabling web filtering

Go to System > Config > Features and make sure that Web Filter is ON. If necessary, Apply your changes.
2. Blocking the Adult/Mature Content category and enabling Safe Search

Go to Security Profiles > Web Filter and edit the default profile. Enable FortiGuard Categories. Select the Adult/Mature Content category and set it to Block. Under Search Engines, select Enable Safe Search and Search Engine Safe Search – Google, Yahoo!, Bing, Yandex.

3. Adding web filtering to your Internet access policy

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet. Under Security Profiles, enable Web Filter and set it to use the default profile.

4. Enforcing Google SafeSearch for all traffic

Because Google search runs over HTTPS, the FortiGate cannot see the search query or the results page without decrypting the session, so web filtering alone may not be able to block all adult/mature content. There are two methods that can be used to enforce Google SafeSearch for all traffic: using full SSL inspection so that encrypted traffic is fully inspected (which causes certificate errors on clients that do not trust the FortiGate's CA certificate), or changing the DNS records so that search traffic is sent to forcesafesearch.google.com.

Method 1: Using full SSL inspection

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet. Set SSL/SSH Inspection to use the deep-inspection profile. Using the deep-inspection profile causes certificate errors until the FortiGate's CA certificate is trusted by the clients. For information about avoiding this, see Preventing certificate warnings.
|
Method 2: Changing the DNS records for www.google.com

If you wish to force Google SafeSearch for your entire network, you can set the DNS entry for www.google.com (and any other Google search domains, such as www.google.ca) to be a Canonical Name (CNAME) for forcesafesearch.google.com. All search traffic is then sent to forcesafesearch.google.com, which only returns SafeSearch results. The steps below implement this on the FortiGate with an Address (A) record that points www at the IP address of forcesafesearch.google.com, so confirm that address before you start and re-check it if enforcement stops working. The override only takes effect for clients whose DNS queries are actually answered by the FortiGate, and the method for changing the DNS records varies, depending on whether your FortiGate is the network's DNS server, or if an external server is used (in which case the FortiGate must intercept the queries).
|
FortiGate is the network's DNS server

Go to System > Config > Features and select Show More. Make sure that DNS Database is ON. If necessary, Apply your changes.

Go to System > Dashboard > Status and enter the following command into the CLI Console, replacing internal with the name of your internal interface:

    config system dns-server
        edit internal
            set mode recursive
        end

Go to System > Network > DNS Servers. The new server is listed under DNS Service on Interface.

Under DNS Database, select Create New. Set DNS Zone as Google, Domain Name to google.com, and disable Authoritative. Leaving Authoritative disabled means that names under google.com that are not in the zone are still resolved through the upstream DNS servers.

Under DNS Entries, select Create New. Set Type to Address (A), set Hostname to www, and IP Address to 216.239.38.120 (the IP address of forcesafesearch.google.com at the time of writing).

If required, create additional DNS Database entries for other Google search domains (entry for www.google.ca shown). Google publishes a list of its search domains.
|
The network uses an external DNS server

Using this method will cause your FortiGate to intercept all DNS queries from the internal network. Because all DNS traffic is redirected to the FortiGate's internal DNS service, there may be a performance impact on the FortiGate. Only plain DNS on port 53 is intercepted: a client that resolves names over an encrypted channel (DNS over HTTPS or DNS over TLS) bypasses the override unless that traffic is blocked separately.

Go to System > Config > Features and select Show More. Make sure that DNS Database is ON. If necessary, Apply your changes.

Go to System > Network > Interfaces and create an interface to be used for the FortiGate DNS service. Set Type to Loopback Interface and assign an IP/Network Mask (in the example, the interface is named dns-loopback and uses 10.10.10.10/255.255.255.255).

Go to System > Dashboard > Status and enter the following command into the CLI Console to run a recursive DNS service on the loopback interface:

    config system dns-server
        edit dns-loopback
            set mode recursive
        end

Go to System > Network > DNS Servers. The new server is listed under DNS Service on Interface.

Under DNS Database, select Create New. Set DNS Zone as Google, Domain Name to google.com, and disable Authoritative. Leaving Authoritative disabled means that names under google.com that are not in the zone are still resolved through the upstream DNS servers.

Under DNS Entries, select Create New. Set Type to Address (A), set Hostname to www, and IP Address to 216.239.38.120 (the IP address of forcesafesearch.google.com at the time of writing).

If required, create additional DNS Database entries for other Google search domains (entry for www.google.ca shown). Google publishes a list of its search domains.

Go to System > Dashboard > Status and use the CLI Console to create a new virtual IP that redirects DNS queries from your internal users to the loopback DNS service. Set src-filter to the IP range of your internal users (in the example, 10.10.80.2-10.10.80.100), extintf to your internal interface, and mappedip to the IP address of the loopback interface.

Go to Policy & Objects > Policy > IPv4 and create a policy to use the virtual IP to intercept DNS queries. Set the Incoming Interface to your internal interface, the Outgoing Interface to the loopback interface, Destination Address to the virtual IP, and Service to DNS. Make sure NAT is disabled.

Select the Global View of the policy list. Make sure that the new policy is located above the policy that allows connections from the internal network to the Internet; otherwise DNS queries match the general Internet policy first and are never redirected.
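The DNS Database steps are the same in both methods above (one non-authoritative zone per Google search domain, each with a single A record for www) and become repetitive once several domains are involved. The following script is an added example and is not part of the Fortinet recipe: it generates the equivalent config system dns-database CLI block for a list of domains, and it checks a set of resolver answers to confirm that the override is actually reaching clients. The CLI syntax it emits is assumed from FortiOS and should be confirmed on your own firmware; the third domain, the zone names and the sample resolver answers are constructed for illustration.

```python
"""Added example (not Fortinet's code): generate the FortiGate DNS Database
configuration that pins Google search hosts to forcesafesearch.google.com,
and check resolver answers against it.  The emitted CLI is the
`config system dns-database` form of the GUI steps in the recipe and is
assumed from FortiOS; confirm it on your firmware before pasting it in."""
import ipaddress

# Address of forcesafesearch.google.com as given in the recipe.  Google can
# renumber it, so re-resolve the name before deploying and re-check it
# periodically: a stale A record here silently breaks enforcement.
FORCESAFESEARCH_IP = "216.239.38.120"

# google.com and google.ca are the two domains shown in the recipe; the
# third is an assumed extra to show how further search domains are added.
GOOGLE_SEARCH_DOMAINS = ["google.com", "google.ca", "google.co.uk"]


def zone_name(domain: str) -> str:
    """DNS Zone names in the DNS Database are free text; derive one per domain."""
    return "Google-" + domain.replace(".", "-")


def dns_database_cli(domains, ip=FORCESAFESEARCH_IP, ttl=300) -> str:
    """Emit one non-authoritative zone per search domain with a single A
    record for www.  Authoritative stays disabled so that any other name
    under the domain (mail, drive, ...) is still forwarded upstream."""
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    lines = ["config system dns-database"]
    for domain in domains:
        lines += [
            f'    edit "{zone_name(domain)}"',
            f'        set domain "{domain}"',
            "        set authoritative disable",
            # short TTL so a corrected address propagates to clients quickly
            f"        set ttl {ttl}",
            "        config dns-entry",
            "            edit 1",
            "                set type A",
            '                set hostname "www"',
            f"                set ip {ip}",
            "            next",
            "        end",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


def check_answers(answers, domains, ip=FORCESAFESEARCH_IP):
    """Compare what the clients' resolver actually returns with the override.

    answers maps hostname -> list of address records (A and AAAA) returned
    by the resolver the clients use.  Each expected host is reported as
    'enforced' (only the SafeSearch address came back), 'bypassed' (some
    other address came back, e.g. an upstream A or AAAA record that lets a
    dual-stack client reach ordinary Google search) or 'unresolved'."""
    report = {}
    for domain in domains:
        host = f"www.{domain}"
        got = answers.get(host, [])
        if not got:
            report[host] = "unresolved"
        elif all(a == ip for a in got):
            report[host] = "enforced"
        else:
            report[host] = "bypassed"
    return report


# Constructed sample answers: www.google.com is pinned correctly,
# www.google.ca still also resolves to a non-SafeSearch address (TEST-NET-3
# stands in for it here), and the resolver returned nothing for google.co.uk.
SAMPLE_ANSWERS = {
    "www.google.com": ["216.239.38.120"],
    "www.google.ca": ["216.239.38.120", "203.0.113.10"],
}

if __name__ == "__main__":
    print(dns_database_cli(GOOGLE_SEARCH_DOMAINS))
    for host, status in check_answers(SAMPLE_ANSWERS, GOOGLE_SEARCH_DOMAINS).items():
        print(f"{host}: {status}")
```

Paste the generated block into the CLI Console after reviewing it. To populate check_answers with real data, query the resolver that clients actually use (for example with dig from a workstation) for each www host, and repeat the query from a client configured with an external DNS server to confirm that the interception policy catches it; any answer other than the forcesafesearch.google.com address means a path around the override still exists.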
|
Results

If you are using full SSL inspection, go to google.com and attempt to search for adult/mature content. When the results are shown, a message appears stating that SafeSearch is turned on, and users cannot turn it off. Older versions of Google Chrome used the SPDY protocol, which prevented SafeSearch from turning on automatically under SSL inspection; if you use such a browser, disable SPDY.

If you have altered the DNS settings, go to google.com. A message at the top of the page states that your network has turned on SafeSearch.
For further reading, check out SafeSearch and DNS Services in the FortiOS 5.2 Handbook.
The post Blocking adult/mature content with Google SafeSearch appeared first on Fortinet Cookbook.