Blocking adult/mature content with Google SafeSearch

In this recipe, you will use FortiGate web filtering to ensure that SafeSearch is applied to all Google search results. You will also block access to websites in the adult/mature content FortiGuard category for all network users.

This recipe requires an active FortiGuard web filtering licence.

1. Enabling web filtering

Go to System > Config > Features and make sure that Web Filter is ON. If necessary, Apply your changes.  

2. Blocking the Adult/Mature Content category and enabling Safe Search

Go to Security Profiles > Web Filter and edit the default profile. Enable FortiGuard Categories.

Select the Adult/Mature Content category and set it to Block.

Under Search Engines, select Enable Safe Search and Search Engine Safe Search – Google, Yahoo!, Bing, Yandex.


3. Adding web filtering to your Internet access policy

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet.

Under Security Profiles, enable Web Filter and set it to use the default profile. 


4. Enforcing Google SafeSearch for all traffic

Because Google search often uses the HTTPS protocol, web filtering alone may not be able to block all adult/mature content. There are two methods that can be used to enforce Google SafeSearch for all traffic: using full SSL inspection so that encrypted traffic is fully inspected (which can cause certificate errors), or changing the DNS records to force search traffic to use forcesafesearch.google.com.

Method 1: Using full SSL inspection

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet.

Set SSL/SSH Inspection to use the deep-inspection profile. Using the deep-inspection profile may cause certificate errors. For information about avoiding this, see Preventing certificate warnings.


Method 2: Changing the DNS records for www.google.com

If you wish to force Google SafeSearch for your entire network, you can set the DNS entry for www.google.com (and any other Google search domains, such as www.google.ca) to be a Canonical Name (CNAME) for forcesafesearch.google.com. This will force all search traffic to use forcesafesearch.google.com.

The method for changing the DNS records using your FortiGate varies, depending on whether your FortiGate is the network’s DNS server, or if an external server is used.

FortiGate is the network’s DNS server

Go to System > Config > Features and select Show More. Make sure that DNS Database is ON. If necessary, Apply your changes.

Go to System > Dashboard > Status and enter the following command into the CLI Console, using the name of your internal interface:

config system dns-server
  edit internal
    set mode recursive
  end

Go to System > Network > DNS Servers. The new server is listed under DNS Service on Interface.


Under DNS Database, select Create New.

Set DNS Zone to Google, Domain Name to google.com, and disable Authoritative.


Under DNS Entries, select Create New.

Set Type to Address (A), set Hostname to www, and IP Address to 216.239.38.120 (the IP address of forcesafesearch.google.com).


If required, create additional DNS Database entries for other Google search domains (entry for www.google.ca shown).

A list of Google search domains can be found here.


The network uses an external DNS server

Using this method will cause your FortiGate to intercept all DNS queries. Because all DNS traffic will be forwarded to the FortiGate internal DNS Service, there might be a performance impact on the FortiGate.

Go to System > Config > Features and select Show More. Make sure that DNS Database is ON. If necessary, Apply your changes.


Go to System > Network > Interfaces and create an interface to be used for the FortiGate DNS service.

Set Type to Loopback Interface and assign an IP/Network Mask (in the example, 10.10.10.10/255.255.255.255).

Go to System > Dashboard > Status and enter the following command into the CLI Console:

config system dns-server
  edit dns-loopback
    set mode recursive
  end

Go to System > Network > DNS Servers. The new server is listed under DNS Service on Interface.

Under DNS Database, select Create New.

Set DNS Zone to Google, Domain Name to google.com, and disable Authoritative.


Under DNS Entries, select Create New.

Set Type to Address (A), set Hostname to www, and IP Address to 216.239.38.120 (the IP address of forcesafesearch.google.com). 


If required, create additional DNS Database entries for other Google search domains (entry for www.google.ca shown). 

A list of Google search domains can be found here.
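The two DNS Database procedures above (FortiGate as the DNS server, and the loopback DNS service for an external server) both end with the same zone and A-record entries, one per Google search domain. The following added example, which is not part of the cookbook recipe, generates that DNS Database configuration as FortiOS CLI text for a list of domains and then audits a set of resolver answers collected from inside the network to find search domains that are still not redirected. The CLI key names (set domain, set authoritative, config dns-entry, set type A, set hostname, set ip) are assumed to match the FortiOS CLI reference and should be checked against your firmware version; the domain list and the resolver answers are constructed sample data.

```python
# Added example (not from the Fortinet cookbook): generate the FortiOS DNS-database
# configuration for one or more Google search domains and audit observed resolver
# answers for domains that still resolve to ordinary Google addresses.
# Assumption: the CLI keys under "config system dns-database" ('set domain',
# 'set authoritative', 'config dns-entry', 'set type A', 'set hostname', 'set ip')
# follow the FortiOS CLI reference; verify them for your firmware before pasting.

FORCESAFESEARCH_IP = "216.239.38.120"  # address of forcesafesearch.google.com, as given in the recipe

# Constructed sample list; the recipe links to Google's full list of search domains.
GOOGLE_SEARCH_DOMAINS = ["google.com", "google.ca", "google.co.uk"]


def zone_name(domain):
    """Derive a DNS Database zone name from the domain: 'google.com' -> 'google-com'."""
    return domain.replace(".", "-")


def dns_database_config(domains, ip=FORCESAFESEARCH_IP):
    """Return CLI text that creates one non-authoritative zone per domain with a single
    A record for the 'www' host pointing at forcesafesearch.google.com.

    'set authoritative disable' mirrors the recipe's GUI step: names in the zone that
    have no entry here (mail.google.com, for instance) are still forwarded to the
    upstream resolver instead of being answered by the FortiGate alone.
    """
    lines = ["config system dns-database"]
    for domain in domains:
        lines += [
            f'    edit "{zone_name(domain)}"',
            f"        set domain {domain}",
            "        set authoritative disable",
            "        config dns-entry",
            "            edit 1",
            "                set type A",
            "                set hostname www",
            f"                set ip {ip}",
            "            next",
            "        end",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


def unredirected(observed_answers, domains=GOOGLE_SEARCH_DOMAINS, ip=FORCESAFESEARCH_IP):
    """Given a mapping hostname -> list of A answers seen from a client inside the
    network, return the www.<domain> names that are not answered solely with the
    forcesafesearch address. A name missing from the mapping counts as unredirected."""
    problems = []
    for domain in domains:
        host = f"www.{domain}"
        answers = observed_answers.get(host, [])
        if not answers or any(a != ip for a in answers):
            problems.append(host)
    return problems


if __name__ == "__main__":
    print(dns_database_config(GOOGLE_SEARCH_DOMAINS))
    # Constructed sample of what a client-side lookup might return after the change.
    sample = {
        "www.google.com": ["216.239.38.120"],
        "www.google.ca": ["216.239.38.120"],
        "www.google.co.uk": ["172.217.164.99"],  # constructed: still an ordinary address
    }
    print("Not redirected:", unredirected(sample))
```

Run the audit after the change from a host that uses the FortiGate (or the intercepted path) as its resolver: any name the function reports still resolves to ordinary Google addresses, so searches on that domain are not forced to SafeSearch and a further DNS Database entry is needed.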


Go to System > Dashboard > Status and enter the following command into the CLI Console to create a new virtual IP:

Set src-filter to the IP range of your internal users (in the example, 10.10.80.2-10.10.80.100), extintf to your internal interface, and mappedip to the IP address of the loopback interface.

config firewall vip
  edit "dns-vip"
    set type load-balance
    set src-filter "10.10.80.2-10.10.80.100"
    set extip 0.0.0.0-239.255.255.255
    set extintf internal
    set portforward enable
    set mappedip "10.10.10.10"
    set protocol udp
    set extport 53
    set mappedport 53
    set arp-reply disable
  end

Go to Policy & Objects > Policy > IPv4 and create a policy to use the virtual IP to intercept DNS queries.

Set the Incoming Interface to your internal interface, the Outgoing Interface to the loopback interface, Destination Address to the virtual IP, and Service to DNS. Make sure NAT is disabled.


Select the Global View of the policy list. Make sure that the new policy is located above the policy that allows connections from the internal network to the Internet.
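The virtual IP above only intercepts queries that match every one of its fields: the source address must fall inside src-filter, the packet must arrive on extintf, and it must be UDP to port 53. The following added example, which is not part of the cookbook recipe, models those match conditions so you can check which hosts and which query types the "dns-vip" object actually redirects to the loopback DNS service. The VIP values are copied from the CLI shown above; the client subnet 10.10.80.0/24 is a constructed assumption.

```python
# Added example (not from the Fortinet cookbook): check which internal hosts and which
# DNS queries the recipe's "dns-vip" virtual IP intercepts. Field values are taken from
# the CLI in the recipe; the client subnet used below is a constructed assumption.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Vip:
    name: str
    src_filter_low: str   # 'set src-filter "10.10.80.2-10.10.80.100"', split into bounds
    src_filter_high: str
    extintf: str          # 'set extintf internal'
    protocol: str         # 'set protocol udp'
    extport: int          # 'set extport 53'
    mappedip: str         # 'set mappedip "10.10.10.10"' (the loopback DNS service)
    mappedport: int       # 'set mappedport 53'


DNS_VIP = Vip("dns-vip", "10.10.80.2", "10.10.80.100", "internal", "udp", 53, "10.10.10.10", 53)


def intercepts(vip, src_ip, in_intf, protocol, dst_port):
    """True if a packet with these properties would be translated to the loopback DNS
    service. The destination address is not checked because the recipe's extip range
    (0.0.0.0-239.255.255.255) covers every unicast destination."""
    low, high = ip_address(vip.src_filter_low), ip_address(vip.src_filter_high)
    return (in_intf == vip.extintf
            and protocol == vip.protocol
            and dst_port == vip.extport
            and low <= ip_address(src_ip) <= high)


def uncovered_hosts(vip, client_network):
    """Hosts in client_network whose DNS queries bypass the VIP because their address
    lies outside src-filter, so they keep using whatever resolver they are configured with."""
    low, high = ip_address(vip.src_filter_low), ip_address(vip.src_filter_high)
    return [str(h) for h in ip_network(client_network).hosts() if not (low <= h <= high)]


if __name__ == "__main__":
    print(intercepts(DNS_VIP, "10.10.80.50", "internal", "udp", 53))   # inside src-filter, UDP/53
    print(intercepts(DNS_VIP, "10.10.80.50", "internal", "tcp", 53))   # VIP matches UDP only
    print(intercepts(DNS_VIP, "10.10.80.150", "internal", "udp", 53))  # outside src-filter
    gaps = uncovered_hosts(DNS_VIP, "10.10.80.0/24")
    print(len(gaps), "hosts in 10.10.80.0/24 are outside the src-filter range")
```

Two points the model makes visible: src-filter should cover the whole address range your clients can receive (for example the full DHCP scope), or hosts outside it are never redirected; and because the VIP is defined with set protocol udp, DNS carried over TCP/53 is not redirected, so if your resolvers or clients use TCP for large answers, create a second VIP with the same filter and set protocol tcp and add it to the intercept policy.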


Results  

If you are using full SSL inspection, go to google.com and attempt to search for adult/mature content. When the results are shown, a message appears stating that SafeSearch is turned on. This setting cannot be turned off by the user.

If you are using Google Chrome for Internet browsing, you may need to disable the SPDY protocol in order for SafeSearch to turn on automatically.

If you have altered the DNS settings, go to google.com. A message at the top of the page states that your network has turned on SafeSearch.  

For further reading, check out SafeSearch and DNS Services in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

  • Daniel Azeredo

    Nice post, it was very helpful for me!!

    Thanks!

  • Abdulaziz Alatar

    Hello Victoria,
    Thank you for this recipe.
    I want to ask you if I can use SafeSearch without a FortiGuard subscription?

    • Victoria Martin

      Hello Abdulaziz,

      The only part of this recipe that requires FortiGuard is when FortiGuard categories are used to block Adult/Mature Content.