Blocking adult/mature content with Google SafeSearch


In this recipe, you will use FortiGate web filtering to ensure that SafeSearch is applied to all Google search results. You will also block access to websites in the adult/mature content FortiGuard category for all network users.

This recipe requires an active FortiGuard web filtering licence.

1. Enabling web filtering

Go to System > Config > Features and make sure that Web Filter is ON. If necessary, Apply your changes.  

2. Blocking the Adult/Mature Content category and enabling Safe Search

Go to Security Profiles > Web Filter and edit the default profile. Enable FortiGuard Categories.

Select the Adult/Mature Content category and set it to Block.

Under Search Engines, select Enable Safe Search and Search Engine Safe Search – Google, Yahoo!, Bing, Yandex.

 

3. Adding web filtering to your Internet access policy

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet.

Under Security Profiles, enable Web Filter and set it to use the default profile. 

 

4. Enforcing Google SafeSearch for all traffic

Because Google search often uses the HTTPS protocol, web filtering alone may not be able to block all adult/mature content. There are two methods that can be used to enforce Google SafeSearch for all traffic: using full SSL inspection so that encrypted traffic is fully inspected (which can cause certificate errors), or changing the DNS records to force search traffic to use forcesafesearch.google.com.

Method 1: Using full SSL inspection

Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet.

Set SSL/SSH Inspection to use the deep-inspection profile. Using the deep-inspection profile may cause certificate errors. For information about avoiding this, see Preventing certificate warnings.

 

Method 2: Changing the DNS records for www.google.com

If you wish to force Google SafeSearch for your entire network, you can set the DNS entry for www.google.com (and any other Google search domains, such as www.google.ca) to be a Canonical Name (CNAME) for forcesafesearch.google.com. This will force all search traffic to use forcesafesearch.google.com.

The method for changing the DNS records using your FortiGate varies, depending on whether your FortiGate is the network’s DNS server, or if an external server is used.

FortiGate is the network’s DNS server

Go to System > Config > Features and select Show More. Make sure that DNS Database is ON. If necessary, Apply your changes.  
Go to System > Dashboard > Status and enter the following command into the CLI Console using your internal interface:

config system dns-server
  edit internal
    set mode recursive
  end

 

Go to System > Network > DNS Servers. The new server is listed under DNS Service on Interface.

 

Under DNS Database, select Create New.

Set DNS Zone as Google, Domain Name to google.com, and disable Authoritative.

 

Under DNS Entries, select Create New.

Set Type to Address (A), set Hostname to www, and IP Address to 216.239.38.120 (the IP address of forcesafesearch.google.com).

 

If required, create additional DNS Database entries for other Google search domains (entry for www.google.ca shown).

A list of Google search domains can be found here.

 

The network uses an external DNS server

Using this method will cause your FortiGate to intercept all DNS queries. Because all DNS traffic will be forwarded to the FortiGate internal DNS Service, there might be a performance impact on the FortiGate.

Go to System > Config > Features and select Show More. Make sure that DNS Database is ON. If necessary, Apply your changes.

 

Go to System > Network > Interfaces and create an interface to be used for the FortiGate DNS service.

Set Type to Loopback Interface and assign an IP/Network Mask (in the example, 10.10.10.10/255.255.255.255).

 
Go to System > Dashboard > Status and enter the following command into the CLI Console:

config system dns-server
  edit dns-loopback
    set mode recursive
  end

Go to System > Network > DNS Servers. The new server is listed under DNS Service on Interface.

Under DNS Database, select Create New.

Set DNS Zone as Google, Domain Name to google.com, and disable Authoritative.

 

Under DNS Entries, select Create New.

Set Type to Address (A), set Hostname to www, and IP Address to 216.239.38.120 (the IP address of forcesafesearch.google.com). 

 

If required, create additional DNS Database entries for other Google search domains (entry for www.google.ca shown). 

A list of Google search domains can be found here.

 

Go to System > Dashboard > Status and enter the following command into the CLI Console to create a new virtual IP:

Set src-filter to the IP range of your internal users (in the example, 10.10.80.2-10.10.80.100), extintf to your internal interface, and mappedip to the IP address of the loopback interface.

config firewall vip
  edit "dns-vip"
    set type load-balance
    set src-filter "10.10.80.2-10.10.80.100"
    set extip 0.0.0.0-239.255.255.255
    set extintf internal
    set portforward enable
    set mappedip "10.10.10.10"
    set protocol udp
    set extport 53
    set mappedport 53
    set arp-reply disable
  end

Go to Policy & Objects > Policy > IPv4 and create a policy to use the virtual IP to intercept DNS queries.

Set the Incoming Interface to your internal interface, the Outgoing Interface to the loopback interface, Destination Address to the virtual IP, and Service to DNS. Make sure NAT is disabled.

 

Select the Global View of the policy list. Make sure that the new policy is located above the policy that allows connections from the internal network to the Internet.

 

Results  

If you are using full SSL inspection, go to google.com and attempt to search for adult/mature content. When the results are shown, a message appears stating that SafeSearch is turned on. This cannot be undone.

If you are using Google Chrome for Internet browsing, you may need to disable the SPDY protocol in order for SafeSearch to turn on automatically.

 
If you have altered the DNS settings, go to google.com. A message at the top of the page states that your network has turned on SafeSearch.  
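A scripted version of the DNS check, as an added example that is not part of the original recipe: it sends one UDP port 53 query for a search domain to a resolver and confirms that every A record returned is 216.239.38.120, the address the recipe configures. The function names and the sample response are constructed for illustration.

```python
import socket
import struct

SAFE_IP = "216.239.38.120"  # forcesafesearch.google.com address given in the recipe

def build_query(name, qid=0x1234):
    """Encode a recursive A/IN query for name."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # pointer is 2 bytes, root label is 1

def a_records(msg):
    """Return all IPv4 addresses in the answer section of a DNS response."""
    qd, an = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen  # CNAME and other record types are stepped over
    return ips

def is_enforced(msg):
    """True only if the response has A records and all of them equal SAFE_IP."""
    ips = a_records(msg)
    return bool(ips) and all(ip == SAFE_IP for ip in ips)

def check(resolver, name, timeout=3.0):
    """Query resolver over UDP/53 for name and report whether the override is in effect."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return is_enforced(s.recvfrom(4096)[0])

# Constructed sample: a response carrying "www.google.com A 216.239.38.120".
_q = build_query("www.google.com")
SAMPLE = (_q[:2] + b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + _q[12:] + b"\xc0\x0c"
          + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(SAFE_IP))
```

Run check() from an internal client against the resolver that client normally uses, once for each Google search domain you created an entry for. In the external-DNS setup it should return True whichever resolver address the client uses, because the dns-vip maps UDP port 53 traffic from the src-filter range to the FortiGate DNS service.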

For further reading, check out SafeSearch and DNS Services in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

  • Victoria Martin

    If you look at the Product Integration and Support section of the Release Notes, you can find which browser versions are supported: http://docs.fortinet.com/fortigate/release-information

    • John Cardona

      Thank you very much for your help Victoria!!!!!

  • John Cardona

    Hi Victoria, thanks for this post, it really works!!! But I have a question: how can I use this with Yahoo search?

    • Victoria Martin

      Hi John,

      I’m glad you were able to get it working. I looked into it and, as far as I can tell, Yahoo does not have a URL that forces SafeSearch the same way Google does, so the only way to make sure SafeSearch is applied to Yahoo search traffic would be the full SSL inspection method.

  • Victoria Martin

    Hi Peter,

    We don’t have a recipe specifically for YouTube, but you should be able to configure a DNS solution using this recipe, just substituting the addresses shown in the link you shared.

  • Peter L

    Is there a similar DNS setup for YouTube?
    https://support.google.com/youtube/answer/6214622

  • Issam Bakir

    Hello Victoria,
    1- Does this work with v5.4?
    Thank you

    • Victoria Martin

      Hello Issam,

      I have not tried this recipe using 5.4 but I believe it should work, though at the very least there will be some differences in GUI paths and appearance.

      • Jorge Luis Pomachagua

        I tried this configuration on v 5.4.3 and it works, all the commands are the same.

        • Victoria Martin

          Thanks for the confirmation.

  • Abdulaziz Alatar

    Hello Victoria,
    Thank you for this recipe.
    I want to ask you if I can use SafeSearch without a FortiGuard subscription?

    • Victoria Martin

      Hello Abdulaziz,

      The only part of this recipe that requires FortiGuard is when FortiGuard categories are used to block Adult/Mature Content.

  • Daniel Azeredo

    Nice post, it was very helpful for me!!

    Thanks!