FortiGate
fmerin_FTNT
Staff
Article Id 197155

Description

In some network environments where a FortiGate is deployed, it is necessary to block Google search results that contain specific keywords.

This can be achieved by disabling the QUIC protocol, which forces web browsers such as Google Chrome to use TLS, and then using the data leak prevention (DLP) feature to block access to the actual search results.


Solution

Create a custom firewall service for the QUIC protocol (UDP port 443) and a firewall policy that blocks it, which forces Google to use TLS v1.2 instead of QUIC. Ensure the firewall policy that blocks QUIC is above other policies:
config firewall service custom
    edit "QUIC"
        set udp-portrange 443
    next
end

config firewall policy
    edit 0
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "QUIC"
        set logtraffic all
    next
end

Create a DLP sensor with entries that block search results containing the keywords (the keywords "proxy" and "restricted" below are for testing; replace them with the keywords to be blocked), then apply the DLP sensor to the desired firewall policy:
config dlp sensor
    edit "content"
        config filter
            edit 1
                set proto http-get http-post
                set filter-by regexp
                set regexp "\\bproxy\\b"
                set action block
            next
            edit 2
                set proto http-get http-post
                set filter-by regexp
                set regexp "\\brestricted\\b"
                set action block
            next
        end
    next
end

config firewall policy
    edit <ID>
        set utm-status enable
        set dlp-sensor "content"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set
end

SSL deep inspection must be enabled for this configuration to work.

 

When attempting to search Google using the configured keywords, the FortiGate will deny access and present the DLP block page.

Note that in this example:
  • It is necessary to manage the DLP sensor manually and add keywords as required to block the Google search results in which they are contained.
  • The DLP sensor would also apply to traffic beyond just Google search results.  It will apply to general web browsing and other web applications.
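
Because the sensor is not limited to Google, it helps to check each keyword pattern against representative request lines before applying it. The following is an added example, not part of the original article or of FortiOS: it assumes that the CLI's doubled backslash (`\\b`) is stored as the regex word boundary `\b` and that Python's `re` treats these simple patterns as the FortiGate does. The hostnames and request lines are constructed.

```python
import re

# Keyword patterns exactly as typed in the DLP sensor (CLI form, backslashes doubled).
CLI_PATTERNS = [r"\\bproxy\\b", r"\\brestricted\\b"]

# Constructed sample request lines; the host is listed only for readability.
SAMPLES = [
    ("www.google.com", "GET /search?q=free+proxy+list"),
    ("www.google.com", "GET /search?q=proxying+explained"),
    ("www.google.com", "GET /search?q=unrestricted+access"),
    ("www.google.com", "GET /search?q=restricted%20area"),
    ("wiki.example.internal", "GET /it/proxy/setup.html"),
]


def cli_unescape(cli_value):
    """Collapse the CLI's doubled backslashes into the regex that is stored (assumption)."""
    return cli_value.replace("\\\\", "\\")


def compile_sensor(cli_patterns):
    """Compile every sensor entry into a regex object."""
    return [re.compile(cli_unescape(p)) for p in cli_patterns]


def blocked_by(request_line, sensor):
    """Return the source of each pattern that matches the request line."""
    return [rx.pattern for rx in sensor if rx.search(request_line)]


def report(samples, sensor):
    """Build (host, request line, verdict, matching patterns) rows."""
    rows = []
    for host, line in samples:
        hits = blocked_by(line, sensor)
        rows.append((host, line, "block" if hits else "pass", hits))
    return rows


if __name__ == "__main__":
    for host, line, verdict, hits in report(SAMPLES, compile_sensor(CLI_PATTERNS)):
        print(f"{verdict:5} {host:24} {line}  {hits}")
```

The last sample is not a Google search at all, yet it is blocked, which is the over-blocking effect described in the second note above.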

 

Related Articles

Technical Note: Disabling / Blocking QUIC Protocol to force Google Chrome to use TLS
