Block adult images

kevwit

I have a "cheap" Gryphon router at home that does a perfect job of implementing SafeSearch for Google and bing. I can't get the Watchguard Firebox 12.4 OS to do the same thing. I see that potentially the fix is forcing DNS override?

How can my Gryphon box figure this out but Watchguard can't?

james.carson

Hi @kevwit

You'll need to ensure that content inspection is turned on in the HTTPS proxy, and that your browser is not trying to use the QUIC protocol

(How to prevent connections from Chrome browsers that bypass WebBlocker and SafeSearch restrictions with QUIC protocol?)
https://watchguardsupport.secure.force.com/publicKB?type=Article&SFDCID=kA10H000000g3dzSAA&lang=en_US

In the HTTPS proxy action you've set up, the "if none matched" option needs to be set to "inspect" so that the firewall will inspect HTTPS traffic. Since google sends all traffic over https.

Both devices are capable of doing this, the WatchGuard is just much more customizable.

kevwit

QUIC is disabled via a rule and HTTPS proxy... prefect! Thank you. I didn't notice that it was set to "allow" at the bottom of the list. That was exactly my problem. Thank you, I couldn't easily understand this from documentation.

kevwit

Could you point me to the proper way to install the certificate in a business Enterprise so this doesn't disrupt users?

Bruce_Briggs

Via Group Policies.
See this example:

How to push the Securly SSL certificate with Active Directory GPO
https://support.securly.com/hc/en-us/articles/206688537-How-to-push-the-Securly-SSL-certificate-with-Active-Directory-GPO-

greggmh123

In case it wasn't obvious from the article Bruce linked, in step 1 that would be your own "Fireware HTTPS Proxy" cert that you will import into the GPO. That will take care of Internet Explorer, Edge, and Chrome, but you will need to set Firefox manually (about:config, then set "security.enterprise_roots.enabled" to true by double-clicking it) or via GPO after you download the Mozilla ADMX files because it does not use the local computer cert store by default.

greggmh123

WatchGuard's article on the subject with various importing types:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/import_client_cert.html

greggmh123

Egad! I just read WatchGuard's method for using GPO for Firefox. IGNORE THAT METHOD!

Just get the Mozilla ADMX files and use them in a GPO. It's MUCH easier!

https://github.com/mozilla/policy-templates/releases

Gregg

greggmh123

You also can use the Firefox GPO to disable DoH so you don't see its attempts in your logs when you disable DNS over HTTPS.