Block adult images
I have a "cheap" Gryphon router at home that does a perfect job of implementing SafeSearch for Google and Bing. I can't get the WatchGuard Firebox 12.4 OS to do the same thing. I see that potentially the fix is forcing DNS override?
How can my Gryphon box figure this out but Watchguard can't?
You'll need to ensure that content inspection is turned on in the HTTPS proxy, and that your browser is not trying to use the QUIC protocol.
(How to prevent connections from Chrome browsers that bypass WebBlocker and SafeSearch restrictions with QUIC protocol?)
In the HTTPS proxy action you've set up, the "if none matched" option needs to be set to "inspect" so that the firewall will inspect HTTPS traffic, since Google sends all traffic over HTTPS.
Both devices are capable of doing this, the WatchGuard is just much more customizable.
WatchGuard Customer Support
QUIC is disabled via a rule and HTTPS proxy... perfect! Thank you. I didn't notice that it was set to "allow" at the bottom of the list. That was exactly my problem. Thank you, I couldn't easily understand this from the documentation.
Could you point me to the proper way to install the certificate in a business Enterprise so this doesn't disrupt users?
Via Group Policies.
See this example:
How to push the Securly SSL certificate with Active Directory GPO
In case it wasn't obvious from the article Bruce linked, in step 1 that would be your own "Fireware HTTPS Proxy" cert that you will import into the GPO. That will take care of Internet Explorer, Edge, and Chrome, but you will need to set Firefox manually (about:config, then set "security.enterprise_roots.enabled" to true by double-clicking it) or via GPO after you download the Mozilla ADMX files because it does not use the local computer cert store by default.
WatchGuard's article on the subject with various importing types:
Egad! I just read WatchGuard's method for using GPO for Firefox. IGNORE THAT METHOD!
Just get the Mozilla ADMX files and use them in a GPO. It's MUCH easier!
You also can use the Firefox GPO to disable DoH so you don't see its attempts in your logs when you disable DNS over HTTPS.
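As an added example (not from this thread, and not WatchGuard's or Mozilla's code), the PowerShell below does on a single reference machine what the replies above describe for the whole domain: it imports the Firebox HTTPS proxy CA into the machine Root store (which covers Internet Explorer, Edge, and Chrome), writes the same registry values the Mozilla ADMX policies set (ImportEnterpriseRoots and DNSOverHTTPS), and then connects to www.google.com to confirm the certificate presented is issued by the proxy CA, i.e. that inspection is actually happening. The certificate path, the hostname used for the check, and the function names are assumptions for the example; the registry keys are the documented Firefox policy locations.

```powershell
<#
  Added example, not from the thread or from WatchGuard.
  Assumptions:
    - $CertPath is the exported "Fireware HTTPS Proxy" CA (.cer, DER or PEM).
    - Runs elevated on a reference machine; for the fleet, move step 1 into
      Computer Configuration > Policies > Windows Settings > Public Key Policies and
      step 2 into the Firefox ADMX policies (same values are written either way).
#>
param(
    [string]$CertPath = 'C:\Deploy\Fireware-HTTPS-Proxy.cer'   # assumed path
)

# 1. Trust the proxy CA machine-wide. IE, Edge and Chrome read this store.
function Install-ProxyRootCert {
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        if (-not ($store.Certificates | Where-Object Thumbprint -eq $cert.Thumbprint)) {
            $store.Add($cert)
        }
    } finally {
        $store.Close()
    }
    return $cert.Thumbprint
}

# 2. Firefox does not use the Windows store by default; the ImportEnterpriseRoots
#    policy turns that on. DNSOverHTTPS Enabled=0 + Locked=1 stops DoH attempts
#    from showing up in the Firebox logs once DoH is blocked at the firewall.
function Set-FirefoxPolicies {
    $base = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'
    New-Item -Path "$base\Certificates" -Force | Out-Null
    New-ItemProperty -Path "$base\Certificates" -Name 'ImportEnterpriseRoots' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-Item -Path "$base\DNSOverHTTPS" -Force | Out-Null
    New-ItemProperty -Path "$base\DNSOverHTTPS" -Name 'Enabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path "$base\DNSOverHTTPS" -Name 'Locked' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# 3. Verify inspection: if the HTTPS proxy is really inspecting, the leaf
#    certificate Google "presents" is one the Firebox minted, issued by the proxy CA.
function Test-HttpsInspection {
    param(
        [string]$Hostname = 'www.google.com',   # assumed test host
        [string]$ProxyCaSubject
    )
    $script:leaf = $null
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        # Capture only; the chain is not trusted here, the comparison below decides.
        $script:leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Hostname, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($Hostname)
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
    [pscustomobject]@{
        Host      = $Hostname
        Issuer    = $script:leaf.Issuer
        Inspected = ($script:leaf.Issuer -eq $ProxyCaSubject)
    }
}

$thumb = Install-ProxyRootCert -Path $CertPath
Set-FirefoxPolicies
$ca = Get-Item "Cert:\LocalMachine\Root\$thumb"
Test-HttpsInspection -ProxyCaSubject $ca.Subject
```

The check in step 3 deliberately uses a plain TCP/TLS connection, so it tells you the proxy action is set to inspect but says nothing about QUIC: a Chrome session that still gets UDP 443 through will bypass the proxy even when this test reports Inspected = True. Keep the QUIC block from the earlier reply in place and, if you want a second signal, watch the HTTPS proxy logs for the same hostname while Chrome loads it.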