Prisma Access

If you’re using Panorama to manage Prisma Access: Toggle over to the PAN-OS tab and follow the guidance there.
If you’re using Prisma Access Cloud Management, continue here.
  1. Enable Safe Search Enforcement in a URL Access Management profile.
    1. Select Manage > Configuration > Security Services > URL Access Management.
    2. Under URL Access Management Profiles, select an existing profile or Add Profile to create a new one. Configuration options appear.
    3. Under Settings, select Safe Search Enforcement.
    4. Save the profile.
  2. (Optional) Restrict the search engines that end users can access.
    1. Select Manage > Configuration > Security Services > URL Access Management.
    2. Under Access Control, Search for the search-engines category.
    3. Set Site Access for the search-engines category to block.
      To specify the search engines you do want users to access, create a custom URL category of URL List
    4. Save the profile.
  3. Apply the URL Access Management profile to Security policy rules that allow traffic from clients in the trust zone to the internet.
    To activate a URL Access Management profile (and any Security profile), add it to a profile group and reference the profile group in a Security policy rule.
  4. Edit the URL Access Management safe search block page, replacing the existing code with JavaScript for rewriting search query URLs.
    1. Select Manage > Configuration > Security Services > URL Access Management > Response Pages.
    2. Export HTML Template for URL Access Management Block Page.
    3. Use an HTML editor and replace all of the existing block page text with the following text. Then, save the file.
      <html>
      <head>
      <title>Search Blocked</title>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <meta http-equiv="pragma" content="no-cache">
      <meta name="viewport" content="initial-scale=1.0">
      <style>
        #content {
          border:3px solid #aaa;
          background-color:#fff;
          margin:1.5em;
          padding:1.5em;
          font-family:Tahoma,Helvetica,Arial,sans-serif;
          font-size:1em;
        }
        h1 {
          font-size:1.3em;
          font-weight:bold;
          color:#196390;
        }
        b {
          font-weight:normal;
          color:#196390;
        }
      </style>
      </head>
      <body bgcolor="#e7e8e9">
      <div id="content">
      <h1>Search Blocked</h1>
      <p>
      <b>User:</b> <user/>
      </p>
      <p>Your search results have been blocked because your search settings are not in accordance with company policy. In order to continue, please update your search settings so that Safe Search is set to the strictest setting. If you are currently logged into your account, please also lock Safe Search and try your search again.</p>
      <p>
      For more information, please refer to: <a href="<ssurl/>"> <ssurl/> </a>
      </p>
      <p id="java_off"> Please enable JavaScript in your browser.<br></p>
      <p><b>Please contact your system administrator if you believe this message is in error.</b></p>
      </div>
      </body>
      <script>
        // Grab the URL that's in the browser.
        var s_u = location.href;

        //bing
        // Matches the forward slashes in the beginning, anything, then ".bing." then anything followed by a non greedy slash. Hopefully the first forward slash.
        var b_a = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
        if (b_a) {
          s_u = s_u + "&adlt=strict";
          window.location.replace(s_u);
          document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
        }

        //yahoo
        // Matches the forward slashes in the beginning, anything, then ".yahoo." then anything followed by a non greedy slash. Hopefully the first forward slash.
        var y_a = /^.*\/\/(.+\.yahoo\..+?)\//.exec(s_u);
        if (y_a) {
          s_u = s_u.replace(/&vm=p/ig,"");
          s_u = s_u + "&vm=r";
          window.location.replace(s_u);
          document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
        }

        document.getElementById("java_off").innerHTML = ' ';
      </script>
      </html>
  5. Import the edited URL Access Management safe search block page onto the firewall.
    1. Select Manage > Configuration > Security Services > URL Access Management > Response Pages.
    2. Click URL Access Management Safe Search Block Page. A dialog appears with a Choose File option.
    3. Select the safe search block page file you edited earlier and click Save.
    1. Save the custom URL category.
    2. Under URL Access Management Profiles, select the profile you configured earlier.
    3. Under Access Control, select the custom URL category you created earlier. It sits under Custom URL Categories section above Pre-Defined Categories. Then, set Site Access for the new category to allow.
    4. Save your changes.
  6. Because most search engines encrypt their search results, you must enable SSL Forward Proxy decryption so the firewall can inspect the search traffic and detect the safe search settings.
    Under the Services and URLs section of the Decryption policy rule, click Add URL Categories. Then, select the custom URL category you created earlier. New custom categories sit at the top of the list.
    Save the Decryption policy rule.
  7. Select Push Config to activate your changes.
  8. Verify the Safe Search Enforcement configuration.
    From a computer behind a firewall, open a browser and perform a search using Bing, Yahoo, or Yandex. Then, use one of the following methods to verify your configuration:
    • Examine the query string of the URL for safe search parameters. Safe Search Settings for Search Providers lists the safe search parameter appended to each search query URL.
    • Go to the safe search settings for a supported search engine and verify that the selected SafeSearch preference is the strictest level (Strict in most cases).
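
The query-string check from step 8, as an added example (not part of the original page and not Palo Alto Networks code): a helper that reports whether a Bing or Yahoo search URL carries the strict parameter the block page script appends (`adlt=strict`, `vm=r`). The function names and sample URLs are constructed for illustration; Yandex is left out because its parameter is not shown on this page.

```javascript
// Added example: constructed helper, not from the original page.
// Strict values are the ones the block page script appends.
const ENGINES = [
  { name: "bing", param: "adlt", strict: "strict" },
  { name: "yahoo", param: "vm", strict: "r" },
];

// Match the engine name as a whole DNS label (any label except the TLD),
// using the parsed hostname rather than a regex over the full URL.
function engineFor(hostname) {
  const labels = hostname.toLowerCase().split(".").slice(0, -1);
  return ENGINES.find((e) => labels.includes(e.name)) || null;
}

function checkSafeSearch(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { engine: null, status: "invalid-url", values: [] };
  }
  const engine = engineFor(url.hostname);
  if (!engine) return { engine: null, status: "unsupported", values: [] };

  // getAll() keeps repeated parameters, so a stale value sitting next to
  // the strict one is reported instead of silently ignored.
  const values = url.searchParams
    .getAll(engine.param)
    .map((v) => v.toLowerCase());
  let status;
  if (values.length === 0) status = "missing";
  else if (values.every((v) => v === engine.strict)) status = "strict";
  else if (values.includes(engine.strict)) status = "conflict";
  else status = "not-strict";
  return { engine: engine.name, status, values };
}

// Constructed sample URLs, as copied from a browser address bar.
const samples = [
  "https://www.bing.com/search?q=test&adlt=strict",
  "https://www.bing.com/search?q=test",
  "https://search.yahoo.com/search?vm=p&p=test&vm=r",
];
for (const s of samples) {
  const r = checkSafeSearch(s);
  console.log(`${r.engine}: ${r.status} [${r.values.join(", ")}]`);
}
```

A `conflict` or `missing` result on a URL captured after the redirect means the rewritten query should be compared against the search engine's own safe search settings page, the second verification method in step 8.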
