>
    Force Strict Safe Search
    Focus
    Download PDF
    Focus
    1. Home
    2. Advanced URL Filtering
    3. URL Filtering Features
    4. Safe Search Enforcement
    5. Force Strict Safe Search
    Download PDF

    Advanced URL Filtering

    Force Strict Safe Search

    Table of Contents
    End-of-Life (EoL)

    Force Strict Safe Search

    Follow these steps to enable transparent safe search enforcement on your network.
    Where can I use this?
    What do I need?
    • Prisma Access
    • PAN-OS
    • Advanced URL Filtering license (or a legacy URL filtering license)
    Notes:
    • Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
    • Prisma Access licenses usually include Advanced URL Filtering capabilities.
    You can provide a secure and seamless search experience for Bing and Yahoo end users by transparently enabling strict safe search. Instead of blocking search results when end users search without having enabled strict safe search, the firewall automatically turns on strict safe search and returns only strictly filtered search results. Schools and libraries, for example, can benefit from automatic enforcement that ensures a consistent learning experience.
    To activate transparent safe search enforcement, you’ll need to enable Safe Search Enforcement in a URL Filtering profile and replace text in the URL filtering safe search block page file with text provided in the following procedure. The replacement text contains JavaScript that appends search query URLs with strict safe search parameters for the search engine used to search.
    The URL filtering safe search block page does not display in the browser.
    After completing these steps, the firewall executes the JavaScript whenever an end user searches. For example, suppose a student’s Bing SafeSearch preference is set to
    Off
     when they research a concept likely to yield inappropriate results. Detecting the safe search preference, the firewall appends
    &adlt=strict
     to the search query URL. Then, the search engine displays appropriate results and the SafeSearch preference changes to
    Strict
    .

    Prisma Access

    If you’re using Panorama to manage Prisma Access:
    Toggle over to the
    PAN-OS
     tab and follow the guidance there.
    If you’re using Prisma Access Cloud Management, continue here.
    1. Enable Safe Search Enforcement in a URL Access Management profile.
      1. Select
        Manage
        Configuration
        Security Services
        URL Access Management
        .
      2. Under URL Access Management Profiles, select an existing profile or
        Add Profile
         to create a new one. Configuration options appear.
      3. Under
        Settings
        , select
        Safe Search Enforcement
        .
      4. Save
         the profile.
    2. (
      Optional
      ) Restrict the search engines that end users can access.
      1. Select
        Manage
        Configuration
        Security Services
        URL Access Management
        .
      2. Under
        Access Control
        ,
        Search
         ( ) for the
        search-engines
         category.
      3. Set Site Access for the
        search-engines
         category to
        block
        .
        In a later step, you’ll create a custom URL category (URL List type) with the search engines you want to allow.
      4. Save
         the profile.
    3. Apply the URL Access Management profile to Security policy rules that allow traffic from clients in the trust zone to the internet.
      To activate a URL Access Management profile (and any Security profile), add it to
      profile group
       and reference the profile group in a Security policy rule.
    4. Edit the URL Access Management safe search block page, replacing the existing code with JavaScript for rewriting search query URLs.
      1. Select
        Manage
        Configuration
        Security Services
        URL Access Management
        Response Pages
        .
      2. Export HTML Template
         for URL Access Management Block Page.
      3. Use an HTML editor and replace all of the existing block page text with the following text. Then, save the file.
        <html>
  <head>
    <title>Search Blocked</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta http-equiv="pragma" content="no-cache">
    <meta name="viewport" content="initial-scale=1.0">
    <style>
      #content {
      border:3px solid#aaa;
      background-color:#fff;
      margin:1.5em;
      padding:1.5em;
      font-family:Tahoma,Helvetica,Arial,sans-serif;
      font-size:1em;
      }
      h1 {
      font-size:1.3em;
      font-weight:bold;
      color:#196390;
      }
      b {
      font-weight:normal;
      color:#196390;
      }
    </style>
  </head>
  <body bgcolor="#e7e8e9">
    <div id="content">
      <h1>Search Blocked</h1>
      <p>
        <b>User:</b> 
        <user/>
      </p>
      <p>Your search results have been blocked because your search settings are not in accordance with company policy.  In order to continue, please update your search settings so that Safe Search is set to the strictest setting. If you are currently logged into your account, please also lock Safe Search and try your search again.</p>
      <p>
        For more information, please refer to: 
        <a href="<ssurl/>">
          <ssurl/>
        </a>
      </p>
      <p id="java_off"> Please enable JavaScript in your browser.<br></p>
      <p><b>Please contact your system administrator if you believe this message is in error.</b></p>
    </div>
  </body>
  <script>
    // Grab the URL that's in the browser.
    var s_u = location.href;
    //bing
    // Matches the forward slashes in the beginning, anything, then ".bing." then anything followed by a non greedy slash. Hopefully the first forward slash.
    var b_a = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
    if (b_a) {
       s_u = s_u + "&adlt=strict";
        window.location.replace(s_u);
        document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
    }
    //yahoo   
    // Matches the forward slashes in the beginning, anything, then ".yahoo."" then anything followed by a non greedy slash. Hopefully the first forward slash.   
    var y_a = /^.*\/\/(.+\.yahoo\..+?)\//.exec(s_u);    
    if (y_a) {
        s_u = s_u.replace(/&vm=p/ig,"");
        s_u = s_u + "&vm=r";
        window.location.replace(s_u);
        document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
    }   
    document.getElementById("java_off").innerHTML = ' ';
  </script>
</html>
    5. Import the edited URL Access Management safe search block page onto the firewall.
      1. Select
        Manage
        Configuration
        Security Services
        URL Access Management
        Response Pages
        .
      2. Click URL Access Management Safe Search Block Page. A dialog appears with a
        Choose File
         option.
      3. Select the safe search block page file you edited earlier and click
        Save
        .
    6. Create a custom URL category for the supported search engines.
      In the next step, you’ll configure the firewall to decrypt traffic to this custom category.
      1. Select
        Manage
        Configuration
        Security Services
        URL Access Management
        .
      2. Under
        Access Control
        , for Custom URL Categories,
        Add Category
        .
      3. Enter a
        Name
         for the category, such as
        SearchEngineDecryption
        .
      4. For
        Type
         of custom URL category, select
        URL List
        .
      5. Under
        Items
        ,
        Add
         the following entries to the URL list:
        • www.bing.*
        • search.yahoo.*
        • yandex.com.*
      6. Save
         the custom category.
      7. Configure Site Access for the new custom URL category.
        1. Under URL Access Management Profiles, select the profile you configured earlier.
        2. Under Access Control, select the new custom URL category. It appears in the Custom URL Categories section above External Dynamic URL Lists and Pre-Defined Categories.
        3. Set
          Site Access
           to
          allow
          .
        4. Save
           your changes.
    7. Because most search engines encrypt their search results, you must enable SSL Forward Proxy decryption so the firewall can inspect the search traffic and detect the safe search settings.
      Under the
      Services and URLs
       section of the Decryption policy rule, click
      Add URL Categories
      . Then, select the custom URL category you created earlier. New custom categories sit at the top of the list.
      Save
       the Decryption policy rule.
    8. Select
      Push Config
       to activate your changes.
    9. Verify the Safe Search Enforcement configuration.
      From a computer behind a firewall, open a browser and perform a search using Bing, Yahoo, or Yandex. Then, use one of the following methods to verify your configuration:
      • Examine the query string of the URL for safe search parameters. Safe Search Settings for Search Providers lists the safe search parameter appended to each search query URL.
      • Go to the safe search settings for a supported search engine and verify that the selected SafeSearch preference is the strictest level (
        Strict
         in most cases).

    PAN-OS

    Configure the strictest Bing and Yahoo SafeSearch settings for end users without requiring manual adjustment of the search engine settings.
    1. Make sure the firewall is running Content Release version 475 or later.
      1. Select
        Device
        Dynamic Updates
        .
      2. Check the
        Applications and Threats
         section to determine what update is currently running.
      3. If the firewall is not running the required update or later, click
        Check Now
         to retrieve a list of available updates.
      4. Locate the required update and click
        Download
        .
      5. After the download completes, click
        Install
        .
    2. Enable Safe Search Enforcement in a URL Filtering profile.
      1. Select
        Objects
        Security Profiles
        URL Filtering
        .
      2. Select an existing profile to modify or clone the default profile to create a new profile.
      3. On the
        URL Filtering Settings
         tab, select
        Safe Search Enforcement
        .
    3. (
      Optional
      ) Restrict the search engines that end users can access in the same URL Filtering profile.
      1. On the
        Categories
         tab,
        Search
         ( ) for the
        search-engines
         category.
      2. Set Site Access for the
        search-engines
         category to
        block
        .
        In a later step, you’ll create a custom URL category (URL List type) with the search engines you want to allow.
      3. Click
        OK
         to save the profile.
    4. Apply the URL Filtering profile to Security policy rules that allow traffic from clients in the trust zone to the internet.
      1. Select
        Policies
        Security
        . Then, click the rule to which you want to apply the URL Filtering profile.
      2. On the
        Actions
         tab, find Profile Setting. For
        Profile Type
        , select
        Profiles
        . A list of profiles appears.
      3. For the
        URL Filtering
         profile, select the profile you created earlier.
      4. Click
        OK
         to save the Security policy rule.
    5. Edit the URL filtering safe search block page, replacing the existing code with JavaScript for rewriting search query URLs.
      1. Select
        Device
        Response Pages
        URL Filtering Safe Search Block Page
        .
      2. Select
        Predefined
         and then click
        Export
         to save the file locally.
      3. Use an HTML editor and replace all of the existing block page text with the following text. Then, save the file.
        <html>
  <head>
    <title>Search Blocked</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta http-equiv="pragma" content="no-cache">
    <meta name="viewport" content="initial-scale=1.0">
    <style>
      #content {
      border:3px solid#aaa;
      background-color:#fff;
      margin:1.5em;
      padding:1.5em;
      font-family:Tahoma,Helvetica,Arial,sans-serif;
      font-size:1em;
      }
      h1 {
      font-size:1.3em;
      font-weight:bold;
      color:#196390;
      }
      b {
      font-weight:normal;
      color:#196390;
      }
    </style>
  </head>
  <body bgcolor="#e7e8e9">
    <div id="content">
      <h1>Search Blocked</h1>
      <p>
        <b>User:</b> 
        <user/>
      </p>
      <p>Your search results have been blocked because your search settings are not in accordance with company policy.  In order to continue, please update your search settings so that Safe Search is set to the strictest setting. If you are currently logged into your account, please also lock Safe Search and try your search again.</p>
      <p>
        For more information, please refer to: 
        <a href="<ssurl/>">
          <ssurl/>
        </a>
      </p>
      <p id="java_off"> Please enable JavaScript in your browser.<br></p>
      <p><b>Please contact your system administrator if you believe this message is in error.</b></p>
    </div>
  </body>
  <script>
    // Grab the URL that's in the browser.
    var s_u = location.href;
    //bing
    // Matches the forward slashes in the beginning, anything, then ".bing." then anything followed by a non greedy slash. Hopefully the first forward slash.
    var b_a = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
    if (b_a) {
       s_u = s_u + "&adlt=strict";
        window.location.replace(s_u);
        document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
    }
    //yahoo   
    // Matches the forward slashes in the beginning, anything, then ".yahoo."" then anything followed by a non greedy slash. Hopefully the first forward slash.   
    var y_a = /^.*\/\/(.+\.yahoo\..+?)\//.exec(s_u);    
    if (y_a) {
        s_u = s_u.replace(/&vm=p/ig,"");
        s_u = s_u + "&vm=r";
        window.location.replace(s_u);
        document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
    }   
    document.getElementById("java_off").innerHTML = ' ';
  </script>
</html>
    6. Import the edited URL filtering safe search block page onto the firewall.
      1. Select
        Device
        Response Pages
        URL Filtering Safe Search Block Page
        .
      2. Click
        Import
        . Then,
        Browse
         for the block page file or enter the path and filename in the
        Import File
         field.
      3. (
        Optional
        ) For
        Destination
        , select either the virtual system on which the login page will be used or
        shared
         to make it available to all virtual systems.
      4. Click
        OK
         to import the file.
    7. Create a custom URL category for the supported search engines.
      In the next step, you’ll configure the firewall to decrypt traffic to this custom category.
      1. Select
        Objects
        Custom Objects
        URL Category
         and
        Add
         a custom category.
      2. Enter a
        Name
         for the category, such as
        SearchEngineDecryption
        .
      3. Add
         the following entries to the
        Sites
         list:
        • www.bing.*
        • search.yahoo.*
        • yandex.com.*
      4. Click
        OK
         to save the custom URL category.
    8. Because most search engines encrypt their search results, you must enable SSL Forward Proxy decryption so the firewall can inspect the search traffic and detect the safe search settings.
      On the
      Service/URL Category
       tab of the Decryption policy rule,
      Add
       the custom URL category you created earlier. Then, click
      OK
      .
    9. Commit
       your changes.
    10. Verify the Safe Search Enforcement configuration.
      From a computer behind a firewall, open a browser and perform a search using Bing or Yahoo. Then, use one of the following methods to verify your configuration works as intended:
      • Examine the query string of the URL for safe search parameters. Safe Search Settings for Search Providers lists the safe search parameter appended to each search query URL.
      • Go to the Safe Search settings for the search engine and verify that the selected SafeSearch preference is the strictest level (
        Strict
         in the case of Bing).

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.