Advanced URL Filtering
Force Strict Safe Search
Follow these steps to enable transparent safe search enforcement on your
network.
You can provide a secure and seamless search
experience for Bing and Yahoo end users by transparently enabling
strict safe search. Instead of blocking search results when
end users search without having enabled strict safe search, the
firewall automatically turns on strict safe search and returns only
strictly filtered search results. Schools and libraries, for example,
can benefit from automatic enforcement that ensures a consistent
learning experience.
To activate transparent safe search enforcement,
you’ll need to enable Safe Search Enforcement in a URL Filtering
profile and replace the text in the URL filtering safe search block
page file with the text provided in the following procedure. The replacement
text contains JavaScript that appends the strict safe search parameter
for the search engine in use to each search query URL.
The URL filtering safe search block page does not display in the browser.
After completing these steps, the firewall executes the JavaScript whenever
an end user searches. For example, suppose a student’s Bing SafeSearch
preference is set to Off when they research a concept likely to yield
inappropriate results. Detecting the safe search preference, the firewall
appends &adlt=strict to the search query URL. Then, the search engine
displays appropriate results and the SafeSearch preference changes to Strict.

Prisma Access
If you’re using Panorama to manage Prisma Access: Toggle over to the
PAN-OS tab and follow the guidance there. If you’re using Prisma
Access Cloud Management, continue here.
- Enable Safe Search Enforcement in a URL Access Management profile.
  - Select Manage > Configuration > Security Services > URL Access Management.
  - Under URL Access Management Profiles, select an existing profile or Add Profile to create a new one. Configuration options appear.
  - Under Settings, select Safe Search Enforcement.
  - Save the profile.
- (Optional) Restrict the search engines that end users can access.
  - Select Manage > Configuration > Security Services > URL Access Management.
  - Under Access Control, Search for the search-engines category.
  - Set Site Access for the search-engines category to block. In a later step, you’ll create a custom URL category (URL List type) with the search engines you want to allow.
  - Save the profile.
- Apply the URL Access Management profile to Security policy rules that allow traffic from clients in the trust zone to the internet. To activate a URL Access Management profile (and any Security profile), add it to a profile group and reference the profile group in a Security policy rule.
- Edit the URL Access Management safe search block page, replacing the existing code with JavaScript for rewriting search query URLs.
  - Select Manage > Configuration > Security Services > URL Access Management > Response Pages.
  - Export HTML Template for URL Access Management Block Page.
  - Use an HTML editor and replace all of the existing block page text with the following text. Then, save the file.

    ```html
    <html>
    <head>
    <title>Search Blocked</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta http-equiv="pragma" content="no-cache">
    <meta name="viewport" content="initial-scale=1.0">
    <style>
      #content {
        border:3px solid #aaa;
        background-color:#fff;
        margin:1.5em;
        padding:1.5em;
        font-family:Tahoma,Helvetica,Arial,sans-serif;
        font-size:1em;
      }
      h1 {
        font-size:1.3em;
        font-weight:bold;
        color:#196390;
      }
      b {
        font-weight:normal;
        color:#196390;
      }
    </style>
    </head>
    <body bgcolor="#e7e8e9">
    <div id="content">
      <h1>Search Blocked</h1>
      <p>
        <b>User:</b>
        <user/>
      </p>
      <p>Your search results have been blocked because your search settings are not in accordance with company policy. In order to continue, please update your search settings so that Safe Search is set to the strictest setting. If you are currently logged into your account, please also lock Safe Search and try your search again.</p>
      <p>
        For more information, please refer to:
        <a href="<ssurl/>">
          <ssurl/>
        </a>
      </p>
      <p id="java_off"> Please enable JavaScript in your browser.<br></p>
      <p><b>Please contact your system administrator if you believe this message is in error.</b></p>
    </div>
    </body>
    <script>
      // Grab the URL that's in the browser.
      var s_u = location.href;
      //bing
      // Matches the forward slashes in the beginning, anything, then ".bing." then anything followed by a non greedy slash. Hopefully the first forward slash.
      var b_a = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
      if (b_a) {
        s_u = s_u + "&adlt=strict";
        window.location.replace(s_u);
        document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
      }
      //yahoo
      // Matches the forward slashes in the beginning, anything, then ".yahoo." then anything followed by a non greedy slash. Hopefully the first forward slash.
      var y_a = /^.*\/\/(.+\.yahoo\..+?)\//.exec(s_u);
      if (y_a) {
        s_u = s_u.replace(/&vm=p/ig,"");
        s_u = s_u + "&vm=r";
        window.location.replace(s_u);
        document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
      }
      document.getElementById("java_off").innerHTML = ' ';
    </script>
    </html>
    ```
- Import the edited URL Access Management safe search block page onto the firewall.
  - Select Manage > Configuration > Security Services > URL Access Management > Response Pages.
  - Click URL Access Management Safe Search Block Page. A dialog appears with a Choose File option.
  - Select the safe search block page file you edited earlier and click Save.
- Create a custom URL category for the supported search engines. In the next step, you’ll configure the firewall to decrypt traffic to this custom category.
  - Select Manage > Configuration > Security Services > URL Access Management.
  - Under Access Control, for Custom URL Categories, Add Category.
  - Enter a Name for the category, such as SearchEngineDecryption.
  - For Type of custom URL category, select URL List.
  - Under Items, Add the following entries to the URL list:
    - www.bing.*
    - search.yahoo.*
    - yandex.com.*
  - Save the custom category.
- Configure Site Access for the new custom URL category.
  - Under URL Access Management Profiles, select the profile you configured earlier.
  - Under Access Control, select the new custom URL category. It appears in the Custom URL Categories section above External Dynamic URL Lists and Pre-Defined Categories.
  - Set Site Access to allow.
  - Save your changes.
- Configure SSL Forward Proxy decryption. Because most search engines encrypt their search results, you must enable SSL Forward Proxy decryption so the firewall can inspect the search traffic and detect the safe search settings.
  - Under the Services and URLs section of the Decryption policy rule, click Add URL Categories. Then, select the custom URL category you created earlier. New custom categories sit at the top of the list.
  - Save the Decryption policy rule.
- Select Push Config to activate your changes.
- Verify the Safe Search Enforcement configuration. From a computer behind a firewall, open a browser and perform a search using Bing, Yahoo, or Yandex. Then, use one of the following methods to verify your configuration:
  - Examine the query string of the URL for safe search parameters. Safe Search Settings for Search Providers lists the safe search parameter appended to each search query URL.
  - Go to the safe search settings for a supported search engine and verify that the selected SafeSearch preference is the strictest level (Strict in most cases).

PAN-OS
Configure the strictest Bing and Yahoo SafeSearch settings
for end users without requiring manual adjustment of the search
engine settings.
- Make sure the firewall is running Content Release version 475 or later.
  - Select Device > Dynamic Updates.
  - Check the Applications and Threats section to determine what update is currently running.
  - If the firewall is not running the required update or later, click Check Now to retrieve a list of available updates.
  - Locate the required update and click Download.
  - After the download completes, click Install.
- Enable Safe Search Enforcement in a URL Filtering profile.
  - Select Objects > Security Profiles > URL Filtering.
  - Select an existing profile to modify or clone the default profile to create a new profile.
  - On the URL Filtering Settings tab, select Safe Search Enforcement.
- (Optional) Restrict the search engines that end users can access in the same URL Filtering profile.
  - On the Categories tab, Search for the search-engines category.
  - Set Site Access for the search-engines category to block. In a later step, you’ll create a custom URL category (URL List type) with the search engines you want to allow.
  - Click OK to save the profile.
- Apply the URL Filtering profile to Security policy rules that allow traffic from clients in the trust zone to the internet.
  - Select Policies > Security. Then, click the rule to which you want to apply the URL Filtering profile.
  - On the Actions tab, find Profile Setting. For Profile Type, select Profiles. A list of profiles appears.
  - For the URL Filtering profile, select the profile you created earlier.
  - Click OK to save the Security policy rule.
- Edit the URL filtering safe search block page, replacing the existing code with JavaScript for rewriting search query URLs.
  - Select Device > Response Pages > URL Filtering Safe Search Block Page.
  - Select Predefined and then click Export to save the file locally.
  - Use an HTML editor and replace all of the existing block page text with the following text. Then, save the file.

    ```html
    <html>
    <head>
    <title>Search Blocked</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta http-equiv="pragma" content="no-cache">
    <meta name="viewport" content="initial-scale=1.0">
    <style>
      #content {
        border:3px solid #aaa;
        background-color:#fff;
        margin:1.5em;
        padding:1.5em;
        font-family:Tahoma,Helvetica,Arial,sans-serif;
        font-size:1em;
      }
      h1 {
        font-size:1.3em;
        font-weight:bold;
        color:#196390;
      }
      b {
        font-weight:normal;
        color:#196390;
      }
    </style>
    </head>
    <body bgcolor="#e7e8e9">
    <div id="content">
      <h1>Search Blocked</h1>
      <p>
        <b>User:</b>
        <user/>
      </p>
      <p>Your search results have been blocked because your search settings are not in accordance with company policy. In order to continue, please update your search settings so that Safe Search is set to the strictest setting. If you are currently logged into your account, please also lock Safe Search and try your search again.</p>
      <p>
        For more information, please refer to:
        <a href="<ssurl/>">
          <ssurl/>
        </a>
      </p>
      <p id="java_off"> Please enable JavaScript in your browser.<br></p>
      <p><b>Please contact your system administrator if you believe this message is in error.</b></p>
    </div>
    </body>
    <script>
      // Grab the URL that's in the browser.
      var s_u = location.href;
      //bing
      // Matches the forward slashes in the beginning, anything, then ".bing." then anything followed by a non greedy slash. Hopefully the first forward slash.
      var b_a = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
      if (b_a) {
        s_u = s_u + "&adlt=strict";
        window.location.replace(s_u);
        document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
      }
      //yahoo
      // Matches the forward slashes in the beginning, anything, then ".yahoo." then anything followed by a non greedy slash. Hopefully the first forward slash.
      var y_a = /^.*\/\/(.+\.yahoo\..+?)\//.exec(s_u);
      if (y_a) {
        s_u = s_u.replace(/&vm=p/ig,"");
        s_u = s_u + "&vm=r";
        window.location.replace(s_u);
        document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
      }
      document.getElementById("java_off").innerHTML = ' ';
    </script>
    </html>
    ```
- Import the edited URL filtering safe search block page onto the firewall.
  - Select Device > Response Pages > URL Filtering Safe Search Block Page.
  - Click Import. Then, Browse for the block page file or enter the path and filename in the Import File field.
  - (Optional) For Destination, select either the virtual system on which the login page will be used or shared to make it available to all virtual systems.
  - Click OK to import the file.
- Create a custom URL category for the supported search engines. In the next step, you’ll configure the firewall to decrypt traffic to this custom category.
  - Select Objects > Custom Objects > URL Category and Add a custom category.
  - Enter a Name for the category, such as SearchEngineDecryption.
  - Add the following entries to the Sites list:
    - www.bing.*
    - search.yahoo.*
    - yandex.com.*
  - Click OK to save the custom URL category.
- Configure SSL Forward Proxy decryption. Because most search engines encrypt their search results, you must enable SSL Forward Proxy decryption so the firewall can inspect the search traffic and detect the safe search settings.
  - On the Service/URL Category tab of the Decryption policy rule, Add the custom URL category you created earlier. Then, click OK.
- Commit your changes.
- Verify the Safe Search Enforcement configuration. From a computer behind a firewall, open a browser and perform a search using Bing or Yahoo. Then, use one of the following methods to verify your configuration works as intended:
  - Examine the query string of the URL for safe search parameters. Safe Search Settings for Search Providers lists the safe search parameter appended to each search query URL.
  - Go to the Safe Search settings for the search engine and verify that the selected SafeSearch preference is the strictest level (Strict in the case of Bing).
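
The query-string check from the verification step, together with a parser-based version of the block page's URL rewrite, as an added example (not Palo Alto Networks code and not a replacement for the block page text above). The parameter values adlt=strict and vm=r come from the block page script; the function names and the host prefixes, which mirror the www.bing.* and search.yahoo.* URL list entries, are assumptions.

```javascript
// Added example, not vendor code. Parameter values come from the block page
// script; function names and host prefixes are assumptions for illustration.
const ENGINES = [
  { hostPrefix: "www.bing.", param: "adlt", strict: "strict" },
  { hostPrefix: "search.yahoo.", param: "vm", strict: "r" },
];

// Parse the URL and match the engine on the hostname only, so ".bing." or
// ".yahoo." appearing in a path or query string never counts as a match.
function inspect(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return null; // not an absolute URL
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  const engine = ENGINES.find((e) => url.hostname.startsWith(e.hostPrefix));
  if (!engine) return null;
  const values = url.searchParams.getAll(engine.param);
  const strict = values.length === 1 && values[0] === engine.strict;
  return { url, engine, strict };
}

// Verification step: true only when the query string carries the strict
// value exactly once (a duplicate such as adlt=strict&adlt=off fails).
function isStrict(rawUrl) {
  const info = inspect(rawUrl);
  return info !== null && info.strict;
}

// Rewrite: returns the URL to redirect to, or null when nothing should
// change (unsupported host, or already strict, which avoids a redirect loop).
function enforceStrict(rawUrl) {
  const info = inspect(rawUrl);
  if (info === null || info.strict) return null;
  // set() overwrites the first occurrence and drops any others; the result
  // stays inside the query string even with no "?" or a trailing "#fragment".
  info.url.searchParams.set(info.engine.param, info.engine.strict);
  return info.url.toString();
}

// Constructed sample URLs.
console.log(enforceStrict("https://www.bing.com/search?q=test#top"));
console.log(enforceStrict("https://search.yahoo.com/search?p=test&vm=p"));
console.log(isStrict("https://www.bing.com/search?q=test&adlt=strict"));
```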