PAN-OS & Panorama

Enable Safe Search Enforcement in a URL Filtering profile.
Select
Objects
Security Profiles
URL Filtering
.
Select an existing profile to modify or clone the default profile to create a new profile.
On the
URL Filtering Settings
tab, select
Safe Search Enforcement
.
(
Optional
) Restrict the search engines that end users can access in the same URL Filtering profile.
On the
Categories
tab,
Search
( ) for the
search-engines
category.
Set Site Access for the
search-engines
category to
block
.
In a later step, you’ll create a custom URL category (URL List type) with the search engines you want to allow.
Click
OK
to save the profile.
Apply the URL Filtering profile to Security policy rules that allow traffic from clients in the trust zone to the internet.
Select
Policies
Security
. Then, click the rule to which you want to apply the URL Filtering profile.
On the
Actions
tab, find Profile Setting. For
Profile Type
, select
Profiles
. A list of profiles appears.
For
URL Filtering
profile, select the profile you created earlier.
Click
OK
to save the Security policy rule.
Create a custom URL category for the supported search engines.
In the following step, you’ll specify that you want to decrypt traffic to the sites in the custom category.
Select
Objects
Custom Objects
URL Category
and
Add
a custom category.
Enter a
Name
for the category, such as
SearchEngineDecryption
.
Add
the following entries to the
Sites
list:
www.bing.*
search.yahoo.*
yandex.com.*
Click
OK
to save the custom category.
Configure Site Access for the new custom URL category.
Go to
Objects
Security Profiles
URL Filtering
and select the URL Filtering profile you configured earlier.
On the
Category
tab, select the new custom URL category. It appears in the Custom URL Categories section above External Dynamic URL Lists and Pre-defined Categories.
Set
Site Access
to
allow
.
Click
OK
to save your changes.
Configure SSL Forward Proxy decryption.
Because most search engines encrypt their search results, you must enable SSL Forward Proxy decryption so the firewall can inspect the search traffic and detect the safe search settings.
On the
Service/URL Category
tab of the Decryption policy rule,
Add
the custom URL category you created earlier. Then, click
OK
.
Commit
your changes.
Verify the Safe Search Enforcement configuration.
This verification step only works if you use block pages to enforce safe search. There is an alternative verification step if you enable safe search transparently.
From a computer behind the firewall, disable the strict search settings for a supported search provider. For example, on bing.com, click the
Preferences
icon on the Bing menu bar.

Set the
SafeSearch
option to
Moderate
or
Off
, and click
Save
.
Perform a Bing search (or search using another provider) to see if the URL Filtering Safe Search Block page displays instead of search results:

Use the link on the block page to update the safe search setting to the strictest setting (
Strict
in the case of Bing), and then click
Save
.
Perform a search again from Bing and verify that the filtered search results display instead of the block page.