Follow these steps to enable transparent safe search enforcement on your
network.
| Where can I use this? | What do I need? |
| --- | --- |
| Prisma Access (Managed by Strata Cloud Manager) | |
| Prisma Access (Managed by Panorama) | |
| NGFW (Managed by Strata Cloud Manager) | |
| NGFW (Managed by PAN-OS or Panorama) | |

You can provide a secure and seamless search experience for Bing and Yahoo end users by transparently enabling strict safe search. Instead of blocking search results when end users search without having enabled strict safe search, the firewall automatically turns on strict safe search and returns only strictly filtered search results. Schools and libraries, for example, can benefit from automatic enforcement that ensures a consistent learning experience.

To activate transparent safe search enforcement, you’ll need to enable Safe Search Enforcement in a URL Filtering profile and replace text in the URL filtering safe search block page file with text provided in the following procedure. The replacement text contains JavaScript that appends search query URLs with strict safe search parameters for the search engine used to search.

The URL filtering safe search block page does not display in the browser.

After completing these steps, the firewall executes the JavaScript whenever an end user searches. For example, suppose a student’s Bing SafeSearch preference is set to Off when they research a concept likely to yield inappropriate results. Detecting the safe search preference, the firewall appends &adlt=strict to the search query URL. Then, the search engine displays appropriate results and the SafeSearch preference changes to Strict.
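
The rewrite performed by the block page script in the procedure, reproduced as a pure function next to a variant that parses the URL before changing it. This is an added example, not Palo Alto Networks code; the function names, the hostname patterns in the parsed variant, and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not vendor code. Function names and sample URLs are constructed.

// The block page's logic as a pure function: regex over the whole URL,
// then string concatenation onto the end of it.
function rewriteAsBlockPage(href) {
  let u = href;
  if (/^.*\/\/(.+\.bing\..+?)\//.test(u)) {
    u = u + "&adlt=strict";
  }
  if (/^.*\/\/(.+\.yahoo\..+?)\//.test(u)) {
    u = u.replace(/&vm=p/ig, "") + "&vm=r";
  }
  return u;
}

// Variant (assumption): choose the engine from the parsed hostname and set
// the parameter in the query component, replacing any existing value.
function rewriteParsed(href) {
  const url = new URL(href);
  if (/(^|\.)bing\./.test(url.hostname)) {
    url.searchParams.set("adlt", "strict");
  } else if (/(^|\.)yahoo\./.test(url.hostname)) {
    url.searchParams.set("vm", "r");
  } else {
    return null; // not an engine this page covers
  }
  return url.toString();
}

// What the search engine receives for a parameter: every value present in
// the query component (a fragment is never sent to the server).
function queryValues(href, name) {
  return new URL(href).searchParams.getAll(name);
}

// Constructed sample URLs: the plain case, a fragment, and existing values.
const samples = [
  "https://www.bing.com/search?q=volcano",
  "https://www.bing.com/search?q=volcano#top",
  "https://www.bing.com/search?q=volcano&adlt=off",
  "https://search.yahoo.com/search?p=volcano&vm=p",
];
for (const s of samples) {
  const name = s.includes("bing") ? "adlt" : "vm";
  console.log(s);
  console.log("  appended:", queryValues(rewriteAsBlockPage(s), name));
  console.log("  parsed:  ", queryValues(rewriteParsed(s), name));
}
```

When you verify the configuration, include search URLs that carry a fragment or an existing adlt or vm value, since those are the shapes where string appending and query-aware rewriting differ.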

Force Strict Safe Search (Strata Cloud Manager)

If you’re using Panorama to manage Prisma Access: Toggle over to the PAN-OS & Panorama tab and follow the guidance there. If you’re using Strata Cloud Manager, continue here.

Enable Safe Search Enforcement in a URL Access Management profile.
- Select .
- Under URL Access Management Profiles, select an existing profile or Add Profile to create a new one. Configuration options appear.
- Under Settings, select Safe Search Enforcement.
- Save the profile.

(Optional) Restrict the search engines that end users can access.
- Select .
- Under Access Control, Search ( ) for the search-engines category.
- Set Site Access for the search-engines category to block.
- Save the profile.

Apply the URL Access Management profile to Security policy rules that allow traffic from clients in the trust zone to the internet.

Edit the URL Access Management safe search block page, replacing the existing code with JavaScript for rewriting search query URLs.
- Select .
- Export HTML Template for URL Access Management Block Page.
- Use an HTML editor and replace all of the existing block page text with the following text. Then, save the file.

<html>
<head>
<title>Search Blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="pragma" content="no-cache">
<meta name="viewport" content="initial-scale=1.0">
<style>
#content {
border:3px solid#aaa;
background-color:#fff;
margin:1.5em;
padding:1.5em;
font-family:Tahoma,Helvetica,Arial,sans-serif;
font-size:1em;
}
h1 {
font-size:1.3em;
font-weight:bold;
color:#196390;
}
b {
font-weight:normal;
color:#196390;
}
</style>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Search Blocked</h1>
<p>
<b>User:</b>
<user/>
</p>
<p>Your search results have been blocked because your search settings are not in accordance with company policy. In order to continue, please update your search settings so that Safe Search is set to the strictest setting. If you are currently logged into your account, please also lock Safe Search and try your search again.</p>
<p>
For more information, please refer to:
<a href="<ssurl/>">
<ssurl/>
</a>
</p>
<p id="java_off"> Please enable JavaScript in your browser.<br></p>
<p><b>Please contact your system administrator if you believe this message is in error.</b></p>
</div>
</body>
<script>
// Grab the URL that's in the browser.
var s_u = location.href;
//bing
// Matches the forward slashes in the beginning, anything, then ".bing." then anything followed by a non greedy slash. Hopefully the first forward slash.
var b_a = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
if (b_a) {
s_u = s_u + "&adlt=strict";
window.location.replace(s_u);
document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
}
//yahoo
// Matches the forward slashes in the beginning, anything, then ".yahoo." then anything followed by a non greedy slash. Hopefully the first forward slash.
var y_a = /^.*\/\/(.+\.yahoo\..+?)\//.exec(s_u);
if (y_a) {
s_u = s_u.replace(/&vm=p/ig,"");
s_u = s_u + "&vm=r";
window.location.replace(s_u);
document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
}
document.getElementById("java_off").innerHTML = ' ';
</script>
</html>

Import the edited URL Access Management safe search block page onto the firewall.
- Select .
- Click URL Access Management Safe Search Block Page. A dialog appears with a Choose File option.
- Select the safe search block page file you edited earlier and click Save.

Create a custom URL category for the supported search engines.
In the next step, you’ll configure the firewall to decrypt traffic to this custom category.
- Select .
- Under Access Control, for Custom URL Categories, Add Category.
- Enter a Name for the category, such as SearchEngineDecryption.
- For Type of custom URL category, select URL List.
- Under Items, Add the following entries to the URL list:
  www.bing.*
  search.yahoo.*
  yandex.com.*
- Save the custom category.

Configure Site Access for the new custom URL category.
- Under URL Access Management Profiles, select the profile you configured earlier.
- Under Access Control, select the new custom URL category. It appears in the Custom URL Categories section above External Dynamic URL Lists and Pre-Defined Categories.
- Set Site Access to allow.
- Save your changes.

Configure SSL Forward Proxy decryption.
Because most search engines encrypt their search results, you must enable SSL Forward Proxy decryption so the firewall can inspect the search traffic and detect the safe search settings.
- Under the Services and URLs section of the Decryption policy rule, click Add URL Categories. Then, select the custom URL category you created earlier. New custom categories sit at the top of the list.
- Save the Decryption policy rule.

Select Push Config to activate your changes.

Verify the Safe Search Enforcement configuration.
From a computer behind a firewall, open a browser and perform a search using Bing, Yahoo, or Yandex. Then, use one of the following methods to verify your configuration:

Force Strict Safe Search (PAN-OS & Panorama)

Configure the strictest Bing and Yahoo SafeSearch settings for end users without requiring manual adjustment of the search engine settings.

Make sure the firewall is running Content Release version 475 or later.
- Select .
- Check the Applications and Threats section to determine what update is currently running.
- If the firewall is not running the required update or later, click Check Now to retrieve a list of available updates.
- Locate the required update and click Download.
- After the download completes, click Install.

Enable Safe Search Enforcement in a URL Filtering profile.
- Select .
- Select an existing profile to modify or clone the default profile to create a new profile.
- On the URL Filtering Settings tab, select Safe Search Enforcement.

(Optional) Restrict the search engines that end users can access in the same URL Filtering profile.
- On the Categories tab, Search ( ) for the search-engines category.
- Set Site Access for the search-engines category to block.
- Click OK to save the profile.

Apply the URL Filtering profile to Security policy rules that allow traffic from clients in the trust zone to the internet.
- Select . Then, click the rule to which you want to apply the URL Filtering profile.
- On the Actions tab, find Profile Setting. For Profile Type, select Profiles. A list of profiles appears.
- For the URL Filtering profile, select the profile you created earlier.
- Click OK to save the Security policy rule.

Edit the URL filtering safe search block page, replacing the existing code with JavaScript for rewriting search query URLs.
- Select .
- Select Predefined and then click Export to save the file locally.
- Use an HTML editor and replace all of the existing block page text with the following text. Then, save the file.

<html>
<head>
<title>Search Blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="pragma" content="no-cache">
<meta name="viewport" content="initial-scale=1.0">
<style>
#content {
border:3px solid#aaa;
background-color:#fff;
margin:1.5em;
padding:1.5em;
font-family:Tahoma,Helvetica,Arial,sans-serif;
font-size:1em;
}
h1 {
font-size:1.3em;
font-weight:bold;
color:#196390;
}
b {
font-weight:normal;
color:#196390;
}
</style>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Search Blocked</h1>
<p>
<b>User:</b>
<user/>
</p>
<p>Your search results have been blocked because your search settings are not in accordance with company policy. In order to continue, please update your search settings so that Safe Search is set to the strictest setting. If you are currently logged into your account, please also lock Safe Search and try your search again.</p>
<p>
For more information, please refer to:
<a href="<ssurl/>">
<ssurl/>
</a>
</p>
<p id="java_off"> Please enable JavaScript in your browser.<br></p>
<p><b>Please contact your system administrator if you believe this message is in error.</b></p>
</div>
</body>
<script>
// Grab the URL that's in the browser.
var s_u = location.href;
//bing
// Matches the forward slashes in the beginning, anything, then ".bing." then anything followed by a non greedy slash. Hopefully the first forward slash.
var b_a = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
if (b_a) {
s_u = s_u + "&adlt=strict";
window.location.replace(s_u);
document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
}
//yahoo
// Matches the forward slashes in the beginning, anything, then ".yahoo." then anything followed by a non greedy slash. Hopefully the first forward slash.
var y_a = /^.*\/\/(.+\.yahoo\..+?)\//.exec(s_u);
if (y_a) {
s_u = s_u.replace(/&vm=p/ig,"");
s_u = s_u + "&vm=r";
window.location.replace(s_u);
document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
}
document.getElementById("java_off").innerHTML = ' ';
</script>
</html>

Import the edited URL filtering safe search block page onto the firewall.
- Select .
- Click Import. Then, Browse for the block page file or enter the path and filename in the Import File field.
- (Optional) For Destination, select either the virtual system on which the login page will be used or shared to make it available to all virtual systems.
- Click OK to import the file.

Create a custom URL category for the supported search engines.
In the next step, you’ll configure the firewall to decrypt traffic to this custom category.
- Select and Add a custom category.
- Enter a Name for the category, such as SearchEngineDecryption.
- Add the following entries to the Sites list:
  www.bing.*
  search.yahoo.*
  yandex.com.*
- Click OK to save the custom URL category.

Configure SSL Forward Proxy decryption.
Because most search engines encrypt their search results, you must enable SSL Forward Proxy decryption so the firewall can inspect the search traffic and detect the safe search settings.
- On the Service/URL Category tab of the Decryption policy rule, Add the custom URL category you created earlier. Then, click OK.
- Commit your changes.

Verify the Safe Search Enforcement configuration.
From a computer behind a firewall, open a browser and perform a search using Bing or Yahoo. Then, use one of the following methods to verify your configuration works as intended: