Transparently Enable Safe Search for Users
End-of-Life (EoL)
Enforce the strict filtering of Google, Yahoo, and Bing
search results without having your users manually configure the
search engines’ settings.
If you want to enforce filtering of search
query results with the strictest safe search filters, but you don’t
want your end users to have to manually configure the settings,
you can enable transparent safe search enforcement as follows. This
functionality is supported on Google, Yahoo, and Bing search engines
only and requires Content Release version 475 or later.
- Make sure the firewall is running Content Release version 475 or later.
  - Select Device > Dynamic Updates.
  - Check the Applications and Threats section to determine what update is currently running.
  - If the firewall is not running the required update or later, click Check Now to retrieve a list of available updates.
  - Locate the required update and click Download.
  - After the download completes, click Install.
- Enable Safe Search Enforcement in the URL Filtering profile.
  - Select Objects > Security Profiles > URL Filtering.
  - Select an existing profile to modify, or clone the default profile to create a new one.
  - On the Settings tab, select the Safe Search Enforcement check box to enable it.
  - (Optional) Allow access to specific search engines only:
    - On the Categories tab, set the search-engines category to block.
    - For each search engine that you want end users to be able to access, enter the web address in the Allow List text box. For example, to allow users access to Google and Bing searches only, you would enter the following:
      www.google.com
      www.bing.com
  - Configure other settings as necessary to:
  - Click OK to save the profile.
- Add the URL Filtering profile to the Security policy rule that allows traffic from clients in the trust zone to the Internet.
  - Select Policies > Security and select a rule to which to apply the URL Filtering profile that you just enabled for Safe Search Enforcement.
  - On the Actions tab, select the URL Filtering profile.
  - Click OK to save the Security policy rule.
- (Recommended) Block Bing search traffic running over SSL.
  Because the Bing SSL search engine does not adhere to the safe search settings, for full safe search enforcement, you must deny all Bing sessions that run over SSL.
  - Add a custom URL category for Bing:
    - Select Objects > Custom Objects > URL Category and Add a custom category.
    - Enter a Name for the category, such as EnableBingSafeSearch.
    - Add the following to the Sites list:
      www.bing.com/images/*
      www.bing.com/videos/*
    - Click OK to save the custom URL category object.
  - Create another URL Filtering profile to block the custom category you just created:
    - Select Objects > Security Profiles > URL Filtering.
    - Add a new profile and give it a descriptive Name.
    - Locate the custom category you just created in the Category list and set it to block.
    - Click OK to save the URL Filtering profile.
  - Add a Security policy rule to block Bing SSL traffic:
    - Select Policies > Security and Add a policy rule that allows traffic from your trust zone to the Internet.
    - On the Actions tab, attach the URL Filtering profile you just created to block the custom Bing category.
    - On the Service/URL Category tab, Add a New Service and give it a descriptive Name, such as bingssl.
    - Select TCP as the Protocol, set the Destination Port to 443.
    - Click OK to save the rule.
    - Use the Move options to ensure that this rule is below the rule that has the URL Filtering profile with safe search enforcement enabled.
- Edit the URL Filtering Safe Search Block Page, replacing the existing code with the JavaScript for rewriting search query URLs to enforce safe search transparently.
  - Select Device > Response Pages > URL Filtering Safe Search Block Page.
  - Select Predefined and then click Export to save the file locally.
  - Use an HTML editor and replace all of the existing block page text with the following text and then save the file.

    ```html
    <html>
    <head>
    <title>Search Blocked</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta http-equiv="pragma" content="no-cache">
    <meta name="viewport" content="initial-scale=1.0">
    <style>
      #content {
        border:3px solid #aaa;
        background-color:#fff;
        margin:1.5em;
        padding:1.5em;
        font-family:Tahoma,Helvetica,Arial,sans-serif;
        font-size:1em;
      }
      h1 {
        font-size:1.3em;
        font-weight:bold;
        color:#196390;
      }
      b {
        font-weight:normal;
        color:#196390;
      }
    </style>
    </head>
    <body bgcolor="#e7e8e9">
    <div id="content">
    <h1>Search Blocked</h1>
    <p>
    <b>User:</b> <user/>
    </p>
    <p>Your search results have been blocked because your search settings are not in accordance with company policy. In order to continue, please update your search settings so that Safe Search is set to the strictest setting. If you are currently logged into your account, please also lock Safe Search and try your search again.</p>
    <p>
    For more information, please refer to: <a href="<ssurl/>"> <ssurl/> </a>
    </p>
    <p id="java_off"> Please enable JavaScript in your browser.<br></p>
    <p><b>Please contact your system administrator if you believe this message is in error.</b></p>
    </div>
    </body>
    <script>
    // Grab the URL that's in the browser.
    var s_u = location.href;

    //bing
    // Matches the forward slashes in the beginning, anything, then ".bing." then anything followed by a non greedy slash. Hopefully the first forward slash.
    var b_a = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
    if (b_a) {
      s_u = s_u + "&adlt=strict";
      window.location.replace(s_u);
      document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
    }

    //google
    // Matches the forward slashes in the beginning, anything, then ".google." then anything followed by a non greedy slash. Hopefully the first forward slash.
    var g_a = /^.*\/\/(.+\.google\..+?)\//.exec(s_u);
    if (g_a) {
      s_u = s_u.replace(/&safe=off/ig,"");
      s_u = s_u + "&safe=active";
      window.location.replace(s_u);
      document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
    }

    //yahoo
    // Matches the forward slashes in the beginning, anything, then ".yahoo." then anything followed by a non greedy slash. Hopefully the first forward slash.
    var y_a = /^.*\/\/(.+\.yahoo\..+?)\//.exec(s_u);
    if (y_a) {
      s_u = s_u.replace(/&vm=p/ig,"");
      s_u = s_u + "&vm=r";
      window.location.replace(s_u);
      document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
    }

    document.getElementById("java_off").innerHTML = ' ';
    </script>
    </html>
    ```
- Import the edited URL Filtering Safe Search Block page onto the firewall.
  - To import the edited block page, select Device > Response Pages > URL Filtering Safe Search Block Page.
  - Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
  - (Optional) Select the virtual system on which this login page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
  - Click OK to import the file.
- Enable SSL Forward Proxy decryption.
  Because most search engines encrypt their search results, you must enable SSL Forward Proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
  - Add a custom URL category for the search sites:
    - Select Objects > Custom Objects > URL Category and Add a custom category.
    - Enter a Name for the category, such as SearchEngineDecryption.
    - Add the following to the Sites list:
      www.bing.*
      www.google.*
      search.yahoo.*
    - Click OK to save the custom URL category object.
  - Follow the steps to Configure SSL Forward Proxy.
  - On the Service/URL Category tab in the Decryption policy rule, Add the custom URL category you just created and then click OK.
- Save the configuration.
  Click Commit.
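
The block page script in the "Edit the URL Filtering Safe Search Block Page" step tests for the engine name anywhere in the URL and appends the safe search parameter by string concatenation, so a URL with no query string, a `#fragment`, or the engine name in its path is rewritten incorrectly. The following added example (not Palo Alto Networks code) performs the same rewrite with the browser URL API and covers those cases; `ENGINES` and `enforceSafeSearch` are hypothetical names, and the host patterns are an assumption modelled on the custom URL category entries used on this page.

```javascript
// Added example, not vendor code. ENGINES and enforceSafeSearch are hypothetical names.
// Parameter values (adlt=strict, safe=active, vm=r) are the ones the block page script sets.
// Host patterns are an assumption modelled on the custom URL category entries
// www.bing.*, www.google.* and search.yahoo.* used for decryption on this page.
const ENGINES = [
  { host: /^www\.bing\.[a-z.]+$/, param: "adlt", value: "strict" },
  { host: /^www\.google\.[a-z.]+$/, param: "safe", value: "active" },
  { host: /^search\.yahoo\.[a-z.]+$/, param: "vm", value: "r" },
];

// Returns the rewritten URL, or null when no redirect should happen.
function enforceSafeSearch(href) {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return null; // not an absolute URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;

  // Match on the parsed hostname only, so an engine name in the path or
  // query string cannot trigger a rewrite.
  const engine = ENGINES.find((e) => e.host.test(url.hostname));
  if (!engine) return null;

  const before = url.toString();
  // Drop every existing copy of the parameter, whatever its case or value.
  for (const key of [...url.searchParams.keys()]) {
    if (key.toLowerCase() === engine.param) url.searchParams.delete(key);
  }
  // set() adds "?" when there is no query string and leaves "#fragment" alone.
  url.searchParams.set(engine.param, engine.value);
  const after = url.toString();

  // Unchanged URL means the strict setting is already present: do not loop.
  return after === before ? null : after;
}

// In a block page this would be used as:
//   const target = enforceSafeSearch(location.href);
//   if (target) window.location.replace(target);
```
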