Transparently Enable Safe Search for Users

Make sure the firewall is running Content Release version 475 or later.
Select
Device
Dynamic Updates
.
Check the
Applications and Threats
section to determine what update is currently running.
If the firewall is not running the required update or later, click
Check Now
to retrieve a list of available updates.
Locate the required update and click
Download
.
After the download completes, click
Install
.
Enable Safe Search Enforcement in the URL Filtering profile.
Select
Objects
Security Profiles
URL Filtering
.
Select an existing profile to modify, or clone the default profile to create a new one.
On the
Settings
tab, select the
Safe Search Enforcement
check box to enable it.
(
Optional
) Allow access to specific search engines only:
On the
Categories
tab, set the
search-engines
category to
block
.
For each search engine that you want end users to be able to access, enter the web address in the
Allow List
text box. For example, to allow users access to Google and Bing searches only, you would enter the following:
www.google.com
www.bing.com
Configure other settings as necessary to:
Define site access for each URL category.
Define block and allow lists to specify websites that should always be blocked or allowed, regardless of URL category.
Click
OK
to save the profile.
Add the URL Filtering profile to the Security policy rule that allows traffic from clients in the trust zone to the Internet.
Select
Policies
Security
and select a rule to which to apply the URL Filtering profile that you just enabled for Safe Search Enforcement.
On the
Actions
tab, select the
URL Filtering
profile.
Click
OK
to save the Security policy rule.
(
Recommended
) Block Bing search traffic running over SSL.
Because the Bing SSL search engine does not adhere to the safe search settings, for full safe search enforcement, you must deny all Bing sessions that run over SSL.
Add a custom URL category for Bing:
Select
Objects
Custom Objects
URL Category
and
Add
a custom category.
Enter a
Name
for the category, such as EnableBingSafeSearch.
Add
the following to the Sites list:
www.bing.com/images/*
www.bing.com/videos/*
Click
OK
to save the custom URL category object.
Create another URL Filtering profile to block the custom category you just created:
Select
Objects
Security Profiles
URL Filtering
.
Add
a new profile and give it a descriptive
Name
.
Locate the custom category you just created in the Category list and set it to
block
.
Click
OK
to save the URL Filtering profile.
Add
a Security policy rule to block Bing SSL traffic:
Select
Policies
Security
and
Add
a policy rule that allows traffic from your trust zone to the Internet.
On the
Actions
tab, attach the URL Filtering profile you just created to block the custom Bing category.
On the
Service/URL Category
tab
Add
a
New Service
and give it a descriptive
Name
, such as bingssl.
Select
TCP
as the
Protocol
, set the
Destination Port
to
443
.
Click
OK
to save the rule.
Use the
Move
options to ensure that this rule is below the rule that has the URL Filtering profile with safe search enforcement enabled.
Edit the URL Filtering Safe Search Block Page, replacing the existing code with the JavaScript for rewriting search query URLs to enforce safe search transparently.
Select

Device

Response Pages

URL Filtering Safe Search Block Page

.

Select

Predefined

and then click

Export

to save the file locally.

Use an HTML editor and replace all of the existing block page text with the following text and then save the file.

<html>
  <head>
    <title>Search Blocked</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta http-equiv="pragma" content="no-cache">
    <meta name="viewport" content="initial-scale=1.0">
    <style>
      #content {
      border:3px solid#aaa;
      background-color:#fff;
      margin:1.5em;
      padding:1.5em;
      font-family:Tahoma,Helvetica,Arial,sans-serif;
      font-size:1em;
      }
      h1 {
      font-size:1.3em;
      font-weight:bold;
      color:#196390;
      }
      b {
      font-weight:normal;
      color:#196390;
      }
    </style>
  </head>
  <body bgcolor="#e7e8e9">
    <div id="content">
      <h1>Search Blocked</h1>
      <p>
        <b>User:</b> 
        <user/>
      </p>
      <p>Your search results have been blocked because your search settings are not in accordance with company policy.  In order to continue, please update your search settings so that Safe Search is set to the strictest setting. If you are currently logged into your account, please also lock Safe Search and try your search again.</p>
      <p>
        For more information, please refer to: 
        <a href="<ssurl/>">
          <ssurl/>
        </a>
      </p>
      <p id="java_off"> Please enable JavaScript in your browser.<br></p>
      <p><b>Please contact your system administrator if you believe this message is in error.</b></p>
    </div>
  </body>
  <script>
    // Grab the URL that's in the browser.
    var s_u = location.href;
    //bing
    // Matches the forward slashes in the beginning, anything, then ".bing." then anything followed by a non greedy slash. Hopefully the first forward slash.
    var b_a = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
    if (b_a) {
       s_u = s_u + "&adlt=strict";
        window.location.replace(s_u);
        document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
    }
    //google 
    // Matches the forward slashes in the beginning, anything, then ".google." then anything followed by a non greedy slash. Hopefully the first forward slash.    
    var g_a = /^.*\/\/(.+\.google\..+?)\//.exec(s_u);    
    if (g_a) {
        s_u = s_u.replace(/&safe=off/ig,"");
        s_u = s_u + "&safe=active";
        window.location.replace(s_u);
        document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';    }    
    //yahoo   
    // Matches the forward slashes in the beginning, anything, then ".yahoo."" then anything followed by a non greedy slash. Hopefully the first forward slash.   
    var y_a = /^.*\/\/(.+\.yahoo\..+?)\//.exec(s_u);    
    if (y_a) {
        s_u = s_u.replace(/&vm=p/ig,"");
        s_u = s_u + "&vm=r";
        window.location.replace(s_u);
        document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
    }   
    document.getElementById("java_off").innerHTML = ' ';
  </script>
</html>
Import the edited URL Filtering Safe Search Block page onto the firewall.
To import the edited block page, select
Device
Response Pages
URL Filtering Safe Search Block Page
.
Click
Import
and then enter the path and filename in the
Import File
field or
Browse
to locate the file.
(
Optional
) Select the virtual system on which this login page will be used from the
Destination
drop-down or select
shared
to make it available to all virtual systems.
Click
OK
to import the file.
Enable SSL Forward Proxy decryption.
Because most search engines encrypt their search results, you must enable SSL Forward Proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
Add a custom URL category for the search sites:
Select
Objects
Custom Objects
URL Category
and
Add
a custom category.
Enter a
Name
for the category, such as SearchEngineDecryption.
Add
the following to the Sites list:
www.bing.*
www.google.*
search.yahoo.*
Click
OK
to save the custom URL category object.
Follow the steps to Configure SSL Forward Proxy.
On the
Service/URL Category
tab in the Decryption policy rule,
Add
the custom URL category you just created and then click
OK
.
Save the configuration.
Click
Commit
.