Transparently Enable Safe Search for Users

1. Make sure the firewall is running Content Release version 475 or later.
   1. Select DeviceDynamic Updates.
   2. Check the Applications and Threats section to determine what update is currently running.
   3. If the firewall is not running the required update or later, click Check Now to retrieve a list of available updates.
   4. Locate the required update and click Download.
   5. After the download completes, click Install.
2. Enable Safe Search Enforcement in the URL Filtering profile.
   1. Select ObjectsSecurity ProfilesURL Filtering.
   2. Select an existing profile to modify, or clone the default profile to create a new one.
   3. On the Settings tab, select the Safe Search Enforcement check box to enable it.
   4. (Optional) Allow access to specific search engines only:
      1. On the Categories tab, set the search-engines category to block.
      2. For each search engine that you want end users to be able to access, enter the web address in the Allow List text box. For example, to allow users access to Google and Bing searches only, you would enter the following:
         www.google.com
         www.bing.com
   5. Configure other settings as necessary to:
      • Define site access for each URL category.
      • Define block and allow lists to specify websites that should always be blocked or allowed, regardless of URL category.
   6. Click OK to save the profile.
3. Add the URL Filtering profile to the Security policy rule that allows traffic from clients in the trust zone to the Internet.
   1. Select PoliciesSecurity and select a rule to which to apply the URL Filtering profile that you just enabled for Safe Search Enforcement.
   2. On the Actions tab, select the URL Filtering profile.
   3. Click OK to save the Security policy rule.
4. (Recommended) Block Bing search traffic running over SSL.
   Because the Bing SSL search engine does not adhere to the safe search settings, for full safe search enforcement, you must deny all Bing sessions that run over SSL.
   1. Add a custom URL category for Bing:
      1. Select ObjectsCustom ObjectsURL Category and Add a custom category.
      2. Enter a Name for the category, such as EnableBingSafeSearch.
      3. Add the following to the Sites list:
         www.bing.com/images/*
         www.bing.com/videos/*
      4. Click OK to save the custom URL category object.
   2. Create another URL Filtering profile to block the custom category you just created:
      1. Select ObjectsSecurity ProfilesURL Filtering.
      2. Add a new profile and give it a descriptive Name.
      3. Locate the custom category you just created in the Category list and set it to block.
      4. Click OK to save the URL Filtering profile.
   3. Add a Security policy rule to block Bing SSL traffic:
      1. Select PoliciesSecurity and Add a policy rule that allows traffic from your trust zone to the Internet.
      2. On the Actions tab, attach the URL Filtering profile you just created to block the custom Bing category.
      3. On the Service/URL Category tab Add a New Service and give it a descriptive Name, such as bingssl.
      4. Select TCP as the Protocol, set the Destination Port to 443.
      5. Click OK to save the rule.
      6. Use the Move options to ensure that this rule is below the rule that has the URL Filtering profile with safe search enforcement enabled.
5. Edit the URL Filtering Safe Search Block Page, replacing the existing code with the JavaScript for rewriting search query URLs to enforce safe search transparently.
   1. Select DeviceResponse PagesURL Filtering Safe Search Block Page.
   2. Select Predefined and then click Export to save the file locally.
   3. Use an HTML editor and replace all of the existing block page text with the following text and then save the file.

      <html>
        <head>
          <title>Search Blocked</title>
          <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
          <meta http-equiv="pragma" content="no-cache">
          <meta name="viewport" content="initial-scale=1.0">
          <style>
            #content {
            border:3px solid#aaa;
            background-color:#fff;
            margin:1.5em;
            padding:1.5em;
            font-family:Tahoma,Helvetica,Arial,sans-serif;
            font-size:1em;
            }
            h1 {
            font-size:1.3em;
            font-weight:bold;
            color:#196390;
            }
            b {
            font-weight:normal;
            color:#196390;
            }
          </style>
        </head>
        <body bgcolor="#e7e8e9">
          <div id="content">
            <h1>Search Blocked</h1>
            <p>
              <b>User:</b> 
              <user/>
            </p>
            <p>Your search results have been blocked because your search settings are not in accordance with company policy.  In order to continue, please update your search settings so that Safe Search is set to the strictest setting. If you are currently logged into your account, please also lock Safe Search and try your search again.</p>
            <p>
              For more information, please refer to: 
              <a href="<ssurl/>">
                <ssurl/>
              </a>
            </p>
            <p id="java_off"> Please enable JavaScript in your browser.<br></p>
            <p><b>Please contact your system administrator if you believe this message is in error.</b></p>
          </div>
        </body>
        <script>
          // Grab the URL that's in the browser.
          var s_u = location.href;
          //bing
          // Matches the forward slashes in the beginning, anything, then ".bing." then anything followed by a non greedy slash. Hopefully the first forward slash.
          var b_a = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
          if (b_a) {
             s_u = s_u + "&adlt=strict";
              window.location.replace(s_u);
              document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
          }
          //google 
          // Matches the forward slashes in the beginning, anything, then ".google." then anything followed by a non greedy slash. Hopefully the first forward slash.    
          var g_a = /^.*\/\/(.+\.google\..+?)\//.exec(s_u);    
          if (g_a) {
              s_u = s_u.replace(/&safe=off/ig,"");
              s_u = s_u + "&safe=active";
              window.location.replace(s_u);
              document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';    }    
          //yahoo   
          // Matches the forward slashes in the beginning, anything, then ".yahoo."" then anything followed by a non greedy slash. Hopefully the first forward slash.   
          var y_a = /^.*\/\/(.+\.yahoo\..+?)\//.exec(s_u);    
          if (y_a) {
              s_u = s_u.replace(/&vm=p/ig,"");
              s_u = s_u + "&vm=r";
              window.location.replace(s_u);
              document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
          }   
          document.getElementById("java_off").innerHTML = ' ';
        </script>
      </html>

6. Import the edited URL Filtering Safe Search Block page onto the firewall.
   1. To import the edited block page, select DeviceResponse PagesURL Filtering Safe Search Block Page.
   2. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
   3. (Optional) Select the virtual system on which this login page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
   4. Click OK to import the file.
7. Enable SSL Forward Proxy decryption.
   Because most search engines encrypt their search results, you must enable SSL Forward Proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
   1. Add a custom URL category for the search sites:
      1. Select ObjectsCustom ObjectsURL Category and Add a custom category.
      2. Enter a Name for the category, such as SearchEngineDecryption.
      3. Add the following to the Sites list:
         www.bing.*
         www.google.*
         search.yahoo.*
      4. Click OK to save the custom URL category object.
   2. Follow the steps to Configure SSL Forward Proxy.
   3. On the Service/URL Category tab in the Decryption policy rule, Add the custom URL category you just created and then click OK.
8. Save the configuration.
   Click Commit.