Safe Search Enforcement

Many search engines have a safe search setting that filters out adult images and videos in search query return traffic. On the firewall, you can Enable Safe Search Enforcement so that the firewall will block search results if the end user is not using the strictest safe search settings in the search query. The firewall can enforce safe search for the following search providers: Google, Yahoo, Bing, Yandex, and YouTube. This is a best-effort setting and is not guaranteed by the search providers to work with every website.
To use this feature you must enable the
Safe Search Enforcement
option in a URL filtering profile and attach it to a security policy rule.The firewall will then block any matching search query return traffic that is not using the strictest safe search settings. There are two methods for blocking the search results:
  • Block Search Results that are not Using Strict Safe Search Settings—When an end user attempts to perform a search without first enabling the strictest safe search settings, the firewall blocks the search query results and displays the URL Filtering Safe Search Block Page. By default, this page will provide a URL to the search provider settings for configuring safe search.
  • Enable Transparent Safe Search Enforcement—When an end user attempts to perform a search without first enabling the strict safe search settings, the firewall blocks the search results with an HTTP 503 status code and redirects the search query to a URL that includes the safe search parameters. You enable this functionality by importing a new URL Filtering Safe Search Block Page containing the JavaScript for rewriting the search URL to include the strict safe search parameters. In this configuration, users will not see the block page, but will instead be automatically redirected to a search query that enforces the strictest safe search options. This safe search enforcement method requires content release version 475 or later and is only supported for Google, Yahoo, and Bing searches.
Also, because most search providers now use SSL to return search results, you must also configure a Decryption policy rule for the search traffic to enable the firewall to inspect the search traffic and enforce safe search.
Safe search enforcement enhancements and support for new search providers is periodically added in content releases. This information is detailed in the Application and Threat Content Release Notes. How sites are judged to be safe or unsafe is performed by each search provider, not by Palo Alto Networks.
Safe search settings differ by search provider as detailed in Table 1.
Search Provider Safe Search Settings
Search Provider
Safe Search Setting Description
Google/YouTube
Offers safe search on individual computers or network-wide through Google’s safe search virtual IP address:
Safe Search Enforcement for Google Searches on Individual Computers
In the Google Search Settings, the
Filter explicit results
setting enables safe search functionality. When enabled, the setting is stored in a browser cookie as
FF=
and passed to the server each time the user performs a Google search.
Appending
safe=active
to a Google search query URL also enables the strictest safe search settings.
Safe Search Enforcement for Google and YouTube Searches using a Virtual IP Address
Google provides servers thatLock SafeSearch (forcesafesearch.google.com) settings in every Google and YouTube search. By adding a DNS entry for
www.google.com
and
www.youtube.com
(and other relevant Google and YouTube country subdomains) that includes a CNAME record pointing to
forcesafesearch.google.com
to your DNS server configuration, you can ensure that all users on your network are using strict safe search settings every time they perform a Google or YouTube search. Keep in mind, however, that this solution is not compatible with Safe Search Enforcement on the firewall. Therefore, if you are using this option to force safe search on Google, the best practice is to block access to other search engines on the firewall by creating custom URL categories and adding them to the block list in the URL filtering profile.
If you plan to use the Google Lock SafeSearch solution, consider configuring DNS Proxy (
Network
DNS Proxy
) and setting the inheritance source as the Layer 3 interface on which the firewall receives DNS settings from service provider via DHCP. You would configure the DNS proxy with
Static Entries
for www.google.com and www.youtube.com, using the local IP address for the forcesafesearch.google.com server.
Yahoo
Offers safe search on individual computers only. The Yahoo Search Preferences includes three SafeSearch settings:
Strict
,
Moderate
, or
Off
. When enabled, the setting is stored in a browser cookie as
vm=
and passed to the server each time the user performs a Yahoo search.
Appending
vm=r
to a Yahoo search query URL also enables the strictest safe search settings.
When performing a search on Yahoo Japan (yahoo.co.jp) while logged into a Yahoo account, end users must also enable the
SafeSearch
Lock
option.
Bing
Offers safe search on individual computers or through their Bing in the Classroom program. The Bing Settings include three SafeSearch settings:
Strict
,
Moderate
, or
Off
. When enabled, the setting is stored in a browser cookie as
adlt=
and passed to the server each time the user performs a Bing search.
Appending
adlt=strict
to a Bing search query URL also enables the strictest safe search settings.
The Bing SSL search engine does not enforce the safe search URL parameters and you should therefore consider blocking Bing over SSL for full safe search enforcement.
Table: Search Provider Safe Search Settings

Recommended For You