Block Search Results when Strict Safe Search is not Enabled

By default, when you enable safe search enforcement, when a user attempts to perform a search without using the strictest safe search settings, the firewall will block the search query results and display the URL Filtering Safe Search Block Page. This page provides a link to the search settings page for the corresponding search provider so that the end user can enable the safe search settings. If you plan to use this default method for enforcing safe search, you should communicate the policy to your end users prior to deploying the policy. See for details on how each search provider implements safe search. The default URL Filtering Safe Search Block Page provides a link to the search settings for the corresponding search provider. You can optionally Customize the URL Filtering Response Pages.
Alternatively, to enable safe search enforcement so that it is transparent to your end users, configure the firewall to Transparently Enable Safe Search for Users.
  1. Enable Safe Search Enforcement in the URL Filtering profile.
    1. Select
      Objects
      Security Profiles
      URL Filtering
      .
    2. Select an existing profile to modify, or clone the default profile to create a new profile.
    3. On the
      Settings
      tab, select the
      Safe Search Enforcement
      check box to enable it.
    4. (
      Optional
      ) Restrict users to specific search engines:
      1. On the
        Categories
        tab, set the
        search-engines
        category to
        block
        .
      2. For each search engine that you want end users to be able to access, enter the web address in the
        Allow List
        text box. For example, to allow users access to Google and Bing searches only, you would enter the following:
        www.google.com
        www.bing.com
    5. Click
      OK
      to save the profile.
  2. Add the URL Filtering profile to the security policy rule that allows traffic from clients in the trust zone to the Internet.
    1. Select
      Policies
      Security
      and select a rule to which to apply the URL filtering profile that you just enabled for Safe Search Enforcement.
    2. On the
      Actions
      tab, select the
      URL Filtering
      profile.
    3. Click
      OK
      to save the security policy rule.
  3. Enable SSL Forward Proxy decryption.
    Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
    1. Add a custom URL category for the search sites:
      1. Select
        Objects
        Custom Objects
        URL Category
        and
        Add
        a custom category.
      2. Enter a
        Name
        for the category, such as SearchEngineDecryption.
      3. Add
        the following to the Sites list:
        www.bing.*
        www.google.*
        search.yahoo.*
      4. Click
        OK
        to save the custom URL category object.
    2. Follow the steps to Configure SSL Forward Proxy.
    3. On the
      Service/URL Category
      tab in the Decryption policy rule,
      Add
      the custom URL category you just created and then click
      OK
      .
  4. (
    Recommended
    ) Block Bing search traffic running over SSL.
    Because the Bing SSL search engine does not adhere to the safe search settings, for full safe search enforcement, you must deny all Bing sessions that run over SSL.
    1. Add a custom URL category for Bing:
      1. Select
        Objects
        Custom Objects
        URL Category
        and
        Add
        a custom category.
      2. Enter a
        Name
        for the category, such as EnableBingSafeSearch.
      3. Add
        the following to the Sites list:
        www.bing.com/images/*
        www.bing.com/videos/*
      4. Click
        OK
        to save the custom URL category object.
    2. Create another URL filtering profile to block the custom category you just created:
      1. Select
        Objects
        Security Profiles
        URL Filtering
        .
      2. Add
        a new profile and give it a descriptive
        Name
        .
      3. Locate the custom category in the Category list and set it to
        block
        .
      4. Click
        OK
        to save the URL filtering profile.
    3. Add a security policy rule to block Bing SSL traffic:
      1. Select
        Policies
        Security
        and
        Add
        a policy rule that allows traffic from your trust zone to the Internet.
      2. On the
        Actions
        tab, attach the URL filtering profile you just created to block the custom Bing category.
      3. On the
        Service/URL Category
        tab
        Add
        a
        New Service
        and give it a descriptive
        Name
        , such as bingssl.
      4. Select
        TCP
        as the
        Protocol
        and set the
        Destination Port
        to
        443
        .
      5. Click
        OK
        to save the rule.
      6. Use the
        Move
        options to ensure that this rule is below the rule that has the URL filtering profile with safe search enforcement enabled.
  5. Save the configuration.
    Click
    Commit
    .
  6. Verify the Safe Search Enforcement configuration.
    This verification step only works if you are using block pages to enforce safe search. If you are using transparent safe search enforcement, the firewall block page will invoke a URL rewrite with the safe search parameters in the query string.
    1. From a computer that is behind the firewall, disable the strict search settings for one of the supported search providers. For example, on bing.com, click the
      Preferences
      icon on the Bing menu bar.
      safe-search-pref-icon.png
    2. Set the
      SafeSearch
      option to
      Moderate
      or
      Off
      and click
      Save
      .
    3. Perform a Bing search and verify that the URL Filtering Safe Search Block page displays instead of the search results:
      safe-search-block-page.png
    4. Use the link in the block page to go to the search settings for the search provider and set the safe search setting back to the strictest setting (
      Strict
      in the case of Bing) and then click
      Save
      .
    5. Perform a search again from Bing and verify that the filtered search results display instead of the block page.

Related Documentation