Transparently Enable Safe Search for Users

If you want to enforce filtering of search query results with the strictest safe search filters, but you don’t want your end users to have to manually configure the settings, you can enable transparent safe search enforcement as follows. This functionality is supported on Google, Yahoo, and Bing search engines only and requires Content Release version 475 or later.
  1. Make sure the firewall is running Content Release version 475 or later.
    1. Select Device > Dynamic Updates.
    2. Check the Applications and Threats section to determine what update is currently running.
    3. If the firewall is not running the required update or later, click Check Now to retrieve a list of available updates.
    4. Locate the required update and click Download.
    5. After the download completes, click Install.
  2. Enable Safe Search Enforcement in the URL Filtering profile.
    1. Select Objects > Security Profiles > URL Filtering.
    2. Select an existing profile to modify, or clone the default profile to create a new one.
    3. On the Settings tab, select the Safe Search Enforcement check box to enable it.
    4. (Optional) Allow access to specific search engines only:
      1. On the Categories tab, set the search-engines category to block.
      2. For each search engine that you want end users to be able to access, enter the web address in the Allow List text box. For example, to allow users access to Google and Bing searches only, you would enter the following:
        www.google.com
        www.bing.com
    5. Click OK to save the profile.
  3. Add the URL Filtering profile to the security policy rule that allows traffic from clients in the trust zone to the Internet.
    1. Select Policies > Security and select a rule to which to apply the URL filtering profile that you just enabled for Safe Search Enforcement.
    2. On the Actions tab, select the URL Filtering profile.
    3. Click OK to save the security policy rule.
  4. (Recommended) Block Bing search traffic running over SSL.
    Because the Bing SSL search engine does not adhere to the safe search settings, for full safe search enforcement, you must deny all Bing sessions that run over SSL.
    1. Add a custom URL category for Bing:
      1. Select Objects > Custom Objects > URL Category and Add a custom category.
      2. Enter a Name for the category, such as EnableBingSafeSearch.
      3. Add the following to the Sites list:
        www.bing.com/images/*
        www.bing.com/videos/*
      4. Click OK to save the custom URL category object.
    2. Create another URL filtering profile to block the custom category you just created:
      1. Select Objects > Security Profiles > URL Filtering.
      2. Add a new profile and give it a descriptive Name.
      3. Locate the custom category you just created in the Category list and set it to block.
      4. Click OK to save the URL filtering profile.
    3. Add a security policy rule to block Bing SSL traffic:
      1. Select Policies > Security and Add a policy rule that allows traffic from your trust zone to the Internet.
      2. On the Actions tab, attach the URL filtering profile you just created to block the custom Bing category.
      3. On the Service/URL Category tab, Add a New Service and give it a descriptive Name, such as bingssl.
      4. Select TCP as the Protocol, set the Destination Port to 443.
      5. Click OK to save the rule.
      6. Use the Move options to ensure that this rule is below the rule that has the URL filtering profile with safe search enforcement enabled.
  5. Edit the URL Filtering Safe Search Block Page, replacing the existing code with the JavaScript for rewriting search query URLs to enforce safe search transparently.
    1. Select Device > Response Pages > URL Filtering Safe Search Block Page.
    2. Select Predefined and then click Export to save the file locally.
    3. Use an HTML editor and replace all of the existing block page text with the following text and then save the file.
      ```html
      <html>
      <head>
      <title>Search Blocked</title>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <meta http-equiv="pragma" content="no-cache">
      <meta name="viewport" content="initial-scale=1.0">
      <style>
        #content {
          border:3px solid #aaa;
          background-color:#fff;
          margin:1.5em;
          padding:1.5em;
          font-family:Tahoma,Helvetica,Arial,sans-serif;
          font-size:1em;
        }
        h1 {
          font-size:1.3em;
          font-weight:bold;
          color:#196390;
        }
        b {
          font-weight:normal;
          color:#196390;
        }
      </style>
      </head>
      <body bgcolor="#e7e8e9">
      <div id="content">
      <h1>Search Blocked</h1>
      <p>
      <b>User:</b> <user/>
      </p>
      <p>Your search results have been blocked because your search settings are not in accordance with company policy. In order to continue, please update your search settings so that Safe Search is set to the strictest setting. If you are currently logged into your account, please also lock Safe Search and try your search again.</p>
      <p>
      For more information, please refer to: <a href="<ssurl/>"> <ssurl/> </a>
      </p>
      <p id="java_off"> Please enable JavaScript in your browser.<br></p>
      <p><b>Please contact your system administrator if you believe this message is in error.</b></p>
      </div>
      </body>
      <script>
      // Grab the URL that's in the browser.
      var s_u = location.href;

      //bing
      // Matches the forward slashes in the beginning, anything, then ".bing." then anything followed by a non greedy slash. Hopefully the first forward slash.
      var b_a = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
      if (b_a) {
        s_u = s_u + "&adlt=strict";
        window.location.replace(s_u);
        document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
      }

      //google
      // Matches the forward slashes in the beginning, anything, then ".google." then anything followed by a non greedy slash. Hopefully the first forward slash.
      var g_a = /^.*\/\/(.+\.google\..+?)\//.exec(s_u);
      if (g_a) {
        s_u = s_u.replace(/&safe=off/ig,"");
        s_u = s_u + "&safe=active";
        window.location.replace(s_u);
        document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
      }

      //yahoo
      // Matches the forward slashes in the beginning, anything, then ".yahoo." then anything followed by a non greedy slash. Hopefully the first forward slash.
      var y_a = /^.*\/\/(.+\.yahoo\..+?)\//.exec(s_u);
      if (y_a) {
        s_u = s_u.replace(/&vm=p/ig,"");
        s_u = s_u + "&vm=r";
        window.location.replace(s_u);
        document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
      }

      document.getElementById("java_off").innerHTML = ' ';
      </script>
      </html>
      ```
  6. Import the edited URL Filtering Safe Search Block page onto the firewall.
    1. To import the edited block page, select Device > Response Pages > URL Filtering Safe Search Block Page.
    2. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
    3. (Optional) Select the virtual system on which this login page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
    4. Click OK to import the file.
  7. Enable SSL Forward Proxy decryption.
    Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
    1. Add a custom URL category for the search sites:
      1. Select Objects > Custom Objects > URL Category and Add a custom category.
      2. Enter a Name for the category, such as SearchEngineDecryption.
      3. Add the following to the Sites list:
        www.bing.*
        www.google.*
        search.yahoo.*
      4. Click OK to save the custom URL category object.
    2. Follow the steps to Configure SSL Forward Proxy.
    3. On the Service/URL Category tab in the Decryption policy rule, Add the custom URL category you just created and then click OK.
  8. Save the configuration.
    Click Commit.
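
A stricter form of the rewrite logic in the step 5 block page script, as an added example that is not part of the original documentation: it parses the URL with the standard URL API, matches the engine on whole hostname labels instead of a substring regex, and sets the same parameters the script uses (adlt=strict, safe=active, vm=r) even when the URL has no query string or repeats the parameter. The function names and the country-code suffix rule are assumptions of this example.

```javascript
// Added example, not vendor code. Parameter values are the ones used by the
// block page script in step 5; everything else here is an assumption.
const ENGINES = new Map([
  ["bing",   ["adlt", "strict"]],
  ["google", ["safe", "active"]],
  ["yahoo",  ["vm", "r"]],
]);

// Return "bing", "google" or "yahoo" when the hostname's registrable label is
// one of the supported engines, otherwise null. Assumption: the engine label
// sits directly before the TLD (google.com, google.de) or before a
// country-code pair such as co.uk or com.au.
function engineFor(hostname) {
  const labels = hostname.toLowerCase().split(".");
  const tld = labels.pop();
  let next = labels.pop();
  if (tld.length === 2 && (next === "co" || next === "com")) next = labels.pop();
  return ENGINES.has(next) ? next : null;
}

// Return the URL to redirect to, or null when no redirect applies
// (unsupported host, unparsable URL, or safe search already strict).
function enforceSafeSearch(href) {
  let url;
  try { url = new URL(href); } catch { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;

  const engine = engineFor(url.hostname);
  if (!engine) return null;

  const [param, strict] = ENGINES.get(engine);
  // A single, already-strict value needs no rewrite; returning null here
  // keeps the block page from redirecting in a loop.
  const values = url.searchParams.getAll(param);
  if (values.length === 1 && values[0] === strict) return null;

  // set() replaces the first occurrence and drops any duplicates, so a
  // second "safe=off" later in the query cannot override the strict value.
  url.searchParams.set(param, strict);
  return url.href;
}

// In the block page this would be driven by the browser location:
//   const target = enforceSafeSearch(location.href);
//   if (target) window.location.replace(target);
```

A URL on another host that merely contains ".google." in its query string matches the step 5 regex but returns null here, because only the parsed hostname is compared.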