Safe Search Enforcement
Many search engines have a safe search setting that filters out adult images and videos in search query return traffic. On the firewall, you can Enable Safe Search Enforcement so that the firewall will block search results if the end user is not using the strictest safe search settings in the search query. The firewall can enforce safe search for the following search providers: Google, Yahoo, Bing, Yandex, and YouTube. This is a best-effort setting and is not guaranteed by the search providers to work with every website.
To use this feature you must enable the Safe Search Enforcement option in a URL filtering profile and attach it to a security policy. The firewall will then block any matching search query return traffic that is not using the strictest safe search settings. There are two methods for blocking the search results:
Block Search Results that are not Using Strict Safe Search Settings —When an end user attempts to perform a search without first enabling the strictest safe search settings, the firewall blocks the search query results and displays the URL Filtering Safe Search Block Page. By default, this page will provide a URL to the search provider settings for configuring safe search. Enable Transparent Safe Search Enforcement —When an end user attempts to perform a search without first enabling the strict safe search settings, the firewall blocks the search results with an HTTP 503 status code and redirects the search query to a URL that includes the safe search parameters. You enable this functionality by importing a new URL Filtering Safe Search Block Page containing the Javascript for rewriting the search URL to include the strict safe search parameters. In this configuration, users will not see the block page, but will instead be automatically redirected to a search query that enforces the strictest safe search options. This safe search enforcement method requires Content Release version 475 or later and is only supported for Google, Yahoo, and Bing searches.
Also, because most search providers now use SSL to return search results, you must also configure a Decryption policy for the search traffic to enable the firewall to inspect the search traffic and enforce safe search.
Safe search enforcement enhancements and support for new search providers is periodically added in content releases. This information is detailed in the Application and Threat Content Release Notes. How sites are judged to be safe or unsafe is performed by each search provider, not by Palo Alto Networks.
Safe search settings differ by search provider as detailed in Table: Search Provider Safe Search Settings.
Table: Search Provider Safe Search Settings
Search Provider Safe Search Setting Description
Google/YouTube Offers safe search on individual computers or network-wide through Google’s safe search virtual IP address: Safe Search Enforcement for Google Searches on Individual Computers In the Google Search Settings, the Filter explicit results setting enables safe search functionality. When enabled, the setting is stored in a browser cookie as FF= and passed to the server each time the user performs a Google search. Appending safe=active to a Google search query URL also enables the strictest safe search settings. Safe Search Enforcement for Google and YouTube Searches using a Virtual IP Address Alternatively, Google provides servers that Lock SafeSearch (forcesafesearch.google.com) settings in every Google and YouTube search. By adding a DNS entry for www.google.com and www.youtube.com (and other relevant Google and YouTube country subdomains) that includes a CNAME record pointing to forcesafesearch.google.com to your DNS server configuration, you can ensure that all users on your network are using strict safe search settings every time they perform a Google or YouTube search. Keep in mind, however, that this solution is not compatible with Safe Search Enforcement on the firewall. Therefore, if you are using this option to force safe search on Google, the best practice is to block access to other search engines on the firewall by creating custom URL categories and adding them to the block list in the URL filtering profile. If you plan to use the Google Lock SafeSearch solution, consider configuring DNS Proxy ( Network > DNS Proxy) and setting the inheritance source as the Layer 3 interface on which the firewall receives DNS settings from service provider via DHCP. You would configure the DNS proxy with Static Entries for www.google.com and www.youtube.com, using the local IP address for the forcesafesearch.google.com server.
Yahoo Offers safe search on individual computers only. The Yahoo Search Preferences include three SafeSearch settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as vm= and passed to the server each time the user performs a Yahoo search. Appending vm=r to a Yahoo search query URL also enables the strictest safe search settings. When performing a search on Yahoo Japan (yahoo.co.jp) while logged into a Yahoo account, end users must also enable the SafeSearch Lock option.
Bing Offers safe search on individual computers or through their Bing in the Classroom program. The Bing Settings include three SafeSearch settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as adlt= and passed to the server each time the user performs a Bing search. Appending adlt=strict to a Bing search query URL also enables the strictest safe search settings. The Bing SSL search engine does not enforce the safe search URL parameters and you should therefore should consider blocking Bing over SSL for full safe search enforcement.

Related Documentation