https://live.paloaltonetworks.com/t5/general-topics/redirects-for-youtube-with-safe-search-enforcement/m-p/69216#M40206 <P>I have been working to enable Safe Search Enforcement for all of our users, but was having issues due YouTube being blocked. Since I couldn't find a solution anywhere else, I created a bit of code to update the user's cookies to put YouTube into Restricted Mode and send them along their way - basically with the following code:</P> <PRE><CODE> var expiration = new Date(); expiration.setTime(expiration.getTime()+(12*60*60*1000)); document.cookie = "PREF=f2=8000000&amp;f5=30&amp;f4=4000000; expires=" + expiration.toGMTString() + "; path=/;";</CODE></PRE> <P>&nbsp;</P> <P>It's a bit hacked together (I'm sure there's some edge cases I'll have missed), but I figure it might come in handy for someone. A full writeup is at <A href="http://www.eugenemdavis.net/forcing-youtube-restricted-mode-javascript.html" target="_blank">http://www.eugenemdavis.net/forcing-youtube-restricted-mode-javascript.html</A></P> <P>&nbsp;</P> <P>Let me know if there is a better solution floating around out there.</P> <P>&nbsp;</P> Tue, 08 Dec 2015 21:03:22 GMT edavis33 2015-12-08T21:03:22Z https://live.paloaltonetworks.com/t5/general-topics/redirects-for-youtube-with-safe-search-enforcement/m-p/69216#M40206 <P>I have been working to enable Safe Search Enforcement for all of our users, but was having issues due YouTube being blocked. Since I couldn't find a solution anywhere else, I created a bit of code to update the user's cookies to put YouTube into Restricted Mode and send them along their way - basically with the following code:</P> <PRE><CODE> var expiration = new Date(); expiration.setTime(expiration.getTime()+(12*60*60*1000)); document.cookie = "PREF=f2=8000000&amp;f5=30&amp;f4=4000000; expires=" + expiration.toGMTString() + "; path=/;";</CODE></PRE> <P>&nbsp;</P> <P>It's a bit hacked together (I'm sure there's some edge cases I'll have missed), but I figure it might come in handy for someone. A full writeup is at <A href="http://www.eugenemdavis.net/forcing-youtube-restricted-mode-javascript.html" target="_blank">http://www.eugenemdavis.net/forcing-youtube-restricted-mode-javascript.html</A></P> <P>&nbsp;</P> <P>Let me know if there is a better solution floating around out there.</P> <P>&nbsp;</P> Tue, 08 Dec 2015 21:03:22 GMT https://live.paloaltonetworks.com/t5/general-topics/redirects-for-youtube-with-safe-search-enforcement/m-p/69216#M40206 edavis33 2015-12-08T21:03:22Z https://live.paloaltonetworks.com/t5/general-topics/redirects-for-youtube-with-safe-search-enforcement/m-p/69252#M40232 <P>It should not be a Palo Alto settings but with dns you can solve it.</P> <P>More info here: <A href="https://support.google.com/websearch/answer/186669?hl=en" target="_blank">https://support.google.com/websearch/answer/186669?hl=en</A></P> <P>I expect the same solution from bing and yahoo too. It is the simpliest one and does not require any java-script and in case of https ssl decription...</P> <P>&nbsp;</P> <P>If you use dns-proxy in your firewall you can create static dns entries for google domains like <A href="http://www.google.com" target="_blank">www.google.com</A> or <A href="http://www.google.co.uk" target="_blank">www.google.co.uk</A> ect.. that give the IP back in dns reply from forcesafesearch.google.com.</P> <P>searching through this IP will give only filtered search result for google and for youtube (for youtube it is maybe to strong filtered...).</P> <P>&nbsp;</P> <P>Example from CLI:</P> <P>set network dns-proxy yourdnsproxy static-entries google.com address 216.239.38.120<BR />set network dns-proxy yourdnsproxy static-entries google.com domain <A href="http://www.google.com" target="_blank">www.google.com</A></P> <P>set network dns-proxy yourdnsproxy static-entries google.com address 216.239.38.120<BR />set network dns-proxy yourdnsproxy static-entries google.com domain <A href="http://www.google.co.uk" target="_blank">www.google.co.uk</A></P> <P>...</P> <P>full list of google domains:</P> <P><A href="https://www.google.com/supported_domains" target="_blank">https://www.google.com/supported_domains</A></P> <P>&nbsp;</P> <P>The next steps that are required is to block public DNS access since they give other IPs for google domains through DNS.</P> <P>Example:</P> <P>set rulebase security rules "Block Public DNS" from SourceZone<BR />set rulebase security rules "Block Public DNS" to UntrustedZone<BR />set rulebase security rules "Block Public DNS" source YourSource-Net<BR />set rulebase security rules "Block Public DNS" destination any<BR />set rulebase security rules "Block Public DNS" category any<BR />set rulebase security rules "Block Public DNS" application dns<BR />set rulebase security rules "Block Public DNS" service application-default<BR />set rulebase security rules "Block Public DNS" action deny</P> <P>&nbsp;</P> <P>and block every other google IPs if the url containst <A href="http://www.google.com" target="_blank">www.google.com</A> or other <A href="http://www.google.xx" target="_blank">www.google.xx</A> domains but not the 216.239.38.120 destination IP:</P> <P>Example from CLI:</P> <P>set profiles custom-url-category GoogleSearchURLs list [ <A href="http://www.google.com" target="_blank">www.google.com</A> <A href="http://www.google.com.tr" target="_blank">www.google.com.tr</A> <A href="http://www.google.at" target="_blank">www.google.at</A> ...]</P> <P>&nbsp;</P> <P>set address forcesafesearch.google.com ip-netmask 216.239.38.120<BR />set address forcesafesearch.google.com description forcesafesearch.google.com</P> <P>&nbsp;</P> <P>set rulebase security rules Google-Allow from SourceZone<BR />set rulebase security rules Google-Allow to UntrustedZone<BR />set rulebase security rules Google-Allow source YourSource-Net<BR />set rulebase security rules Google-Allow destination forcesafesearch.google.com<BR />set rulebase security rules Google-Allow category any<BR />set rulebase security rules Google-Allow application any<BR />set rulebase security rules Google-Allow service [ service-http service-https ]<BR />set rulebase security rules Google-Allow action allow<BR />set rulebase security rules Google-Allow description "forcesafesearch.google.com access"<BR /><BR />set rulebase security rules GoogleDomain-Block from SourceZone<BR />set rulebase security rules GoogleDomain-Block to UntrustedZone<BR />set rulebase security rules GoogleDomain-Block source YourSource-Net<BR />set rulebase security rules GoogleDomain-Block destination any<BR />set rulebase security rules GoogleDomain-Block category GoogleSearchURLs<BR />set rulebase security rules GoogleDomain-Block application any<BR />set rulebase security rules GoogleDomain-Block service [ service-http service-https ]<BR />set rulebase security rules GoogleDomain-Block action deny<BR />set rulebase security rules GoogleDomain-Block description "block google domains"</P> <P>&nbsp;</P> <P>I have tested it and worked. but for youtube as I see it is too hard, whatever you search in the result you will see only fairy tales <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> from Walt Disney..?</P> Wed, 09 Dec 2015 10:28:36 GMT https://live.paloaltonetworks.com/t5/general-topics/redirects-for-youtube-with-safe-search-enforcement/m-p/69252#M40232 AkosD 2015-12-09T10:28:36Z https://live.paloaltonetworks.com/t5/general-topics/redirects-for-youtube-with-safe-search-enforcement/m-p/69444#M40302 <P>Unfortuately neither Yahoo nor Bing appear to support this approach (i.e. having a safe search only domain/IP) - and using it for Google doesn't stop Palo Alto from rewriting the URL (it seems Palo Alto's Safe Search detection isn't compatiable).</P> Mon, 14 Dec 2015 14:57:39 GMT https://live.paloaltonetworks.com/t5/general-topics/redirects-for-youtube-with-safe-search-enforcement/m-p/69444#M40302 edavis33 2015-12-14T14:57:39Z