Safe Search Best Practices with Palo Alto Networks

Showing results for 
Show  only  | Search instead for 
Did you mean: 
L3 Networker



Safe Search Best Practices

I’d like to first level set on what Safe Search is and why this feature may be extremely useful for certain situations, in particular the education space (K-12).  Safe Search essentially filters out adult images, videos and content in search query returns.  This prevents end users within a school's network from accidentally or purposely searching for inappropriate adult content. 


Safe Search functionality is search engine based.  Currently, the Palo Alto Networks NGFW supports Safe Search enforcement from,,, and search engines.


Transparent Experience

It is always best to not change user behavior as people are creatures of habit.  Thus, you don’t want to ask your end users “to enable and use the Safe Search function.”  Being able to transparently enforce Safe Search without users having to do anything different is the ideal solution. 


Another benefit of transparent Safe Search is that endpoints not issued by your organization will be forced to use Safe Search when on the organization’s network.  Again, this is transparent to the end user. 


Our recommendation is to use Transparent Safe Search redirect for all users utilizing organization issued devices.  Transparent Safe Search will automatically enforce filtering of search query results with the strictest Safe Search filters.  This does not require user behavior change.  Users can still go to,,, or and search as they always have.  Their user experience does not change at all, just the query results, as they are devoid of adult or potentially harmful content from the respective search engines.


NOTE: As part of utilizing Transparent Safe Search redirect, the firewall requires that all search sessions be decrypted. Decrypting also provides the important additional benefits of alerts, reporting and generally additional visibility into user activities, content, threats, file types, etc. 


Transparent Safe Search simply redirects the search from the standard search engine to its respective Safe Search engine for Safe Search results. 

What in reality happens is this:

  • User goes to and searches for xyz
  • The Palo Alto NGFW’s policy indicates that Safe Search is being enforced
    • Normally with standard Safe Search enforcement the user would be directed to a block page indicating that the search was blocked due to policy. To continue, the user would need to enable Safe Search manually on their browser and search again.  This would most likely generate helpdesk calls for assistance.
    • With Transparent Safe Search redirect enabled, the user is still redirected to the “block page.” But the block page has been modified and automatically re-searches the original “xyz” string in Safe Search mode.  This is all transparent to the user. 
      • The results are then presented to the user in a standard search results format.


Alternative Solution

An alternative solution to enforce Safe Search is via DNS.  This would leverage CNAME entries on the local DNS servers in conjunction with a security policy on the firewall to tightly control DNS traffic.  


Safe Search enforcement via DNS would NOT require SSL decryption.  Some organizations see this as an advantage as they do not want to decrypt traffic.   As a best practice, we recommend decrypting at the very least suspicious URL categories.  Some of these categories include (but are not limited to): insufficient-content, online-storage-and-backup, etc. (please see our Best Practices Guide for additional information.)  Without SSL decryption for these suspect categories, users may accidently access malicious payloads.


Hybrid Solution

As a best practice, we recommend that most traffic being traversed with organization issued devices be decrypted (sans Financial Services, Government, and Health and Medicine categories).  There are times however that users will bring their own devices in.  Because of a lack of control and access to these devices, they will receive SSL certificate warnings due to decryption required by Transparent Safe Search redirect.  Our suggestion would be to run a hybrid Safe Search setup. 


For all organizational issued devices, utilize Transparent Safe Search redirect. For devices brought in by users, enforce the alternate solution, Safe Search via DNS. 



Q: Are all search engines supported?

A: No, currently only yahoo, google, yandex and bing search engines are supported. This is not limited to only .com, but also other TLDs for the respective search engines.  Such as,, etc. 


Q: What if the end user already knows the adult content URL and enters the URL into their browser without a search result?

A:  Because this bypasses any search engine query, Safe Search will not be able to do any type of search enforcement. However, because you have URL Filtering running on your Palo Alto Networks Firewall, you should block adult content via policy settings.  Transparent Safe Search allows you to enforce Safe Search to sanitize search results.  It does not provide access control to actual URLs. 


Q: What about Safe Search for YouTube searches?

A: Safe Search works for YouTube as well. However, Transparent Safe Search redirect is not currently supported.  You can use a hybrid method to enforce Safe Search to transparently redirect general search engine queries and DNS for YouTube searches. 


Overall, Transparent Safe Search is recommended for organizations that have a requirement to block inappropriate content searches by their users.  The advantages of Transparent Safe Search are that users’ search experience does not change, while allowing the organization to enforce Safe Search policies to protect the organization and users from adult or potentially harmful content regardless if they are utilizing devices issued by the organization or have brought their own in.  Not having to alter user behavior is a great advantage for easing helpdesk loads and protecting everyone from harmful content. 


References Links:

  • 325 Subscriptions
Register or Sign-in