Force Safe Search without SSL decryption


L3 Networker

We are a K-12 school district.  SSL decryption is not in the cards, at least for the time being.  From what I read, enabling safe search enforcement in a URL filtering profile will not work properly without having implemented SSL decryption.

 

If that's correct, is a DNS proxy the way to go, as described here:

 

https://support.google.com/websearch/answer/186669?hl=en

 

 

Thanks

 


Couldn't one block the "search" category though, and allow google as an exception?

 

I agree this is not the ideal way to control this.  We are not looking for ideal, at this point. 

Personally I wonder about the extra load imposed by SSL decryption, at least on our PA-500 devices (with memory upgrade).  They are already so slow, I'd hate to see them become even slower, if that is possible.

> Couldn't one block the "search" category though, and allow google as an exception?

 

Probably not, because, like Google, the services are much more than just search. You could cover many examples, but someone logged into live.com to view their Hotmail account would likely be able to do a Bing search from inside their email. The user isn't on a search site, and they didn't make a new connection to Bing.

 

I'd say start with the DNS method you linked in the first post on this thread, and push for decryption as a more full solution later.

 

Cheers

L4 Transporter

So technically SSL decryption is not required to turn on SAFE SEARCH.

 

That being said, if the browser returns search results (most do) inside SSL, then yes, you need a decryption policy.

 

Otherwise you can enable safe search directly on the PC... via GPO.

 

Meanwhile there are some PAN alternatives:

 

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/url-filtering/safe-search-enforcemen...

 

 

Another thing I've done for K-12 is blacklist everything and then only whitelist approved sites.

 

If Google search is approved then you need to find a control for that site.

I've set up a DNS Proxy at one of the primary sites.  I created a bunch of static entries for google.ca, *.google.ca, etc. pointing to 216.239.38.120.  As the interface, I assigned the proxy to the LAN interface.

 

If I test on a Windows client, after running ipconfig /flushdns, the client still gets an answer from one of our internal DNS servers (at the DC), not from the local PA proxy.

 

show dns-proxy statistics all confirmed that the proxy received zero requests.  I think I'm missing something else.  Do I need to set up a proxy rule?  I thought only a DNS proxy and some static entries were needed for this to work.

 

 

If possible, you should make those changes on your internal DNS server - so that any requests for those domains get pointed to the safe-search IP address.  

 

Your other option(s) are: point your internal DNS servers to use the firewall's DNS proxy address as their upstream DNS server, and/or point your clients' DNS entries directly at the firewall's DNS proxy address.

 

The reason there aren't any hits to the DNS proxy is that nobody (internal DNS and/or client/endpoint) is pointed at the DNS proxy for DNS resolution.  
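As an added example (not from the thread, and not PAN-OS code), here is a small Python model of the DNS-override approach discussed above: the static entries from the DNS proxy post (an apex entry plus a wildcard, answering with the 216.239.38.120 address quoted in the thread) and the point made in the reply that the proxy counts zero queries until the internal DNS server or the clients actually forward to it. The upstream answers are constructed TEST-NET addresses, and the class and function names are hypothetical.

```python
# Added example (not from the thread or from PAN-OS): a model of the
# DNS-override approach. Static entries such as "google.ca" and
# "*.google.ca" answer with the safe-search address from the thread;
# anything else is forwarded upstream. Upstream answers are constructed.

SAFE_SEARCH_IP = "216.239.38.120"          # address quoted in the thread

# Static entries as the poster described them. "*.google.ca" does not cover
# the bare "google.ca", so both the apex and the wildcard are listed.
STATIC_ENTRIES = {
    "google.ca": SAFE_SEARCH_IP,
    "*.google.ca": SAFE_SEARCH_IP,
}

# Constructed upstream answers (TEST-NET addresses, not real Google records).
PUBLIC_ANSWERS = {
    "google.ca": "203.0.113.10",
    "www.google.ca": "203.0.113.11",
    "notgoogle.ca": "203.0.113.12",
    "example.com": "203.0.113.13",
}


def normalize(name):
    """Lower-case and strip a trailing dot so 'WWW.Google.ca.' still matches."""
    return name.rstrip(".").lower()


def match_static(qname, entries=STATIC_ENTRIES):
    """Return the override address for qname, or None if no entry applies."""
    q = normalize(qname)
    if q in entries:
        return entries[q]
    labels = q.split(".")
    # "*.google.ca" matches "www.google.ca" and "a.b.google.ca" but not
    # "google.ca" (no leading label) and not "notgoogle.ca" (label boundary).
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in entries:
            return entries[wildcard]
    return None


class DnsServer:
    """A resolver with no overrides (the internal DC server or public DNS).
    It forwards to `forwarder` when set, otherwise answers from `answers`."""

    def __init__(self, answers=None, forwarder=None):
        self.answers, self.forwarder = answers or {}, forwarder

    def resolve(self, qname):
        if self.forwarder is not None:
            return self.forwarder.resolve(qname)
        return self.answers.get(normalize(qname))


class DnsProxy:
    """The firewall's DNS proxy: static entries first, then the upstream."""

    def __init__(self, entries, upstream):
        self.entries, self.upstream = entries, upstream
        self.queries = 0   # what 'show dns-proxy statistics all' would count

    def resolve(self, qname):
        self.queries += 1
        hit = match_static(qname, self.entries)
        return hit if hit is not None else self.upstream.resolve(qname)


def scenario(internal_dns_uses_proxy):
    """Resolve www.google.ca from a client that points at the internal DNS
    server. Returns (answer the client sees, queries the proxy received)."""
    public = DnsServer(PUBLIC_ANSWERS)
    proxy = DnsProxy(STATIC_ENTRIES, upstream=public)
    # First attempt in the thread: internal DNS still forwards straight to
    # public DNS, so the proxy never sees a query. The fix: forward to the proxy.
    internal = DnsServer(forwarder=proxy if internal_dns_uses_proxy else public)
    return internal.resolve("www.google.ca"), proxy.queries


if __name__ == "__main__":
    print("before:", scenario(False))   # ('203.0.113.11', 0)
    print("after: ", scenario(True))    # ('216.239.38.120', 1)
```

The `scenario(False)` case reproduces the zero-request symptom: the override table is fine, but nothing in the resolution path ever reaches the proxy. Once the internal server forwards to the proxy (`scenario(True)`), the wildcard entry answers for `www.google.ca` and the counter increments, which is the check to run with `show dns-proxy statistics all` after changing the client or server DNS settings.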

Thank you, that worked.  Don't know why I was expecting it to work without changing the client's DNS settings... 🙂  I'm checking if boss is happy with safe search for all, before touching our DNS servers.
