Force Safe Search without SSL decryption

We are a K-12 school district. SSL decryption is not in the cards, at least for the time being. From what I read, enabling safe search enforcement in the URL filtering profile will not work properly without having implemented SSL decryption.

If that's correct, is a DNS proxy the way to go, as described here:

https://support.google.com/websearch/answer/186669?hl=en

Thanks


If possible, you should make those changes on your internal DNS server, so that any requests for those domains get pointed to the safe-search IP address.

Your other option(s) are: point your internal DNS servers to use the firewall's DNS proxy address as their upstream DNS server, and/or point your clients' DNS entries directly at the firewall's DNS proxy address.

The reason there aren't any hits to the DNS proxy is that nobody (internal DNS and/or client/endpoint) is pointed at the DNS proxy for DNS resolution.

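The accepted answer above describes the DNS-override approach in words: the internal resolver answers queries for the Google search hostnames with Google's SafeSearch target instead of the normal address. The following is an added example, not code from the thread or from Palo Alto Networks. It assumes BIND with a response-policy zone (RPZ) as the internal DNS server (any resolver that can serve local CNAME overrides works the same way), uses Google's documented target name `forcesafesearch.google.com` rather than a hard-coded IP (the linked Google page says to resolve that name yourself, since the address can change), and the list of Google hostnames and the sample resolver answers are constructed for illustration; the full list of country-code domains is on the Google support page linked in the question. The `unenforced_hosts` check is the one a practitioner wants after rolling this out: feed it what the resolver actually returns and it names every search domain that is still being answered by upstream DNS. The same check also explains the "no hits on the DNS proxy" situation in the answer: if clients or the internal DNS never send queries to the resolver that holds the overrides, none of the domains will show as enforced.

```python
"""Generate BIND RPZ overrides that force Google SafeSearch via DNS, and
verify a resolver's answers against that policy.

Added example (not from the forum thread). Assumptions, not stated on the page:
BIND with response-policy zones is the internal resolver; the host list and the
sample answers below are constructed and incomplete.
"""
from __future__ import annotations

# Google's documented SafeSearch target. Always CNAME to the name and let the
# resolver look up its current address; do not hard-code the IP.
SAFE_SEARCH_TARGET = "forcesafesearch.google.com"

# Constructed sample of Google search hostnames to override (real deployments
# need every country-code domain students might reach, per Google's list).
GOOGLE_SEARCH_HOSTS = [
    "www.google.com",
    "www.google.ca",
    "www.google.co.uk",
    "www.google.com.mx",
]


def rpz_zone(hosts: list[str], target: str = SAFE_SEARCH_TARGET,
             origin: str = "safesearch.rpz") -> str:
    """Return a BIND response-policy zone file that rewrites each host to a CNAME.

    In an RPZ the owner name is the trigger (relative to the zone origin) and a
    CNAME record is the 'local data' action, so the resolver answers the query
    with the SafeSearch name and then chases it to Google's current address.
    """
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA ns.{origin}. hostmaster.{origin}. 1 3600 600 86400 300",
        f"@ IN NS ns.{origin}.",
    ]
    for host in hosts:
        # Trigger name is relative to the RPZ origin; target is absolute (trailing dot).
        lines.append(f"{host} IN CNAME {target}.")
    return "\n".join(lines) + "\n"


def resolve_chain(answers: dict[str, str], name: str, max_hops: int = 8) -> list[str]:
    """Follow CNAME answers in a constructed answer table.

    `answers` maps a queried name to what the resolver returned for it: either
    another name (a CNAME) or an address (terminal). Returns the names visited,
    stopping on a loop or after `max_hops` so a bad zone cannot spin forever.
    """
    chain = [name]
    seen = {name}
    while name in answers and len(chain) <= max_hops:
        name = answers[name]
        if name in seen:        # CNAME loop: treat as unresolved
            break
        seen.add(name)
        chain.append(name)
    return chain


def unenforced_hosts(answers: dict[str, str], hosts: list[str],
                     target: str = SAFE_SEARCH_TARGET) -> list[str]:
    """Search hosts whose answer chain never reaches the SafeSearch target.

    Anything listed here is still being answered by upstream DNS, meaning the
    override is missing, or the client is not using the resolver that has it.
    """
    return [h for h in hosts if target not in resolve_chain(answers, h)]


# Constructed resolver answers, as `dig +short` would show them (one query each).
# www.google.co.uk has no override and is still answered by upstream DNS.
# Addresses are illustrative; 216.239.38.120 was the SafeSearch VIP observed at
# the time of writing and 203.0.113.10 is documentation space (RFC 5737).
SAMPLE_ANSWERS = {
    "www.google.com": "forcesafesearch.google.com",
    "www.google.ca": "forcesafesearch.google.com",
    "www.google.co.uk": "203.0.113.10",
    "forcesafesearch.google.com": "216.239.38.120",
}


if __name__ == "__main__":
    print(rpz_zone(GOOGLE_SEARCH_HOSTS))
    missing = unenforced_hosts(SAMPLE_ANSWERS, GOOGLE_SEARCH_HOSTS)
    print("still answered by upstream DNS:", missing)
```

To load the generated zone, BIND needs a `response-policy { zone "safesearch.rpz"; };` statement in `options` and a matching `zone "safesearch.rpz" { type master; file "..."; };` (standard RPZ setup, not shown above). One caveat the thread touches on: this only works for queries that actually reach the resolver holding the overrides, so the firewall should allow outbound DNS only from the internal DNS servers (or the DNS proxy) so a client cannot simply point itself at a public resolver.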

@LucaMarchiori

Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.

https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/content-inspection-feature...

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/url-filtering/safe-search-enforcemen...

https://researchcenter.paloaltonetworks.com/2015/01/firewall-pro-tip-enforce-safe-search-without-blo...

I don't think DNS Proxy will resolve this challenge for you, at least not based on my own experience.

I hope this helps.

Hi Willian,

I might be wrong, but I don't see us implementing SSL decryption anytime soon, due to a number of factors. Could you please elaborate a little on what you mean when you say that in your experience the DNS proxy route is not going to resolve this?

We are not looking for a fool-proof solution at this time; more like having something in place rather than nothing.

Did you find users were able to circumvent this easily, or did it just plain not work?

Thanks,

Luca

What are you trying to protect from in your K-12 network?

In short, we are trying to avoid kids getting inappropriate results from Google search. This was sparked by one complaint at an elementary site, even though we are blocking adult categories with URL filtering.

In my mind this is about enforcing a browser setting, and as such it should be handled on the device side (GPO, MDM, etc.). Nevertheless, I've been asked if anything could be accomplished with our PA firewall.

So... "Content Filtering" should be able to get you what you need (URL Profiles). However, I thought I heard that without SSL decryption you can bypass that filtering control by using Google's translation services.

Let me do some searching real quick.

Yes, if you're unable to use SSL decryption to enforce safe search and you don't have an endpoint-specific solution (GPO/MDM), then I would recommend leveraging Google's DNS-based safe search configuration, as you posted in your original question.

We are already doing URL filtering for the usual inappropriate categories. Somehow this kid managed to get explicit pics in the browser, supposedly by using the search function. Unfortunately this was reported as an anecdote, without any technical details. I took it at face value.

If I click on the link you provided I get:

An invalid set of parameters has been specified in the url.

Hi,

So, the DNS Proxy solution should be working OK? I'm going to set up a test site and see what I come up with.
