06-12-2017 09:32 AM
We are a K-12 school district. SSL decryption is not in the cards, at least for the time being. From what I read, enabling safe search enforcement in the URL filtering profile will not work properly without having implemented SSL decryption.
If that's correct, is a DNS proxy the way to go, as described here:
https://support.google.com/websearch/answer/186669?hl=en
Thanks
06-14-2017 02:22 PM
If possible, you should make those changes on your internal DNS server - so that any requests for those domains get pointed to the safe-search IP address.
Your other option(s) are: point your internal DNS servers to use the firewall's DNS proxy address as their upstream DNS server, and/or point your clients' DNS entries directly at the firewall's DNS proxy address.
The reason there aren't any hits to the DNS proxy is that nobody (internal DNS and/or client/endpoint) is pointed at the DNS proxy for DNS resolution.
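Added example, not part of the original thread and not Palo Alto Networks code: a client-side check that the DNS override described in the reply above is actually being answered by whatever resolver the client uses. It assumes the override target is `forcesafesearch.google.com` (the name given in the linked Google article); the host list and the sample addresses are constructed.

```python
import socket

# Assumption: SafeSearch name from the linked Google support article.
SAFE_NAME = "forcesafesearch.google.com"
# Assumption: hostnames the district overrides; extend with any country domains in use.
SEARCH_HOSTS = ["www.google.com", "google.com"]

def system_resolve(name):
    """Resolve through the OS-configured resolver, i.e. whatever DNS this client points at."""
    try:
        infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_safesearch(hosts=SEARCH_HOSTS, resolve=system_resolve, safe_name=SAFE_NAME):
    """Return {host: status}; status is 'enforced', 'not-enforced' or 'unresolved'."""
    safe_addrs = resolve(safe_name)
    results = {}
    for host in hosts:
        addrs = resolve(host)
        if not addrs or not safe_addrs:
            results[host] = "unresolved"
        elif addrs <= safe_addrs:
            # Every answer for the search host is a SafeSearch address.
            results[host] = "enforced"
        else:
            # At least one answer bypasses the override (client not using the
            # internal DNS / DNS proxy, or the record is missing for this host).
            results[host] = "not-enforced"
    return results

def constructed_resolver(table):
    """Offline resolver built from a dict, used with the constructed sample below."""
    return lambda name: set(table.get(name, ()))

# Constructed sample answers (RFC 5737 documentation addresses, not real Google IPs):
# www.google.com is overridden, the bare google.com record was forgotten.
OVERRIDDEN = {
    SAFE_NAME: ["192.0.2.10"],
    "www.google.com": ["192.0.2.10"],
    "google.com": ["198.51.100.7"],
}

if __name__ == "__main__":
    for host, status in check_safesearch().items():
        print(f"{host}: {status}")
```

Run it from a student device or VLAN: a `not-enforced` result there while the DNS server itself reports `enforced` means that client is not using the internal DNS or the firewall's DNS proxy for resolution.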
06-12-2017 10:16 AM
Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
I don't think DNS Proxy will resolve this challenge for you, at least not based on my own experience.
I hope this helps.
06-12-2017 11:30 AM
Hi Willian,
I might be wrong, but I don't see us implementing SSL decryption anytime soon, due to a number of factors. Could you please elaborate a little, when you say that in your experience DNS-Proxy route is not going to resolve this?
We are not looking for a fool-proof solution at this time, more like at having something in place, rather than nothing.
Did you find users were able to circumvent this easily, or it just plain didn't work?
Thanks,
Luca
06-12-2017 02:26 PM
What are you trying to protect from in your K-12 network?
06-12-2017 02:38 PM
In short, we are trying to avoid kids getting inappropriate results from Google search. This was sparked from one complaint at an elementary site, even though we are blocking adult categories with URL filtering.
In my mind this is about enforcing a browser setting, and as such should be handled on the device side (GPO, MDM, etc). Nevertheless, I've been asked if anything could be accomplished with our PA firewall.