12-08-2015 01:03 PM
I have been working to enable Safe Search Enforcement for all of our users, but was having issues due YouTube being blocked. Since I couldn't find a solution anywhere else, I created a bit of code to update the user's cookies to put YouTube into Restricted Mode and send them along their way - basically with the following code:
var expiration = new Date();
expiration.setTime(expiration.getTime()+(12*60*60*1000));
document.cookie = "PREF=f2=8000000&f5=30&f4=4000000; expires=" + expiration.toGMTString() + "; path=/;";
It's a bit hacked together (I'm sure there's some edge cases I'll have missed), but I figure it might come in handy for someone. A full writeup is at http://www.eugenemdavis.net/forcing-youtube-restricted-mode-javascript.html
Let me know if there is a better solution floating around out there.
12-09-2015 02:28 AM
It should not be a Palo Alto settings but with dns you can solve it.
More info here: https://support.google.com/websearch/answer/186669?hl=en
I expect the same solution from bing and yahoo too. It is the simpliest one and does not require any java-script and in case of https ssl decription...
If you use dns-proxy in your firewall you can create static dns entries for google domains like www.google.com or www.google.co.uk ect.. that give the IP back in dns reply from forcesafesearch.google.com.
searching through this IP will give only filtered search result for google and for youtube (for youtube it is maybe to strong filtered...).
Example from CLI:
set network dns-proxy yourdnsproxy static-entries google.com address 216.239.38.120
set network dns-proxy yourdnsproxy static-entries google.com domain www.google.com
set network dns-proxy yourdnsproxy static-entries google.com address 216.239.38.120
set network dns-proxy yourdnsproxy static-entries google.com domain www.google.co.uk
...
full list of google domains:
https://www.google.com/supported_domains
The next steps that are required is to block public DNS access since they give other IPs for google domains through DNS.
Example:
set rulebase security rules "Block Public DNS" from SourceZone
set rulebase security rules "Block Public DNS" to UntrustedZone
set rulebase security rules "Block Public DNS" source YourSource-Net
set rulebase security rules "Block Public DNS" destination any
set rulebase security rules "Block Public DNS" category any
set rulebase security rules "Block Public DNS" application dns
set rulebase security rules "Block Public DNS" service application-default
set rulebase security rules "Block Public DNS" action deny
and block every other google IPs if the url containst www.google.com or other www.google.xx domains but not the 216.239.38.120 destination IP:
Example from CLI:
set profiles custom-url-category GoogleSearchURLs list [ www.google.com www.google.com.tr www.google.at ...]
set address forcesafesearch.google.com ip-netmask 216.239.38.120
set address forcesafesearch.google.com description forcesafesearch.google.com
set rulebase security rules Google-Allow from SourceZone
set rulebase security rules Google-Allow to UntrustedZone
set rulebase security rules Google-Allow source YourSource-Net
set rulebase security rules Google-Allow destination forcesafesearch.google.com
set rulebase security rules Google-Allow category any
set rulebase security rules Google-Allow application any
set rulebase security rules Google-Allow service [ service-http service-https ]
set rulebase security rules Google-Allow action allow
set rulebase security rules Google-Allow description "forcesafesearch.google.com access"
set rulebase security rules GoogleDomain-Block from SourceZone
set rulebase security rules GoogleDomain-Block to UntrustedZone
set rulebase security rules GoogleDomain-Block source YourSource-Net
set rulebase security rules GoogleDomain-Block destination any
set rulebase security rules GoogleDomain-Block category GoogleSearchURLs
set rulebase security rules GoogleDomain-Block application any
set rulebase security rules GoogleDomain-Block service [ service-http service-https ]
set rulebase security rules GoogleDomain-Block action deny
set rulebase security rules GoogleDomain-Block description "block google domains"
I have tested it and worked. but for youtube as I see it is too hard, whatever you search in the result you will see only fairy tales 🙂 from Walt Disney..?
12-14-2015 06:57 AM
Unfortuately neither Yahoo nor Bing appear to support this approach (i.e. having a safe search only domain/IP) - and using it for Google doesn't stop Palo Alto from rewriting the URL (it seems Palo Alto's Safe Search detection isn't compatiable).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
