This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Redirects for YouTube with Safe Search Enforcement

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Redirects for YouTube with Safe Search Enforcement

edavis33
L1 Bithead

‎12-08-2015 01:03 PM

I have been working to enable Safe Search Enforcement for all of our users, but was having issues due YouTube being blocked. Since I couldn't find a solution anywhere else, I created a bit of code to update the user's cookies to put YouTube into Restricted Mode and send them along their way - basically with the following code:

    var expiration = new Date();
    expiration.setTime(expiration.getTime()+(12*60*60*1000));
    document.cookie = "PREF=f2=8000000&f5=30&f4=4000000; expires=" + expiration.toGMTString() + "; path=/;";

 

It's a bit hacked together (I'm sure there's some edge cases I'll have missed), but I figure it might come in handy for someone. A full writeup is at http://www.eugenemdavis.net/forcing-youtube-restricted-mode-javascript.html

 

Let me know if there is a better solution floating around out there.

 

0 Likes Likes
2 REPLIES 2

AkosD
L0 Member

‎12-09-2015 02:28 AM

It should not be a Palo Alto settings but with dns you can solve it.

More info here: https://support.google.com/websearch/answer/186669?hl=en

I expect the same solution from bing and yahoo too. It is the simpliest one and does not require any java-script and in case of https ssl decription...

 

If you use dns-proxy in your firewall you can create static dns entries for google domains like www.google.com or www.google.co.uk ect.. that give the IP back in dns reply from forcesafesearch.google.com.

searching through this IP will give only filtered search result for google and for youtube (for youtube it is maybe to strong filtered...).

 

Example from CLI:

set network dns-proxy yourdnsproxy static-entries google.com address 216.239.38.120
set network dns-proxy yourdnsproxy static-entries google.com domain www.google.com

set network dns-proxy yourdnsproxy static-entries google.com address 216.239.38.120
set network dns-proxy yourdnsproxy static-entries google.com domain www.google.co.uk

...

full list of google domains:

https://www.google.com/supported_domains

 

The next steps that are required is to block public DNS access since they give other IPs for google domains through DNS.

Example:

set rulebase security rules "Block Public DNS" from SourceZone
set rulebase security rules "Block Public DNS" to UntrustedZone
set rulebase security rules "Block Public DNS" source YourSource-Net
set rulebase security rules "Block Public DNS" destination any
set rulebase security rules "Block Public DNS" category any
set rulebase security rules "Block Public DNS" application dns
set rulebase security rules "Block Public DNS" service application-default
set rulebase security rules "Block Public DNS" action deny

 

and block every other google IPs if the url containst www.google.com or other www.google.xx domains but not the 216.239.38.120 destination IP:

Example from CLI:

set profiles custom-url-category GoogleSearchURLs list [ www.google.com www.google.com.tr www.google.at ...]

 

set address forcesafesearch.google.com ip-netmask 216.239.38.120
set address forcesafesearch.google.com description forcesafesearch.google.com

 

set rulebase security rules Google-Allow from SourceZone
set rulebase security rules Google-Allow to UntrustedZone
set rulebase security rules Google-Allow source YourSource-Net
set rulebase security rules Google-Allow destination forcesafesearch.google.com
set rulebase security rules Google-Allow category any
set rulebase security rules Google-Allow application any
set rulebase security rules Google-Allow service [ service-http service-https ]
set rulebase security rules Google-Allow action allow
set rulebase security rules Google-Allow description "forcesafesearch.google.com access"

set rulebase security rules GoogleDomain-Block from SourceZone
set rulebase security rules GoogleDomain-Block to UntrustedZone
set rulebase security rules GoogleDomain-Block source YourSource-Net
set rulebase security rules GoogleDomain-Block destination any
set rulebase security rules GoogleDomain-Block category GoogleSearchURLs
set rulebase security rules GoogleDomain-Block application any
set rulebase security rules GoogleDomain-Block service [ service-http service-https ]
set rulebase security rules GoogleDomain-Block action deny
set rulebase security rules GoogleDomain-Block description "block google domains"

 

I have tested it and worked. but for youtube as I see it is too hard, whatever you search in the result you will see only fairy tales 🙂 from Walt Disney..?

0 Likes Likes

edavis33
L1 Bithead
In response to AkosD

‎12-14-2015 06:57 AM

Unfortuately neither Yahoo nor Bing appear to support this approach (i.e. having a safe search only domain/IP) - and using it for Google doesn't stop Palo Alto from rewriting the URL (it seems Palo Alto's Safe Search detection isn't compatiable).

0 Likes Likes
  • 2705 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks