Web: Configuring the Safe Search Function

Networking Requirements

As shown in Figure 1, the FW serves as the enterprise gateway at the border of the enterprise network. The enterprise wants to regulate employees' Internet access behavior and force safe search on their search requests.

Figure 1 Configuring the safe search function

Configuration Roadmap

  1. Set interface IP addresses and assign the interfaces to security zones.
  2. Create the URL filtering profile profile_safe_search and enable the safe search function.
  3. Configure the security policy and reference the URL filtering profile profile_safe_search.
  4. Configure SSL-encrypted traffic detection to decrypt HTTPS traffic.
    • Configure the SSL decryption certificate, then import and install it on the intranet PC.
    • Optional: Import the CA certificate of the certificate authority trusted by the enterprise and specify the imported CA certificate as the server CA certificate. The FW checks whether the server certificate is trusted based on the server CA certificate.

      Note that over 100 common server CA certificates have been preset on the FW by default, which can be used to verify most server certificates. Generally, these default CA certificates are enough and you do not need to import other CA certificates. In some cases, however, if the preset CA certificates cannot verify the peer server certificates, you need to import other CA certificates. This section describes how to import a CA certificate as a configuration step.

    • Configure the detection profile and SSL-encrypted traffic detection policy.
  5. Configure the TCP proxy policy.

Procedure

  1. Configure interface IP addresses and security zones.

    1. Choose Network > Interface.
    2. Click the edit icon of GE0/0/1 and set the parameters as follows.

      Zone: untrust
      IPv4
        IP Address: 1.1.1.1/24

    3. Click OK.
    4. Repeat the previous steps to add GE0/0/2 to the trust zone.

      Set the parameters as follows for interface GE0/0/2 and use default values for other parameters:

      Zone: trust
      IPv4
        IP Address: 10.3.0.1/24

  2. Create the URL filtering profile profile_safe_search and enable the safe search function.

    1. Choose Object > Security Profiles > URL Filtering.

    2. Click Add and set the parameters as follows.

      Name: profile_safe_search
      Default Action: Permit
      URL Filtering Level: Medium
      Safe search: Enable
      Action Mode: Strictly

    3. Click OK.

  3. Configure the security policy and reference the URL filtering profile profile_safe_search.
    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add Security Policy and set the parameters as follows.

      Name: secpolicy-trust2untrust
      Source Zone: trust
      Destination Zone: untrust
      Source Address/Region: 10.3.0.1/24
      Service: HTTP and HTTPS
      Action: Permit
      URL filtering: profile_safe_search

    3. Click OK.
  4. Configure SSL-encrypted traffic detection.
    1. Configure an SSL decryption certificate and import and install the SSL decryption certificate on an intranet PC.

      1. Choose Object > Certificates > SSL Decryption Certificate.

      2. Click the SSL Decryption Certificate tab. Click Add and configure an SSL decryption certificate as follows.

        Certificate Name: ssl-server-ca
        FQDN: www.example.com
          Identity information of the FW, used to identify the certificate applicant. It uniquely identifies the FW on the network and can be resolved to an IP address.
        Country/Area: China(CN)
          Code of the country to which the FW belongs. CN indicates China.
        Locality: Trust-Network
          Location of the FW. To better identify the certificate owner, the location of the FW can be customized.

      3. Click OK.
      4. Click the download icon of the SSL decryption certificate and download the certificate to the administrator PC.

        File Format: Export files in PKCS12 format
        Password/Confirm Password: Hello@123
          The password specified here is used to protect the key file in the certificate. You are required to enter this password when you install the certificate later.

      5. Click OK.
      6. Send the exported certificate file to the intranet user and require the user to install the certificate on the PC and trust it. For how to install the trusted certificate, see Installing an SSL Decryption Certificate on a Client. If the certificate is not installed, normal access may be blocked.

    2. Optional: Import the CA certificates of the certificate authorities that the enterprise trusts. Specify the CA certificate used by the FW to verify the server certificate.

      1. Choose Object > Certificates > CA Certificates.

      2. Click Upload to import a CA certificate.

        Upload Type: Local Upload
        Certificate File: server_ca.cer

      3. Click OK.
      4. Choose Object > Certificates > SSL decryption certificate and click the Server CA Certificate tab.
      5. Click Add and select the CA certificate that has been imported into the FW.
      6. Click OK.

    3. Configure the detection profile and SSL-encrypted traffic detection policy.

      1. Choose Policy > Encrypted Traffic Detection > Detection Profile.

      2. Click Add in Detection Profile and set parameters as follows.

        Name: Profile_safesearch
        Type: Outbound

      3. Click OK.
      4. Click Add in Detection Policy and set parameters as follows.

        Name: Policy_safesearch
        Source Zone: trust
        Destination Zone: untrust
        Source Address: 10.3.0.1/24
        Service: https
        Action: Decrypt
        Detection Profile: Profile_safesearch

      5. Click OK.

  5. Configure the TCP proxy.

    For HTTP search requests, you need to configure a TCP proxy policy.

    1. Choose Policy > Proxy Policy.



    2. Click Add and set the parameters as follows.

      Name: proxy-safesearch
      Source Zone: trust
      Destination Zone: untrust
      Source Address: 10.3.0.1/24
      Service: http
      Action: TCP proxy

    3. Click OK.

  6. Click Save on the upper right of the web page, and click OK in the dialog box that is displayed.
  7. Click Commit on the upper right of the web page and click OK in the dialog box that is displayed.

Verification

  1. If employees use the search engines Bing, Google, Yahoo, Yandex, and YouTube to search for sexual or pornographic content, the search results are filtered. Sexual or potentially offensive content is significantly reduced.
  2. According to the URL log (Monitor > Log > URL Log), the results of employees' search requests are filtered by the search engines after the device adds the safe search parameter to the search request. The log contains entries whose rule type is Safe search in the URL filtering profile. For example:

Configuration Scripts

# 
 app-proxy built-in-ca trust filename ssl-server-ca
 app-proxy ca trust filename server_ca.cer
#                       
pki entity ssl-server-ca     
 common-name ssl-server-ca   
 fqdn www.example.com
 locality Trust Network
 country CN
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
profile type url-filter name profile_safe_search
 category pre-defined control-level medium
 safe-search enable
#
security-policy
 rule name secpolicy-trust2untrust
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.1 mask 255.255.255.0
  service http
  service https
  profile url-filter profile_safe_search
  action permit
#
proxy-policy
 rule name proxy-safesearch
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.1 mask 255.255.255.0
  service http
  action tcp-proxy
#
profile type decryption name Profile_safesearch
  detect type outbound
#
decryption-policy
 rule name Policy_safesearch
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.1 mask 255.255.255.0
  service https
  action decrypt profile Profile_safesearch
#
return 
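
The roadmap pairs each service with an enabling policy: a TCP proxy policy for HTTP and SSL decryption for HTTPS. The following Python check is an added example, not Huawei code and not part of the original page; it parses a script in the format above and reports every safe-search security rule whose HTTP or HTTPS service has no proxy-policy or decryption-policy rule naming the same zones. The function names and the abridged sample are constructed for illustration, and source addresses are not compared.

```python
CONFIG = """\
profile type url-filter name profile_safe_search
 safe-search enable
security-policy
 rule name secpolicy-trust2untrust
  source-zone trust
  destination-zone untrust
  service http
  service https
  profile url-filter profile_safe_search
proxy-policy
 rule name proxy-safesearch
  source-zone trust
  destination-zone untrust
  service http
  action tcp-proxy
"""  # constructed sample: this page's script, abridged, with decryption-policy left out
NEEDS = {"service http": ("proxy-policy", "action tcp-proxy"),       # pairing assumed from
         "service https": ("decryption-policy", "action decrypt")}   # the page's roadmap

def parse(cfg):
    """Map (top-level header, rule name) -> set of indented setting lines."""
    out, head, rule = {}, None, None
    for line in filter(str.strip, cfg.splitlines()):
        s = line.strip()
        if not line.startswith(" "):  # new section header, or a '#' separator
            head, rule = s, None
        elif s.startswith("rule name "):
            rule = s[len("rule name "):]
        else:
            out.setdefault((head, rule), set()).add(s)
    return out

def safe_search_gaps(cfg):
    """Return (rule, service, missing section) for uncovered safe-search traffic."""
    p = parse(cfg)
    safe = {"profile url-filter " + h.split()[-1] for (h, _), b in p.items()
            if h.startswith("profile type url-filter name") and "safe-search enable" in b}
    sec = {r: b for (h, r), b in p.items() if h == "security-policy" and safe & b}
    gaps = []
    for rule, b in sec.items():
        zones = {x for x in b if "-zone " in x}
        for svc, (sect, act) in NEEDS.items():
            covered = any(h == sect and zones | {svc} <= o and any(a.startswith(act) for a in o)
                          for (h, _), o in p.items())
            if svc in b and not covered:
                gaps.append((rule, svc, sect))
    return gaps
```

On the sample, `safe_search_gaps(CONFIG)` returns one gap: HTTPS permitted by `secpolicy-trust2untrust` has no `decryption-policy` rule. With the decryption-policy section from the script above restored, it returns an empty list.
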
Copyright © Huawei Technologies Co., Ltd.