How to Configure Web Filtering with Safe Search
Learn about our safe search enhancement for Unified Threat Management (UTM) Web filtering solutions to enforce the safest Web browsing mode available, by default.
Safe Search Enhancement for Web Filtering Overview
Benefits of Safe Search Enhancement for Web Filtering
Provides the safest Web browsing mode available, by default.
Protects the HTTPS-based search engine cache. This protection is a key security feature requirement for organizations with multiple Web users in educational, financial, health-care, banking, and corporate segments. In a campus or branch, enabling a default safe search solution for all users and blocking the search engine cache provides secure and comfortable Web browsing.
Features of Safe Search Enhancement for Web Filtering
You use UTM Web filtering to manage Web browsing by preventing access to inappropriate Web content. To do this, you use the following Web filtering solutions:
Redirect Web filtering
Local Web filtering
Enhanced Web Filtering (EWF)
We've enhanced the safe search functionality for these UTM Web filtering solutions to provide an extremely safe search environment for the Web user. Table 1 describes the features of the safe search enhancement.
Table 1: Safe Search Enhancement Features
Safe Search Feature
Default safe search
By enabling the safe search enhancement feature, you enforce the safest Web browsing mode available by default on the well-known search engines. Doing so helps those users that are not using the strictest safe search settings.
If you enable the safe search feature on your security device, it enforces the search service to the strictest mode by URL query rewriting, which is transparent to you. For example, when you do a search request on the search engines Google, Bing, Yahoo, or Yandex, the safe search feature rewrites the requested URLs to the safest search URLs.
Here're a few examples of requested and converted URLs:
Blocking search engine cache
By blocking the search engine cache on the well-known search engines, you can hide your Web-browsing activities from other users if you are a part of an organization that has multiple Web users in educational, financial, health-care, banking, and corporate segments.
To block the search engine cache, you configure a general URL block pattern and category for the search engine cache service.
You can disable the safe search option at the Web filtering-level and profile-level configurations. See juniper-local, websense-redirect, and juniper-enhanced.
Limitations of Safe Search Enhancement for Web Filtering
For HTTP safe search enhancement, you must enable stream mode by enabling the http-reassemble option at the [edit security utm default-configuration web-filtering] hierarchy level. If you don't enable stream mode, you can't use the safe search feature. As a result, the system sends an HTTP 302 redirect message to the user.
For HTTPS safe search enhancement, you must enable the SSL proxy service on the security policy. If SSL proxy bypasses the HTTPS traffic, then the safe search feature also bypasses the HTTPS traffic.
Configure Web Filtering with Safe Search
Use this example to configure UTM Web filtering solutions and verify the safe search enhancement for UTM Web filtering.
This example uses the following hardware and software components:
An SRX Series device
Junos OS Release 20.2R1
Before you begin:
Make sure you understand how to use Web filtering to manage Web browsing. See Web Filtering Overview.
Configure a Root CA Certificate. See Configuring a Root CA Certificate.
In this example, you configure the following policies and Web filtering profiles on your security device:
Web filtering profiles
After you've configured the policies and profiles, you generate the Web filtering statistics and verify the performance of the safe search enhancement.
Figure 1 shows the basic UTM Web filtering topology. When you enable your security device with the safe search feature, the device rewrites the search requests from the user to the safest search mode of the search engines. The cloud engine or the local engine performs Web filtering on the search requests before forwarding to the Internet or external webserver.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the  hierarchy level, and then enter commit from configuration mode.
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure UTM Web filtering:
- Configure UTM Web filetring solution.[edit security utm]user@host# default-configuration web-filtering type juniper-enhanceduser@host# default-configuration web-filtering http-reassembleuser@host# default-configuration web-filtering juniper-enhanced default log-and-permituser@host# feature-profile web-filtering juniper-enhanced profile ewf_my_profile1 category Enhanced_Search_Engines_and_Portals action log-and-permituser@host# feature-profile web-filtering juniper-enhanced profile ewf_my_profile1 default log-and-permituser@host# utm-policy utmpolicy1 web-filtering http-profile ewf_my_profile1
- Configure the security policies to control HTTP or HTTPS
traffic from the trust zone to the Internet zone.[edit security policies]user@host# from-zone trust to-zone internet policy sec_policy match source-address anyuser@host# from-zone trust to-zone internet policy sec_policy match destination-address anyuser@host# from-zone trust to-zone internet policy sec_policy match application junos-pinguser@host# from-zone trust to-zone internet policy sec_policy match application junos-httpuser@host# from-zone trust to-zone internet policy sec_policy then permit application-services utm-policy utmpolicy1user@host# default-policy deny-all
- Configure security zones.[edit security zones security-zone]user@host# trust host-inbound-traffic system-services alluser@host# trust host-inbound-traffic protocols alluser@host# trust interfaces xe-5/0/0.0user@host# internet host-inbound-traffic system-services alluser@host# internet host-inbound-traffic protocols alluser@host# internet interfaces xe-5/0/2.0
- Configure interfaces.[edit interfaces]user@host# xe-5/0/0 unit 0 family inet address 192.0.2.254/24user@host# xe-5/0/2 unit 0 family inet address 203.0.113.254/24
From configuration mode, confirm your configuration by entering the show security policies, show security utm, and show interfaces commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the feature on your device, enter commit from configuration mode.
Verify Safe Search Function
Verify that the safe search feature is enabled for UTM Web filtering solutions.
From operational mode, enter the show security utm web-filtering statistics command to view the Web filtering statistics. In the output, the Safe-search redirect and Safe-search rewrite fields display the enhanced safe search redirect and rewrite statistics.
user@host> show security utm web-filtering statistics
UTM web-filtering statistics: Total requests: 0 white list hit: 0 Black list hit: 0 No license permit: 0 Queries to server: 0 Server reply permit: 0 Server reply block: 0 Server reply quarantine: 0 Server reply quarantine block: 0 Server reply quarantine permit: 0 Custom category permit: 0 Custom category block: 0 Custom category quarantine: 0 Custom category qurantine block: 0 Custom category quarantine permit: 0 Site reputation permit: 0 Site reputation block: 0 Site reputation quarantine: 0 Site reputation quarantine block: 0 Site reputation quarantine permit: 0 Site reputation by Category 0 Site reputation by Global 0 Cache hit permit: 0 Cache hit block: 0 Cache hit quarantine: 0 Cache hit quarantine block: 0 Cache hit quarantine permit: 0 Safe-search redirect: 0 +Safe-search rewrite: 0 SNI pre-check queries to server: 0 SNI pre-check server responses: 0 Web-filtering sessions in total: 64000 Web-filtering sessions in use: 0 Fallback: log-and-permit block Default 0 0 Timeout 0 0 Connectivity 0 0 Too-many-requests 0 0
The output displays that the safe search feature is enabled and there are no safe search redirects and safe search rewrites.
Now that you’ve learned about safe search enhancement for Web filtering, you'll be interested to know how to disable the safe search function. Check out juniper-local, websense-redirect, and juniper-enhanced for more information.