[Fresh From the Press: Latest KB's] Sophos XG Firewall: How to enforce SafeSearch

Hi Community,

The XG Firewall has the ability to enforce SafeSearch and other features that some websites provide. The XG does not perform the SafeSearch, it only ensures that the website’s feature is turned on and cannot be bypassed.

More configuration options and enforcement granularity for SearchSearch and YouTube has been added in SFOS v17.5.

Version support

  • v16.5 and prior: Web > General Settings > Enforce SafeSearch uses header method to enforce SafeSearch (requires HTTPS scanning).
  • v17.0 and v17.1: Web > General Settings > Enforce SafeSearch uses DNS method to enforce Google/Bing SafeSearch and YouTube restricted mode (does not require HTTPS scanning).
  • v17.5: Web > Policies > [Edit a Policy] Enforce SafeSearch and Enforce YouTube restrictions are configured separately and per policy.
    • Note: In v17.5 and later, it is not possible to enforce SafeSearch in the “Allow All” policy because it is not editable. In order to enforce SafeSearch, please create a new custom Allow All policy, edit the SafeSearch setting, and select that in your firewall rule

Please refer to the full KB article here.

  • Hi Flo,

    I don't quite understand you article? I am running v17.5 beta-2 and can edit the exisiting policy as per the screenshot below. Is this because I imported a backup from v17.1.3?

     

    Ian

     

  • In reply to rfcat_vk:

    That is correct, Ian.  That matches the article section "Changing settings in v17.5".

     

    I worked on this KB and struggled a little bit over whether it should focus on SafeSearch in all versions and the differences, or should focus on SafeSearch in 17.5 with a note about how it worked previously.  I ended up with describing everything and that might have made it less clear.

    Please let me know where the confusion is so that we can improve the article.

  • In reply to Michael Dunn:

    Hi Michael,

    I am trying to understand what the note about v17.5 and later means. My impression is that you cannot edit existing policies but I can, that is my confusion?

    Ian

  • In reply to rfcat_vk:

    When you change a firewall rule, you can select a Web Policy called "Allow All".

    When you go to Web > Policies you cannot even see the policy "Allow All".  It is a special policy that you can select but you cannot edit, and in fact cannot even see the details of.

    In 17.5 the Allow All policy has SafeSearch turned off.

     

    In 17.1 anybody who had the global SafeSearch on and is using the Allow All policy would experience SafeSearch being on.

    In 17.5 using the Allow All policy would experience SafeSearch being off.

    Therefore some customers who upgrade will have a change in experience.

  • In reply to Michael Dunn:

    (unofficial release notes)

     

    Web Protection - Safe Search Enforcement

     

    Enforcement of search engine Safe Search and additional image filters is now configurable per-web policy and is no longer a global option. The settings have been moved from Web > General Settings into the additional options that are available when editing a web policy. In addition, configuration for YouTube restrictions have been broken out into a separate option.

     

    Product behaviour will be preserved on upgrade by automatically migrating the existing global settings to all existing web policies.

    Before upgrade - Web > General settings

    After upgrade - Web > Policies > Edit web policy

    Enforce SafeSearch

    Enforce additional image filters

    Enforce SafeSearch

    Enforce additional image filters

    Enforce YouTube restrictions

    Enabled

    Enabled

    Enabled

    On

    Enabled - Strict

    Enabled

    Disabled

    Enabled

    Off

    Enabled - Strict

    Disabled

    Disabled

    Disabled

    Off

    Disabled

     

    The exceptions to this are the following built-in, uneditable policies:

    Policy name

    Enforce SafeSearch

    Enforce additional image filters

    Enforce YouTube restrictions

    Allow All

    Disabled

    Off

    Disabled

    Deny All

    Disabled

    Off

    Disabled

    *** Filter

    Enabled

    Off

    Enabled - Moderate

  • In reply to Michael Dunn:

    Now I understand. I had added the 'allow all' to my policy when I created it so all is understood.

    Thank you

    Ian