Navigate to Network -> DNS Proxy. Define your servers and the interfaces on which you would like to leverage DNS Proxy.
In the Static Entries tab, define specific FQDNs that you would like to map to specific IP addresses. As you will see below, Bing has an IP specified to enforce Safe Search (you can do an nslookup to verify the current IP that maps to restrict.bing.com).
Navigate to Device -> Setup -> Services -> Service Route Configuration, and select DNS. Verify the interface that is assigned. In my case, it is my trust interface.
Navigate to Policies -> Security. Create a security policy that allows DNS only from the source address assigned in the Service Route Configuration (the firewall's own DNS interface). This ensures that an end user cannot point a client at another DNS server and bypass your static entries: only the firewall is explicitly allowed to send DNS, and everything else is denied (assuming you don't have an "allow all" policy configured below this rule).
Upon testing you will find that safe search is enforced. It should be noted that as part of my configuration I have followed Palo Alto Networks best practice of blocking all search engines except for Google, Bing, and Yahoo, so that I can be more granular with how users on my networks are performing searches. This step is optional, but I recommend it because it will make things easier to control.
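To test the result from a client on the trust network, the following script checks both halves of the setup: that the address the client receives for the search engine is one of restrict.bing.com's addresses (the static entry answered, not public DNS), and that a DNS query sent straight to an outside resolver gets no reply (the security policy dropped it). This is an added example, not a Palo Alto Networks tool or part of the original post; the outside resolver address and the Bing hostname pair are assumptions to adjust for your own environment.

```python
"""Client-side check for the DNS Proxy Safe Search setup (example, not vendor code)."""
import socket
import struct

# Search hostname -> enforcing hostname. The Bing pair comes from the post;
# the mapping itself is an assumption that you should extend for your site.
SAFE_SEARCH_PAIRS = {"www.bing.com": "restrict.bing.com"}
# Illustrative public resolver used to test the bypass path; any outside
# resolver that the security policy should block works here.
OUTSIDE_RESOLVER = "8.8.8.8"


def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query for `name` with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def resolve_a(name: str) -> set[str]:
    """Resolve through the system resolver, i.e. via the firewall's DNS Proxy."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}


def safe_search_enforced(search_ips: set[str], restrict_ips: set[str]) -> bool:
    """True only if every address the client got for the search site is one
    of the restrict.* addresses, so the static entry is what answered."""
    return bool(search_ips) and search_ips <= restrict_ips


def direct_dns_blocked(resolver_ip: str, name: str = "www.bing.com", timeout: float = 2.0) -> bool:
    """Send a query straight to an outside resolver; the policy should drop it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (resolver_ip, 53))
        try:
            s.recvfrom(512)
        except socket.timeout:
            return True   # no answer: the bypass path is blocked
    return False          # an answer came back: clients can bypass the proxy


if __name__ == "__main__":
    for search, restrict in SAFE_SEARCH_PAIRS.items():
        ok = safe_search_enforced(resolve_a(search), resolve_a(restrict))
        print(f"{search}: {'enforced' if ok else 'NOT enforced'}")
    print("direct external DNS blocked:", direct_dns_blocked(OUTSIDE_RESOLVER))
```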