How To Enforce Safe Search for Google, Bing and resticted mode for You tube in AOS


All the internet search providers have now switched to using HTTPS (encrypted) for all communications to their engines, it is no longer possible to look into the clear text of the request from the client and alter the request to force the search engines to return content and images suitable for display at work or in schools.

When the search results are displayed the pages for images and videos frequently have thumbnail pictures which could be unsafe for children or the work place.

It is not possible to block these thumbnail images or videos as these are returned directly from google over the encrypted channel - but clicking on them would then launch to the website which can be blocked by conventional firewalls or content firewalls.

So the aim of this article is to inform how to force the search providers not to send these thumbnail images in the first place - this is called Safe Search.

It is possible to manually configure each client to enable 'Safe Search' but for obvious reason this is not workable when there are thousands of devices, and what about the BYOD devices - configuring these is something which is just not possible.


So Google recognize this is a significant issue and have come up with another way which is to change any request to 'google' to get a DNS response forcing the client to traffic to does exaclty  what it says always returns safe search content.

Google has over 190 DNS TLDs so each one has to redirected.


Google have also implemented the same for You Tube - forcing it to 'restricted mode' - (note same VIP as

Bing have also followed suit and they have a Safe Search VIP -

Yahoo as far as I can tell do not support DNS mapping to a Safe Search VIP.



Although the controller does not have a DNS server and its not possible to re-write DNS requests forcing to the safesearch VIP's, It is possible to listen to these DNS requests and responses and then use an ACL to look for the destination IP addresses.

The solution is to configure netdestinations and then to apply these destinations to ACL rules which can then destination NAT to the 'Safe Search' VIP.


Google =


You Tube =


Bing =





The configuration requires that the controller has the PEFNG license installed.


From the WebUI create the following 'Destinations'




You Tube




Then create a policy and create the following rules



Then apply this policy to the users authenticated role.



Example from the CLI;


netdestination Bing-SafeSearch
netdestination Google-SafeSearch
  name *.google.
netdestination YouTube-restricted

ip access-list session SafeSearch
  any   alias YouTube-restricted any  dst-nat ip
  any   alias Google-SafeSearch any  dst-nat ip
  any   alias Bing-SafeSearch any  dst-nat ip

user-role authenticated
 access-list session global-sacl
 access-list session apprf-authenticated-sacl
 access-list session SafeSearch
 access-list session ra-guard
 access-list session allowall
 access-list session v6-allowall




To verify the configuration it is possible to view the DNS name to IP mapping on the controller and viewing the session table it is possible to see the destination NAT sessions.


(Aruba3200) #show firewall dns-names

FW DNS names
Name                      Id  InUse  List
----                      --  -----  ----
*.google.                 13  1    9   1             7   1       1   1           6   1        3   1              12  1  10  1           2   1   8   1        11  1              5   1   4   1

(Aruba3200) #

(Aruba3200) #show datapath session table

Datapath Session Table Entries

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop

Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- --------------- 17   53    64288  0/0     0    0   0   tunnel 10   1    1          242        FI 17   64288 53     0/0     6    0   1   tunnel 10   1    1          61         FCI  6    49411 443    0/0     0    0   0   tunnel 10   2    72         7650       NC   6    49412 443    0/0     0    0   0   tunnel 10   1    21         2104       NC 6    443   49411  0/0     0    0   0   tunnel 10   2    60         34224      S 6    443   49412  0/0     0    0   0   tunnel 10   1    17         5776       S

(Aruba3200) #

We can see that DNS requests are marked for Deep inspection (I) and data going to google is being Destination NAT'd (N)

Version history
Revision #:
2 of 2
Last update:
‎01-27-2016 02:37 AM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: