How do I enforce safesearch?

Ok, a few months ago, I had tech support remotted in and they were helping me figure out an issue. I asked him about setting up safesearch and he just did it for me. Took him not long.

A few days ago, I did something stupid. I recently updated my password for watchguard and I had the old password in the password field and the new password just as a note.

Well, I saw that and I'm thinking I need to just move that password to the password field. So, I did that. I overwrote the old password. (All my passwords are auto generated.)

Well, a little later, I made a change to the firebox that messed it all up. I decided, I'll roll back to my old backup. That's where I went wrong. As soon as I did that, it restored my old password. Now I was locked out of the watchguard. I couldn't get back in.

So, I started over with a brand new config. I cannot figure out how to enforce safe search. I've followed a few different tutorials. I remember him saying that you can't see inside of https so I had to set it to inspect and inspect it with http. I set the http to use safe search and then told https to point to that policy. But, once I did that, I started getting errors with certs. I watched a youtube video and they explained the cert error.

But, basically the video said I need to install the cert on all of my PCs to get rid of that error. I did not have to do that the last time. However support configured it, I didn't need to do anything to my clients.


  • Options

    Looks like you should start saving copies of your configs, beyond a backup, so that you can easily recover to an earlier config without restoring a backup.

    You can do this manually using the Web UI.
    You can make this happen automatically using WSM Policy Manger: File -> Save -> Always create a backup

    The only way that I see to implement Safesearch is on the HTTP proxy action, and thus to enable Safesearch for a HTTPS site is to do Inspect for that site, which does require the firewall cert to be installed on the web browsers being used by your client devices.

    From the docs:
    "To enforce SafeSearch for some sites that require HTTPS connections (such as Google and YouTube), you must use an HTTPS Proxy policy with content inspection enabled. To enable SafeSearch for decrypted HTTPS content, in the proxy action for the HTTPS-Client Proxy policy, select an HTTP-Client proxy action with SafeSearch enabled."

    HTTP Request: General Settings

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    There isn't a way to enforce safesearch via the firewall's proxy without having to use content inspection.

    It is possible to do so via DNSWatch (which uses a DNS cname to do this) or via your own DNS server if you're running one internally. See
    This method does not require you enable content inspection.

    -James Carson
    WatchGuard Customer Support

  • Options

    So, I do save my configs. I just did something really stupid. I've been saving my config a ton. But then I was getting paranoid about my admin password. So, I changed it. I use a random password generator. My old password was a random password. I changed my password. A little later, I made a change and it messed up the config. I hadn't made a backup since changing my password like 10 minutes earlier. Well, then I rolled back and I can't login to the firebox with that backup because I don't know the password.

  • Options

    I do want to enable content inspection. I tried and it's not working. I watched how watchguard did it. He just redirected on the https rule to the http rule and enabled safe search. He must've done something more. Because that's not working for me.

  • Options

    Do you have Inspect enabled on the HTTPS proxy action for the domain that you want to have SafeSearch implemented?

    If you have saved configs, then you can review them and potentially reload them using WSM Policy Manager. You really can't review them using the Web UI without loading the config into the firewall.

Sign In to comment.