Sophos XG - How to Block Searches and URLs with Specific Keywords

This article describes how to use Sophos XG to block searches that contain specific keywords, such as 'Wallpapers', 'VPNs' or 'Bypass Firewall'.

Using Sophos XG's Web Categories to block internet content makes sense for categories such as 'Adult Content' or 'Gambling' that are obviously inappropriate in most organizations, but other Web Categories are not as easily defined as inappropriate or time-wasting.

For example, school students can waste many hours looking for new wallpapers for their mobile devices and laptops using the image search feature on Google (or any search engine). Even if the school has enforced SafeSearch this only blocks access to inappropriate images. Wallpaper images are often served from sites categorised by Sophos XG as Photo Galleries, and a school may be reluctant to block the entire category as it is useful to art and photography students (and potentially many others).

In these cases, you need something more specific than a category or website block, and this is where blocking by keywords can be useful.

Blocking Content Using Keywords in Sophos XG

There are two ways to block content by keyword in Sophos XG:

1. Block if the keyword is present in URLs using custom Web Categories.
2. Block if the keyword is present in the content of a page using Content Filters.

This article takes you through the first option of blocking keywords present in URLs.

For information on the second option, please see Sophos' KB article on Blocking content using a list of terms. You can also use this feature to simply log the pages and keywords, and use Fastvue Sophos Reporter to send alerts when the keyword occurs in the content of a page (see our video on Receiving Alerts On Keywords Within Visited Web Pages)

Blocking Keywords in URLs with Sophos XG

In this context, Sophos XG does not look to see if the keyword is present in the content of a web page, rather it just checks if that keyword exists in the URL.

Note: A webpage may consist of many different URLs such as the images on the page, videos, scripts, fonts etc.

First, it is important to understand some of the limitations of blocking keywords in URLs.

Limitations blocking keywords in URLs

The main and obvious limitation with blocking content using keywords in URLs, is that if the URL of a website or page does not include the keyword exactly, then the content will not be blocked.

To continue with the school wallpaper example, here are two URL's: one in English and one in French. Content from both could be found doing a search for wallpapers on a Google image search, but the French version will not be blocked.

• https://imagelibrabry.com/wallpapers/page1 - this would be blocked
• https://imagelibrary.fr/fonddecran/page1 - this would not be blocked

The other side of the problem is that you could potentially be blocking content that should be allowed for others. For example, when you search for home renovation wall paint, you could get blocked going to

• https://homeimprovements.com/paint-and-**wallpaper**/page1

The keywords also have to be literal matches and cannot contain any special characters such as wild card values or regex.  This is a bit of a limitation for both inclusion or exclusion.

How to Block Searches using Keywords with Sophos XG

Let's go through an example of configuring Sophos XG to block searches on Google when the search contains the keyword 'wallpaper'. The behavior we want to achieve is:

1. If someone searches for 'wallpaper', the search is blocked.
2. Google SafeSearch is still enforced for other searches.
3. Other URLs that include the word wallpaper are allowed (such as home improvement websites).

First, a quick rundown of the Sophos XG features involved. Sophos XG allows access and enforces restriction with the following:

• Firewall Rules linked to a TLS Inspection Rule and a Web Access Policy
• Web Access Policies contain User Activities that can use Web Categories
• Web Categories are made up of Domains and Keywords

Note: The steps that follow were written with Sophos XG Firewall SFVH (SFOS 18.0.4 MR-4)  in March 2021 and are subject to change in future versions.

Step 1. Create a Custom Category with the keyword list

1. Navigate to Protect | Web | Categories and click the Add button.
2. Specify a Name,  Classification and add the keyword(s). I suggest adding some basic variations such as plurals and common language variations used in your organization.

Step 2. Create a Custom User Activity group

1. Navigate to Protect | Web | User Activities and click the Add button.
2. Specify a Name and add the custom Category created in the previous step.

Step 3. Create a new Web Policy

1. Navigate to Protect | Web | Policies, click the Add Policy button and give the policy a name.
2. Click the Add rule button and add a Block HTTP rule for the Custom User Activity created earlier
3. Change the Default action rule to Allow HTTP (we will restrict this in the firewall rules)
4. Since we are going to apply this rule to search engines, it is a good place to check Enforce Safe Search as an Additional Setting of the web policy.

Step 4. Create a Firewall Rule

To make all of this work we need a Firewall rule that matches Google searches and then applies our web policy.

1. Navigate to Protect | Rules and Policies | Firewall Rules and click the Add Firewall Rule button.
2. In the Destination Networks section, search for and add the Google domains.
3. Under Security Features | Web Filtering section, select your Restricted Search policy that you created earlier as the Web policy.
4. Check Block QUIC protocol (Why? See our article on How Google’s QUIC Protocol Impacts Network Security and Reporting).
5. Check Use web proxy instead of DPI Engine (You need to use the Web proxy method since enforcing SafeSearch is not possible using the DPI engine).
6. Check Decrypt HTTPS during web proxy filtering.

Testing

Now that you've created a Custom Category containing your keywords, used it in Web Policy that also enforces SafeSearch, and applied that policy to a firewall rule that kicks in for Google domains, it is time to test!

Open Google in your favorite browser and search for "wallpaper". You'll see that you are blocked:

Search for something else such as 'higher education' and you will see that it is allowed.

Finally, search for home improvements/wall covering and you will notice when you click through to those sites, you will be allowed access to pages that contain the keyword 'wallpaper'.

Monitoring Search Terms

The key to knowing what keywords to block is to keep an eye on the sort of searches being performed. Fastvue Sophos Reporter makes it easy to report on and be alerted to suspicious searches, or all searches used in your organization. Since most web journeys start with a search, it is a good indicator of what a user's intended browsing is.

1. In Fastvue Sophos Reporter, go to Reports | Overview Report | Internet Usage
2. Select your desired date range and click Run Report (or Schedule Report)
3. Go to the Safeguarding | Search Terms section. By default, this shows Suspicious Searches, but you can show all of them by clicking the All Searches button.

To get started with Fastvue Sophos Reporter, download the free 30-day trial.

Conclusion

Blocking content using just 'keywords' on their own has some limitations in both application and practicality, but can be extremely useful in specific circumstances, such as blocking searches, when used correctly in combination with other Sophos XG filtering mechanisms.

You can now apply the above process with other keywords to prevent specific situations in your organization, such as searches for 'VPNs' or 'Bypass firewall' that could potentially result in those pesky students (or employees!) getting around your Sophos rules and policies altogether.

Let us know how you're using keyword blocks in the comments!