by
Etienne Liebetrau
This article describes how to use Sophos XG to block searches that contain specific keywords, such as 'Wallpapers', 'VPNs' or 'Bypass Firewall'.
Using Sophos XG's Web Categories to block internet content makes sense for categories such as 'Adult Content' or 'Gambling' that are obviously inappropriate in most organizations, but other Web Categories are not as easily defined as inappropriate or time-wasting.
For example, school students can waste many hours looking for new wallpapers for their mobile devices and laptops using the image search feature on Google (or any search engine). Even if the school has enforced SafeSearch this only blocks access to inappropriate images. Wallpaper images are often served from sites categorised by Sophos XG as Photo Galleries, and a school may be reluctant to block the entire category as it is useful to art and photography students (and potentially many others).
In these cases, you need something more specific than a category or website block, and this is where blocking by keywords can be useful.
There are two ways to block content by keyword in Sophos XG:
This article takes you through the first option of blocking keywords present in URLs.
For information on the second option, please see Sophos' KB article on Blocking content using a list of terms. You can also use this feature to simply log the pages and keywords, and use Fastvue Sophos Reporter to send alerts when the keyword occurs in the content of a page (see our video on Receiving Alerts On Keywords Within Visited Web Pages)
In this context, Sophos XG does not look to see if the keyword is present in the content of a web page, rather it just checks if that keyword exists in the URL.
Note: A webpage may consist of many different URLs such as the images on the page, videos, scripts, fonts etc.
First, it is important to understand some of the limitations of blocking keywords in URLs.
The main and obvious limitation with blocking content using keywords in URLs, is that if the URL of a website or page does not include the keyword exactly, then the content will not be blocked.
To continue with the school wallpaper example, here are two URL's: one in English and one in French. Content from both could be found doing a search for wallpapers on a Google image search, but the French version will not be blocked.
The other side of the problem is that you could potentially be blocking content that should be allowed for others. For example, when you search for home renovation wall paint, you could get blocked going to
The keywords also have to be literal matches and cannot contain any special characters such as wild card values or regex. This is a bit of a limitation for both inclusion or exclusion.
Let's go through an example of configuring Sophos XG to block searches on Google when the search contains the keyword 'wallpaper'. The behavior we want to achieve is:
First, a quick rundown of the Sophos XG features involved. Sophos XG allows access and enforces restriction with the following:
Note: The steps that follow were written with Sophos XG Firewall SFVH (SFOS 18.0.4 MR-4) in March 2021 and are subject to change in future versions.
To make all of this work we need a Firewall rule that matches Google searches and then applies our web policy.
Now that you've created a Custom Category containing your keywords, used it in Web Policy that also enforces SafeSearch, and applied that policy to a firewall rule that kicks in for Google domains, it is time to test!
Open Google in your favorite browser and search for "wallpaper". You'll see that you are blocked:
Search for something else such as 'higher education' and you will see that it is allowed.
Finally, search for home improvements/wall covering and you will notice when you click through to those sites, you will be allowed access to pages that contain the keyword 'wallpaper'.
The key to knowing what keywords to block is to keep an eye on the sort of searches being performed. Fastvue Sophos Reporter makes it easy to report on and be alerted to suspicious searches, or all searches used in your organization. Since most web journeys start with a search, it is a good indicator of what a user's intended browsing is.
To get started with Fastvue Sophos Reporter, download the free 30-day trial.
Blocking content using just 'keywords' on their own has some limitations in both application and practicality, but can be extremely useful in specific circumstances, such as blocking searches, when used correctly in combination with other Sophos XG filtering mechanisms.
You can now apply the above process with other keywords to prevent specific situations in your organization, such as searches for 'VPNs' or 'Bypass firewall' that could potentially result in those pesky students (or employees!) getting around your Sophos rules and policies altogether.
Let us know how you're using keyword blocks in the comments!
Download our FREE 30-day trial, or schedule a demo and we'll show you how it works.
How to Enable Dark Mode in Fortinet FortiGate (FortiOS 7.0)
Using Sophos XG's XStream DPI Engine While Enforcing SafeSearch and YouTube Restrictions