Restricting Content for Internet Traffic

This article explains how to use the Content Restrictions feature to restrict and block users from searching for explicit Internet content.

Configuring the Internet Policy Content

You can configure an Internet Content Restrictions policy to define how the Cato Cloud manages Internet search engines and YouTube content. The DNS server in the Cato Cloud creates a CNAME (canonical name) record for these conditions to redirect the appropriate Internet traffic:

  • Google search engine routes to

  • Bing search engine routes to

  • Strict YouTube policy routes to

  • Moderate YouTube policy routes to

When the Content Restrictions feature is enabled, the appropriate SafeSearch settings for the Google, Bing, or YouTube search engines are applied to the Internet or YouTube search. For example, if a user searched for nudity, the search engine SafeSearch filter removes all the results that are explicit. The search engine only shows websites with no explicit content. However, if a user browsed directly to, the connection to the website doesn't use the search engine and isn't restricted.


If you believe that content is classified incorrectly, please contact the appropriate Internet search engine or YouTube.


Note: You can use the Internet firewall to block specific websites or categories. For more information, see What is the Cato Internet Firewall?.

To configure the Content Restrictions policy for your account:

  1. From the navigation pane, click Security > Content Restrictions.

  2. Select each Search Engine that is included in the Content Restrictions policy.

  3. If you are including YouTube in the policy, configure the settings for the YouTube content restrictions:

    1. To enforce the content policy for YouTube, select YouTube content restrictions.

    2. In Restrictions Level, select to enforce Moderate or Strict content restrictions.

  4. Click Save.

Best Practices for Content Restrictions

When you implement Content Restrictions, it's possible that cached data in servers and user devices may prevent the traffic redirection required for enforcing the restrictions. We therefore recommend the following best practices when you first configure the restrictions:

  • If your environment has internal DNS servers, clear the DNS cache on the servers
  • Clear all cached DNS data on user devices, and clear all browser caches and cookies

Using the Explicit Content Restriction Policy with Secure DNS

Internet browsers include an option to use DNS over HTTPS (DoH) as an additional security measure. When DoH is enabled for a browser, then it bypasses the SafeSearch settings in the Content Restrictions policy. This means that even if the Content Restrictions feature is enabled for your account, it doesn't apply to browsers that are using DoH for secure DNS.

Each browser has different DoH settings:

  • Is DoH enabled by default for the browser?

  • Some browsers (such as Chrome and Firefox) automatically disable DoH when they detect that the computer is managed by an organization

For accounts that enable the Content Restrictions feature, we recommend that you review the browsers that are used in your organization and the specific DoH settings.

Was this article helpful?

0 out of 0 found this helpful


  • Comment author
    Mark Crowle-Groves

    Guide is out of date. Security page no longer says Content Policy and in fact says Content Restrictions 

  • Comment author
    Yaakov Simon


    Thanks so much for your help! We updated the article and screenshot.


Add your comment