IC Knowledge Base

How to configure DNS based FortiGuard web filtering with FortiOS v5.4

Products

FortiGate v5.4

Description

This article provides a sample configuration for DNS based FortiGuard web filtering.

In FortiOS v5.2, DNS web filtering is one option of the ‘Web Filter’ profile. In FortiOS v5.4 this feature has moved to a separate ‘DNS Filter’ security profile.

The use of this feature is straightforward:

  • Create and configure a ‘DNS Filter’ profile
  • Create and configure a firewall policy
  • Assign the profile to the firewall policy

FortiOS intercepts the DNS requests sent by clients to DNS servers and asks the FortiGuard servers for a rating of the requested domain.

It is recommended to filter only the DNS requests sent by client PCs, not the DNS requests sent by internal DNS servers on the client’s network.

Technical Note: How to configure DNS based FortiGuard web filtering with FortiOS v5.4

Network topology


Internet w/ DNS servers  ===  (wan1)[FG100D](lan)  ===  PCs in LAN


Configure DNS filter

GUI configuration

(The GUI screenshots for this step are not reproduced here; the equivalent CLI configuration follows.)
CLI

config dnsfilter profile
    edit "filter_users"
        config ftgd-dns
            config filters
                edit 1
                    set category 83
                    set action block
                next
                edit 2
                    set category 5
                    set action block
                next
                edit 3
                    set category 1
                    set action block
                next
                edit 4
                    set category 6
                    set action block
                next

                … truncated …

                edit 29
                next
            end
        end
    next
end

Configure firewall policies

The address objects ‘LAN’, ‘myDNS1’ and ‘myDNS2’ referenced below must already exist. Policy 1 applies the DNS Filter profile to DNS traffic from the LAN to the external DNS servers; policy 2 allows the clients’ web traffic.

config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "LAN"
        set dstaddr "myDNS1" "myDNS2"
        set action accept
        set schedule "always"
        set service "DNS"
        set utm-status enable
        set dnsfilter-profile "filter_users"
        set profile-protocol-options "default"
        set nat enable
    next
    edit 2
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
    next
end
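
A policy set like this only filters DNS if every policy that can carry DNS traffic has the profile attached; a later catch-all policy with service ‘ALL’ and no DNS Filter would let DNS requests through unrated. The following added Python example (not a Fortinet tool) parses a ‘config firewall policy’ block with a deliberately simplified parser and reports accept policies that permit DNS (service ‘DNS’ or ‘ALL’) without an enabled DNS Filter profile. SAMPLE_CONFIG is constructed from the policies above, trimmed to the relevant settings, plus a hypothetical catch-all policy 3.

```python
"""Added example: report FortiOS accept policies that allow DNS but carry no enabled
DNS Filter profile. Simplified parser (flat 'set' lines only); sample is constructed."""
import shlex

SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set dstaddr "myDNS1" "myDNS2"
        set action accept
        set service "DNS"
        set utm-status enable
        set dnsfilter-profile "filter_users"
    next
    edit 2
        set action accept
        set service "HTTP" "HTTPS"
    next
    edit 3
        set action accept
        set service "ALL"
    next
end
"""
# Predefined services that admit TCP/UDP 53; custom service objects are not inspected.
DNS_SERVICES = {"DNS", "ALL"}

def parse_policies(text):
    """Map policy id -> {setting: [values]} for a 'config firewall policy' block."""
    policies, cur = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)  # honours the CLI's double-quoted values
        if tok and tok[0] == "edit" and cur is None:
            cur = tok[1]
            policies[cur] = {}
        elif tok and tok[0] == "set" and cur is not None:
            policies[cur][tok[1]] = tok[2:]
        elif tok and tok[0] == "next":
            cur = None
    return policies

def unfiltered_dns_policies(text):
    """Ids of accept policies that permit DNS without an enabled DNS Filter profile."""
    bad = []
    for pid, p in parse_policies(text).items():
        allows_dns = p.get("action") == ["accept"] and DNS_SERVICES & set(p.get("service", []))
        filtered = p.get("utm-status") == ["enable"] and p.get("dnsfilter-profile")
        if allows_dns and not filtered:
            bad.append(pid)
    return bad
```

Run it against a `show firewall policy` dump saved to a file to check a live unit; policy 3 in the sample is the kind of entry it is meant to catch.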

To troubleshoot, use the following commands:
diag debug enable
diag debug application dnsproxy -1

When finished, disable debug with:
diag debug reset
diag debug disable
