Blocking DNS requests to known Botnet C&C addresses
A new FortiGuard database contains a list of known Botnet C&C addresses. This database is updated
dynamically and stored on the FortiGate. This database is covered by FortiGuard web filter licensing, so you must have a FortiGuard web filtering license to use this feature.
When you block DNS requests to known Botnet C&C addresses, using IPS, DNS lookups are checked against the Botnet C&C database. All matching DNS lookups are blocked. Matching uses a reverse prefix match, so all sub- domains are also blocked.
To enable blocking of DNS requests to known Botnet C&C addresses, go to Security Profiles > DNS Filter, and enable Block DNS requests to known botnet C&C.
Static URL filter
The DNS inspection profile static URL filter allows you to block, exempt, or monitor DNS requests by using IPS to look inside DNS packets and match the domain being looked up with the domains on the static URL filter list. If there is a match the DNS request can be blocked, exempted, monitored, or allowed.
If blocked, the DNS request is blocked and so the user cannot look up the address and connect to the site. If exempted, access to the site is allowed even if another method is used to block it.
DNS–based web filtering
This feature is similar to the FortiGuard DNS web filtering available in FortiOS 5.2. You can configure DNS web filtering to allow, block, or monitor access to web content according to FortiGuard categories. When DNS web filtering is enabled, your FortiGate must use the FortiGuard DNS service for DNS lookups. DNS lookup requests sent to the FortiGuard DNS service return with an IP address and a domain rating that includes the FortiGuard category of the web page.
If that FortiGuard category is set to block, the result of the DNS lookup is not returned to the requester. If the category is set to redirect, then the address returned to the requester points at a FortiGuard redirect page.
You can also allow access or monitor access based on FortiGuard category.
Rename webfilter-sdns-server-ip and webfilter-sdns-server-port:
config system fortiguard
set sdns-server-ip x.x.x.x set sdns-server-port 53
Configure DNS URL filter:
config dnsfilter urlfilter edit 1
set name “url1″ set comment ”
config entries edit 1
set url “www.google.com” set type simple
set action block set status enable
next edit 2
set url “www.yahoo.com” set type simple
set action monitor set status enable
next edit 3
set url “www.foritnet.com” set type simple
set action allow set status enable
Configure DNS filter profile:
config dnsfilter profile edit “dns_profile1″
set comment ” config urlfilter
set urlfilter-table 1
config ftgd-dns config filters
set category 49 set action block set log enable
next edit 2
set category 71
set action monitor set log enable
set log-all-url disable set block-action redirect set redirect-portal 0.0.0.0 set block-botnet enable
Configure DNS profile in a firewall policy:
config firewall policy edit 1
set srcintf “any” set dstintf “any” set srcaddr “all” set dstaddr “all” set action accept
set schedule “always” set service “FTP”
set utm-status enable
set dnsfilter-profile “dns_profile1” set profile-protocol-options “default” set nat enable
Configure DNS profile in profile group:
config firewall profile-group edit “pgrp1”
set dnsfilter-profile “dns_profile1” set profile-protocol-options “default”
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!