
Email filtering

The FortiGate Email Filter can be configured to do AntiSpam and file-type based filtering. To enable email filtering, create a profile using either the CLI or GUI, then use this profile in the firewall policy.

To configure the email filter profile in the CLI:

config emailfilter profile
    edit "ProfileName"
        set options ?
bannedword      Content block.
spambwl         Black/white list.
spamfsip        Email IP address FortiGuard AntiSpam black list check.
spamfssubmit    Add FortiGuard AntiSpam spam submission text.
spamfschksum    Email checksum FortiGuard AntiSpam check.
spamfsurl       Email content URL FortiGuard AntiSpam check.
spamhelodns     Email helo/ehlo domain DNS check.
spamraddrdns    Email return address DNS check.
spamrbl         Email DNSBL & ORBL check.
spamhdrcheck    Email mime header check.
spamfsphish     Email content phishing URL FortiGuard AntiSpam check.

These options can be grouped according to the source of the decision:

  • Local options: the FortiGate qualifies the email based on local conditions such as the black/white list (BWL), banned words, or DNS checks (the DNS checks use the FortiGuard service).
      bannedword      Content block.
      spambwl         Black/white list.
      spamhelodns     Email helo/ehlo domain DNS check.
      spamraddrdns    Email return address DNS check.
      spamhdrcheck    Email mime header check.
  • FortiGuard-based options: the FortiGate qualifies the email based on the score or verdict returned by the FortiGuard service.
      spamfsip        Email IP address FortiGuard AntiSpam black list check.
      spamfssubmit    Add FortiGuard AntiSpam spam submission text.
      spamfschksum    Email checksum FortiGuard AntiSpam check.
      spamfsurl       Email content URL FortiGuard AntiSpam check.
      spamfsphish     Email content phishing URL FortiGuard AntiSpam check.
  • Third-party options: the FortiGate qualifies the email based on information from a third-party source (such as an ORB list).
      spamrbl         Email DNSBL & ORBL check.

Local and FortiGuard black/white lists can be enabled and combined in a single profile. When they are combined, the local black/white list has a higher priority than FortiGuard's black list during decision making.

For example, if a client's IP address is blacklisted on the FortiGuard servers but the administrator wants to override that decision and let the IP pass through the filter, they can define the IP address or subnet in a local BWL entry with the clear action. Because information from the local BWL has a higher priority than the FortiGuard service, the email is considered clean.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Use FortiGate as a DNS server

You can configure and use FortiGate as a DNS server in your network. When you enable DNS Service on a specific interface, FortiGate will listen for DNS Service on that interface.

Depending on the configuration, DNS Service on FortiGate can work in three modes: Recursive, Non-Recursive, or Forward to System DNS (server). For details on how to configure DNS Service on FortiGate, see the FortiGate System Configuration Guide.

You can apply a DNS Filter profile to Recursive Mode and Forward to System DNS Mode. This is the same as FortiGate working as a transparent DNS Proxy for DNS relay traffic.

To configure DNS Service on FortiGate using GUI:

  1. Go to Network > DNS Servers.
  2. In the DNS Service on Interface, click Create New and select an Interface.

The Recursive and Non-Recursive Mode is available only after you configure the DNS database.

To configure DNS Service on FortiGate using CLI:

config system dns-server
    edit "port10"                      <<<==== Enable DNS Service on the interface
        set mode forward-only
        set dnsfilter-profile "demo"   <<<==== apply a DNS Filter profile to the service
    next
end

Sample configuration

In this example, FortiGate port 10 is enabled as a DNS Service with the DNS Filter profile "demo". Suppose port 10 has the IP address 10.1.100.5 and the DNS Filter profile "demo" is set to block category 52 (Information Technology). From a PC on your internal network, use a command line tool such as dig or nslookup to do a DNS query against that address. For example:

# dig @10.1.100.5 www.fortinet.com      <<<==== Specify the FortiGate interface address as the DNS server

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52809
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.fortinet.com.           IN     A

;; ANSWER SECTION:
www.fortinet.com.      60     IN    A     208.91.112.55  <<<==== The DNS Filter profile filters the relayed DNS traffic according to the profile configuration; the query was blocked and answered with the redirect portal IP

;; Received 50 B
;; Time 2019-04-08 14:36:34 PDT
;; From 10.1.100.5@53(UDP) in 13.6 ms



DNS translation

Using this feature, you can translate a DNS resolved IP address to another IP address you specify.

For example, website A has a public address 1.2.3.4. However, when your internal network users visit this website, you want them to connect to an internal host, say, 192.168.3.4. In this case, you can use DNS translation to translate the DNS resolved address 1.2.3.4 to 192.168.3.4. Reverse use of DNS translation is also applicable, for example, if you want public DNS query of your internal server to get a public IP address, then you can translate a DNS resolved private IP to a public IP address.

Sample configuration

This example configuration forces the DNS Filter profile to translate 93.184.216.34 (www.example.com) to 192.168.3.4. When internal network users query www.example.com, they do not get the original www.example.com address 93.184.216.34; it is replaced with 192.168.3.4.

To configure DNS translation on GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter profile.
  2. Enable DNS Translation and click Create New.
  3. Enter the Original Destination (the domain’s original IP address), the Translated Destination IP address, and the Network Mask (in most cases, it’s 255.255.255.255).

To configure DNS translation on CLI:

config dnsfilter profile
    edit "demo"
        set comment ''
        …
        config dns-translation          <<<====
            edit 1
                set src 93.184.216.34
                set dst 192.168.3.4
                set netmask 255.255.255.255
            next
        end
        set redirect-portal 0.0.0.0
        set redirect-portal6 ::
        set youtube-restrict strict
    next
end

To check DNS translation using a command line tool before DNS translation:

# dig www.example.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27030
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.example.com.            IN  A

;; ANSWER SECTION:
www.example.com.   33946  IN  A   93.184.216.34

;; AUTHORITY SECTION:
example.com.       18578  IN  NS  b.iana-servers.net.
example.com.       18578  IN  NS  a.iana-servers.net.

;; Received 97 B
;; Time 2019-04-08 10:47:26 PDT
;; From 172.16.95.16@53(UDP) in 0.5 ms

To check DNS translation using a command line tool after DNS translation:

# dig www.example.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 62060
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.example.com.            IN  A

;; ANSWER SECTION:
www.example.com.   32491  IN  A   192.168.3.4    <<<==== resolved IP translated

;; AUTHORITY SECTION:
example.com.       17123  IN  NS  b.iana-servers.net.
example.com.       17123  IN  NS  a.iana-servers.net.

;; Received 97 B
;; Time 2019-04-08 11:11:41 PDT
;; From 172.16.95.16@53(UDP) in 0.5 ms

How the DNS translation network mask works

The following is an example of a DNS translation entry with a netmask shorter than /32, and the result it produces.

config dns-translation
    edit 1
        set src 93.184.216.34
        set dst 1.2.3.4
        set netmask 255.255.224.0
    next
end

# dig www.example.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 6736
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 2; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.example.com.            IN  A

;; ANSWER SECTION:
www.example.com.   29322  IN  A   1.2.24.34

;; AUTHORITY SECTION:
example.com.       13954  IN  NS  a.iana-servers.net.
example.com.       13954  IN  NS  b.iana-servers.net.

;; Received 97 B
;; Time 2019-04-08 12:04:30 PDT
;; From 172.16.95.16@53(UDP) in 2.0 ms

  • Step 1: AND the src (original IP) with the inverted netmask (93.184.216.34 & ~255.255.224.0):

01011101.10111000.11011000.00100010   93.184.216.34    <- ip
00000000.00000000.00011111.11111111   ~255.255.224.0   <- ~netmask
-----------------------------------   &
00000000.00000000.00011000.00100010   0.0.24.34        <- right (host) bits

  • Step 2: AND the dst (translated IP) with the netmask:

00000001.00000010.00000011.00000100   1.2.3.4          <- dst
11111111.11111111.11100000.00000000   255.255.224.0    <- netmask
-----------------------------------   &
00000001.00000010.00000000.00000000   1.2.0.0          <- left (network) bits

  • Final step: bitwise-OR the results of step 1 and step 2:

00000000.00000000.00011000.00100010   0.0.24.34
00000001.00000010.00000000.00000000   1.2.0.0
-----------------------------------   |
00000001.00000010.00011000.00100010   1.2.24.34
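The netmask rule above, carried through in code as an added example (not Fortinet's implementation). It reproduces the three steps for the page's values and generalises them to any resolved address: the host bits (src & ~netmask) are kept from the answer, the network bits (dst & netmask) come from dst. The rule that an answer is rewritten only when it lies in the same netmask block as src is an assumption, not something the page states.

```python
import ipaddress


def to_bits(addr: str) -> str:
    """Render an IPv4 address as dotted 8-bit groups, like the worked steps above."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(addr).packed)


def translation_steps(resolved: str, dst: str, netmask: str) -> dict:
    """Return the intermediate values of the netmask rule as dotted strings."""
    ip = int(ipaddress.IPv4Address(resolved))
    dst_i = int(ipaddress.IPv4Address(dst))
    mask = int(ipaddress.IPv4Address(netmask))

    host_bits = ip & (~mask & 0xFFFFFFFF)   # step 1: src & ~netmask ("right bits")
    net_bits = dst_i & mask                 # step 2: dst & netmask  ("left bits")

    def dotted(value: int) -> str:
        return str(ipaddress.IPv4Address(value))

    return {
        "host_bits": dotted(host_bits),
        "net_bits": dotted(net_bits),
        "result": dotted(net_bits | host_bits),   # final step: bitwise OR
    }


def dns_translate(resolved: str, src: str, dst: str, netmask: str) -> str:
    """Apply one dns-translation entry to a resolved A record.

    Assumption (not stated on the page): the answer is rewritten when it falls
    in the same netmask block as src; with 255.255.255.255 that is an exact
    match. Answers outside the block are returned unchanged.
    """
    ip = int(ipaddress.IPv4Address(resolved))
    src_i = int(ipaddress.IPv4Address(src))
    mask = int(ipaddress.IPv4Address(netmask))
    if (ip & mask) != (src_i & mask):
        return resolved
    return translation_steps(resolved, dst, netmask)["result"]


if __name__ == "__main__":
    # The page's example: 93.184.216.34 -> 1.2.3.4 with netmask 255.255.224.0
    steps = translation_steps("93.184.216.34", "1.2.3.4", "255.255.224.0")
    for label, value in steps.items():
        print(f"{to_bits(value)}  {value:<15} <- {label}")
```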



Local domain filter

In addition to FortiGuard's category-based domain filter, you can also define your own local static domain filter to allow or block specific domains.

To configure DNS local domain filter on GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. In the Static Domain Filter section, enable Domain Filter.
  3. Click Create New to create your local domain filter entries.

To configure DNS local domain filter on CLI:

config dnsfilter domain-filter
    edit 1
        set name "demo"
        set comment ''
        config entries
            edit 1
                set domain "www.fortinet.com"
                set type simple
                set action allow
                set status enable
            next
            edit 2
                set domain "*.example.com"
                set type wildcard
                set action block
                set status enable
            next
            edit 3
                set domain "google"
                set type regex
                set action monitor
                set status enable
            next
        end
    next
end

To check the DNS local domain filter log in the GUI:

  1. Go to Log & Report > DNS Query to view the DNS query log.

Because the local domain filter entry "google" has the Monitor action, the query is handed on to the FortiGuard category-based domain filter, which blocks it.

To check the DNS local domain filter log in the CLI:

7: date=2019-04-05 time=15:37:06 logid="1501054803" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" vd="vdom1" eventtime=1554503826 policyid=1 sessionid=69132 srcipp=10.1.100.18 srcport=49832 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=4612 qname="www.google.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="208.91.112.55" msg="Domain belongs to a denied category in policy" action="redirect" cat=41 catdesc="Search Engines and Portals"

8: date=2019-04-05 time=15:37:06 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554503826 policyid=1 sessionid=69132 srcipp=10.1.100.18 srcport=49832 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=4612 qname="www.google.com" qtype="A" qtypeval=1 qclass="IN"

9: date=2019-04-05 time=15:36:59 logid="1501054400" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" vd="vdom1" eventtime=1554503818 policyid=1 sessionid=69121 srcipp=10.1.100.18 srcport=40659 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24730 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=1 domainfilterlist="demo"

10: date=2019-04-05 time=15:36:59 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554503818 policyid=1 sessionid=69121 srcipp=10.1.100.18 srcport=40659 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=24730 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN"

11: date=2019-04-05 time=15:36:51 logid="1501054401" type="utm" subtype="dns" eventtype="dnsresponse" level="information" vd="vdom1" eventtime=1554503810 policyid=1 sessionid=69118 srcipp=10.1.100.18 srcport=33461 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=53801 qname="www.fortinet.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="13.56.55.78, 54.183.57.55" msg="Domain was allowed because it is in the domain-filter list" action="pass" domainfilteridx=1 domainfilterlist="demo"

12: date=2019-04-05 time=15:36:51 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554503810 policyid=1 sessionid=69118 srcipp=10.1.100.18 srcport=33461 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=53801 qname="www.fortinet.com" qtype="A" qtypeval=1 qclass="IN"

Sequence and priority

In DNS Filter, local domain filter has a higher priority than FortiGuard category-based domain filter.

A DNS query is scanned and matched with local domain filter first. If an entry matches and the local filter entry’s action is block, then that DNS query is blocked or redirected.

If the local domain filter list has no match, the FortiGuard category-based domain filter is used. If the domain name's rating belongs to a blocked category, the query is blocked or redirected. If the FortiGuard category-based filter has no match either, the original resolved IP address is returned to the client DNS resolver.

The local domain filter action can be Block, Allow, or Monitor. If a matching entry's action is Allow, the FortiGuard category-based domain filter is skipped and the resolved address is returned directly to the client DNS resolver. If a matching entry's action is Monitor, the query is logged and then goes on to FortiGuard category-based scanning and matching.
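The sequence described above, as an added example (not FortiGate's code): the local domain filter is consulted first with the three entry types from the CLI example, Allow short-circuits, Block redirects, Monitor falls through to a category check. The FortiGuard rating is replaced by a constructed lookup table, the categories blocked by the profile are assumed to be 41 and 52 (the two that this page shows being blocked), and "first matching entry wins" is an assumption.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Callable, Iterable, Set, Tuple


@dataclass
class DomainFilterEntry:
    domain: str
    type: str     # "simple", "wildcard" or "regex", as in the CLI
    action: str   # "allow", "block" or "monitor"
    status: str = "enable"


def entry_matches(entry: DomainFilterEntry, qname: str) -> bool:
    """Match a query name against one entry according to the entry's type."""
    name = qname.rstrip(".").lower()          # DNS names are case-insensitive
    if entry.type == "simple":
        return name == entry.domain.lower()
    if entry.type == "wildcard":
        return fnmatch.fnmatchcase(name, entry.domain.lower())
    if entry.type == "regex":
        return re.search(entry.domain, name, re.IGNORECASE) is not None
    raise ValueError(f"unknown entry type {entry.type!r}")


def dns_filter_verdict(qname: str,
                       entries: Iterable[DomainFilterEntry],
                       rate: Callable[[str], int],
                       blocked_categories: Set[int]) -> Tuple[str, str]:
    """Return (action, message) using the page's priority order."""
    for entry in entries:
        if entry.status != "enable" or not entry_matches(entry, qname):
            continue
        if entry.action == "allow":
            return "pass", "Domain was allowed because it is in the domain-filter list"
        if entry.action == "block":
            return "redirect", "Domain was blocked because it is in the domain-filter list"
        break   # monitor: logged, then handed to the FortiGuard category check
    cat = rate(qname)
    if cat in blocked_categories:
        return "redirect", f"Domain belongs to a denied category in policy (cat={cat})"
    return "pass", "original resolved IP returned"


# The three entries from the CLI example above, in configured order
DEMO_ENTRIES = [
    DomainFilterEntry("www.fortinet.com", "simple", "allow"),
    DomainFilterEntry("*.example.com", "wildcard", "block"),
    DomainFilterEntry("google", "regex", "monitor"),
]

# Constructed stand-in for the FortiGuard rating service
# (41 = Search Engines and Portals, 52 = Information Technology on this page)
DEMO_RATINGS = {"www.google.com": 41, "www.fortinet.com": 52, "www.example.com": 52}


def demo_rate(qname: str) -> int:
    return DEMO_RATINGS.get(qname.rstrip(".").lower(), 0)


def demo_verdict(qname: str) -> Tuple[str, str]:
    return dns_filter_verdict(qname, DEMO_ENTRIES, demo_rate, {41, 52})


if __name__ == "__main__":
    for q in ("www.fortinet.com", "www.example.com", "www.google.com", "mail.example.org"):
        print(q, "->", demo_verdict(q))
```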



DNS safe search

Enable DNS Filter safe search so that FortiGate responds with the search engine’s children and school safe domain or IP address. Users might not be aware of this filter. Explicit contents are filtered by the search engine itself. This feature isn’t 100% accurate but it can help you avoid explicit and inappropriate search results.

This feature currently supports Google, Bing, and YouTube.

To configure DNS Filter Safe Search on GUI:

  1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
  2. Enable Enforce ‘Safe search’ on Google, Bing, YouTube.
  3. For Restrict YouTube Access, select Strict or Moderate.

To configure DNS Filter Safe Search on CLI:

config dnsfilter profile
    edit "demo"
        config ftgd-dns
            set options error-allow
            config filters
                edit 2
                    set category 2
                next
            end
        end
        set log-all-domain enable
        set block-botnet enable
        set safe-search enable      <<<==== DNS Filter Safe Search option
    next
end

Sample

To see an example of how this works, enable this option. Then from your internal network PC, use a command line tool such as dig or nslookup to do a DNS query on www.bing.com. For example:

# dig www.bing.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46568
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.bing.com.               IN  A

;; ANSWER SECTION:
www.bing.com.      103  IN  CNAME  strict.bing.com.   <<<====
strict.bing.com.   103  IN  A      204.79.197.220

;; Received 67 B
;; Time 2019-04-05 14:34:52 PDT
;; From 172.16.95.16@53(UDP) in 196.0 ms

The DNS query for www.bing.com returns with a CNAME strict.bing.com, and A record for the CNAME. The user’s web browser then connects to this address with the same search engine UI but any explicit content search is filtered out. Check the DNS Filter log for the message DNS Safe Search enforced.

To check the DNS Filter Safe Search log in the CLI:

1: date=2019-04-05 time=14:34:53 logid="1501054804" type="utm" subtype="dns" eventtype="dnsresponse" level="notice" vd="vdom1" eventtime=1554500093 policyid=1 sessionid=65955 srcipp=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="204.79.197.220" msg="DNS Safe Search enforced" action="pass" sscname="strict.bing.com" cat=41 catdesc="Search Engines and Portals"

2: date=2019-04-05 time=14:34:53 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554500092 policyid=1 sessionid=65955 srcipp=10.1.100.18 srcport=36575 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=59573 qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN"

Additional information

For each search engine's safe search specifications, see that search engine's own specification page.



External Resources for DNS filter

Introduction

External Resources is a new feature introduced in FortiOS 6.0. It provides the capability to dynamically import an external blacklist hosted on an HTTP server. This feature enables FortiGate to periodically retrieve a dynamic URL, domain name, IP address, or malware hash list from an external HTTP server. FortiGate uses these external resources as Web Filter remote categories, DNS Filter remote categories, policy address objects, or antivirus profile malware definitions. If the external resources are updated, the FortiGate objects are updated dynamically as well.

External Resource is divided into four types:

  • URL list (Type=category)
  • Domain Name list (Type=domain)
  • IP Address list (Type=address)
  • Malware hash list (Type=malware)

Remote categories and external IP block list

The DNS Filter profile can use two types of external resources: domain type and address type. A domain type resource file is a list of domain names; an address type resource file is a list of IP addresses.

When a domain type external resource is configured, it is treated as a Remote Category in DNS Filter profile. If the domain name in DNS Query matches the entry in this external resource file, it is treated as the Remote Category and follows the action configured for this category in DNS Filter profile.

When an address type external resource is configured, it can be enabled as external-ip-blocklist in DNS Filter profile. If DNS resolved IP address in DNS response matches the entry in the external-ip-blocklist, this DNS Query is blocked by DNS Filter.

External Resources file format

File format requirements for External Resources file:

  • The file is in plain text format with each URL list/IP Address/Domain Name occupying one line.
  • The file is limited to 10 MB and to 128 K (128 x 1024) entries. Each line is limited to 4 KB of characters.
  • The entry limit also follows the table size limitation defined by the CMDB for each model.
  • The External Resources update period can be set to 1 minute, hourly, daily, weekly, or monthly (43200 min, 30 days).
  • External Resources of type category (URL list) and type domain (Domain Name list) share the category number range 192-221 (30 categories in total).
  • There is no duplicate entry validation for External Resources files (neither for entries inside one file nor across different files).

For Domain Name list (Type=domain):

  • A simple wildcard is allowed in the domain name list, for example: *.test.com.
  • IDN (International Domain Name) is supported.

For IP Address list (Type=address):

  • An entry can be a single IP address, a subnet, or an address range, for example 192.168.1.1, 192.168.10.0/24, or 192.168.100.1-192.168.100.254.
  • An address can be IPv4 or IPv6. For Type=address, an IPv6 address does not need to be written in [ ] format.
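A pre-publication check for a resource file, written against the format rules listed above, as an added example (not a Fortinet tool). It flags oversize files and lines, malformed domain, subnet or range entries, bracketed IPv6 addresses, and duplicate entries, which is worth doing on the publishing side because, as noted above, FortiGate itself performs no duplicate validation. The error strings and the IDNA-based domain check are this example's own choices.

```python
import ipaddress
from typing import List, Optional, Tuple

MAX_FILE_BYTES = 10 * 1024 * 1024   # 10 MB file limit
MAX_ENTRIES = 128 * 1024            # 128 x 1024 entries
MAX_LINE_BYTES = 4 * 1024           # 4 KB per line


def _check_domain(entry: str) -> Optional[str]:
    """One domain per line; '*' wildcards allowed; IDN checked via IDNA encoding."""
    if any(ch.isspace() for ch in entry):
        return "whitespace inside domain"
    try:
        entry.lower().replace("*", "x").encode("idna")   # '*' is not valid IDNA; stand it in
    except UnicodeError:
        return "invalid domain name"
    return None


def _check_address(entry: str) -> Optional[str]:
    """Single address, CIDR subnet or start-end range, IPv4 or IPv6, no [ ]."""
    if entry.startswith("[") or entry.endswith("]"):
        return "IPv6 must not be written in [ ] form"
    try:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version != hi.version or lo > hi:
                return "invalid address range"
        elif "/" in entry:
            ipaddress.ip_network(entry, strict=False)
        else:
            ipaddress.ip_address(entry)
    except ValueError:
        return "not an IP address, subnet or range"
    return None


def validate_external_resource(text: str, rtype: str) -> List[Tuple[int, str]]:
    """Return (line_number, problem) pairs; line 0 means a whole-file problem.

    rtype is "domain" or "address", matching 'set type' on the FortiGate.
    """
    problems: List[Tuple[int, str]] = []
    if len(text.encode("utf-8")) > MAX_FILE_BYTES:
        problems.append((0, "file exceeds 10 MB"))
    check = _check_domain if rtype == "domain" else _check_address
    seen = set()
    entries = 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue                      # blank lines carry no entry
        entries += 1
        if len(raw.encode("utf-8")) > MAX_LINE_BYTES:
            problems.append((line_no, "line exceeds 4 KB"))
            continue
        err = check(line)
        if err:
            problems.append((line_no, err))
            continue
        if line.lower() in seen:
            problems.append((line_no, "duplicate entry"))
        seen.add(line.lower())
    if entries > MAX_ENTRIES:
        problems.append((0, f"{entries} entries exceed the {MAX_ENTRIES} entry limit"))
    return problems


if __name__ == "__main__":
    # Constructed sample files
    print(validate_external_resource("*.test.com\nbücher.example\nbad domain\n*.test.com\n", "domain"))
    print(validate_external_resource("192.168.1.1\n192.168.10.0/24\n[2001:db8::1]\n", "address"))
```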

Configure External Resources from CLI

You can use CLI to configure External Resources files in an external HTTP server. Under Global, configure the External Resources file location and specify the resource type. DNS Filter can use domain type and address type external resources.

In the following example, the file "Ext-Resource-Type-as-Domain-1.txt" is configured as type domain; DNS Filter treats it as the Remote Category named "Ext-Resource-Type-as-Domain-1" with category-id 194. A second external resource file, "Ext-Resource-Type-as-Address-1.txt", is configured as type address, and its address object name is "Ext-Resource-Type-as-Address-1":

config system external-resource
    edit "Ext-Resource-Type-as-Domain-1"
        set type domain          <<<====
        set category 194         <<<====
        set resource "http://172.16.200.66/external-resources/Ext-Resource-Type-as-Domain-1.txt"
        set refresh-rate 1
    next
    edit "Ext-Resource-Type-as-Address-1"
        set status enable
        set type address         <<<====
        set username ''
        set password
        set comments ''
        set resource "http://172.16.200.66/external-resources/Ext-Resource-Type-as-Address-1.txt"
        set refresh-rate 1
    next
end

In each VDOM, a domain type external resource can be used in DNS Filter as a Remote Category. In the example above, the domain name list in the "Ext-Resource-Type-as-Domain-1.txt" file is treated as remote category 194. The IP address list in the "Ext-Resource-Type-as-Address-1.txt" file can be applied in DNS Filter as an external-ip-blocklist: if a DNS resolved IP address matches any entry in that file, the DNS query is blocked. Configure the action for the remote category and enable the external-ip-blocklist in a DNS Filter profile, then apply the profile in the policy:

config dnsfilter profile
    edit "default"
        set comment "Default dns filtering."
        config ftgd-dns
            config filters
                edit 1
                    set category 194      <<<==== domain list in Ext-Resource-Type-as-Domain-1.txt treated as remote category 194
                    set action block
                next
                edit 2
                    set category 12
                next
                edit 3
                next
            end
        end
        set block-botnet enable
        set external-ip-blocklist "Ext-Resource-Type-as-Address-1"      <<<==== IP address list in the "Ext-Resource-Type-as-Address-1" file
    next
end

config firewall policy
    edit 1
        set name "DNSFilter"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set dnsfilter-profile "default"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

Configure External Resources from GUI

To configure, edit, or view the entries for external resources from GUI:

  1. Go to Global > Security Fabric > Fabric Connectors.
  2. Click Create New and in the Threat Feeds section, select Domain Name or IP Address.
  3. Enter the Resource Name, URL, location of the resource file, resource authentication credentials, and Refresh Rate; and click OK to finish the Threat Feeds configuration.
  4. When the configuration is complete, double-click the Threat Feeds Object you just configured to open the Edit page; then click View Entries to view the entry list in the external resources file.
  5. Go to VDOM > DNS Filter and open a DNS Filter profile. The configured external resources are displayed and can be applied in each DNS Filter profile as a remote category or an external IP block list.

Log Example

Remote categories

In VDOM > Log & Report > DNS Query, domains that match the Remote Category list are rated as the Remote Category, overriding their original domain rating.

CLI Example:

1: date=2019-01-18 time=13:49:12 logid="1501054802" type="utm" subtype="dns" eventtype="dnsresponse" level="notice" vd="vdom1" eventtime=1547848151 policyid=1 sessionid=82998 srcipp=10.1.100.18 srcport=42985 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="default" xid=38234 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msg="Domain is monitored" action="pass" cat=196 catdesc="Ext-Resource-Type-as-Domain-3"

2: date=2019-01-18 time=13:49:12 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1547848151 policyid=1 sessionid=82998 srcipp=10.1.100.18 srcport=42985 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="default" xid=38234 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN"

External-IP-Block-Lists

You can use Address Type external resources as external-ip-blocklist in DNS Filter Profile. If DNS Query resolved IP Address matches the entry in the external-ip-blocklist, this DNS query is blocked.

CLI Example:

1: date=2019-01-18 time=13:50:53 logid="1501054400" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" vd="vdom1" eventtime=1547848253 policyid=1 sessionid=83206 srcipp=10.1.100.18 srcport=47281 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="default" xid=7501 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=0 domainfilterlist="Ext-ResourceType-as-Address-1"

2: date=2019-01-18 time=13:50:53 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1547848253 policyid=1 sessionid=83206 srcipp=10.1.100.18 srcport=47281 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="default" xid=7501 qname="www.example.com" qtype="A" qtypeval=1 qclass="IN"



Botnet C&C IPDB blocking

FortiGate also maintains a botnet C&C IP address database (botnet IPDB). If a DNS query response IP address (resolved IP address) matches an entry inside the botnet IPDB, this DNS query is also blocked by DNS Filter botnet C&C blocking.

To view the botnet IPDB list in the CLI:

(global) # diag sys botnet list 9000 10

  1. proto=TCP ip=103.228.28.166, port=80, rule_id=7630075, name_id=3, hits=0
  2. proto=TCP ip=5.9.32.166, port=481, rule_id=4146631, name_id=7, hits=0
  3. proto=TCP ip=91.89.44.166, port=80, rule_id=48, name_id=96, hits=0
  4. proto=TCP ip=46.211.46.166, port=80, rule_id=48, name_id=96, hits=0
  5. proto=TCP ip=77.52.52.166, port=80, rule_id=48, name_id=96, hits=0
  6. proto=TCP ip=98.25.53.166, port=80, rule_id=48, name_id=96, hits=0
  7. proto=TCP ip=70.120.67.166, port=80, rule_id=48, name_id=96, hits=0
  8. proto=TCP ip=85.253.77.166, port=80, rule_id=48, name_id=96, hits=0
  9. proto=TCP ip=193.106.81.166, port=80, rule_id=48, name_id=96, hits=0
  10. proto=TCP ip=58.13.84.166, port=80, rule_id=48, name_id=96, hits=0

To see an example of how DNS filter botnet C&C IPDB blocking works, select an IP address from the IPDB list and use Internet reverse lookup service to find its corresponding domain name. Then from your internal network PC, use a command line tool such as dig or nslookup to query this domain and see that it’s blocked by DNS Filter botnet C&C blocking. For example:

# dig cpe-98-25-53-166.sc.res.rr.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35135
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; cpe-98-25-53-166.sc.res.rr.com.            IN     A

;; ANSWER SECTION:
cpe-98-25-53-166.sc.res.rr.com.  60  IN  A  208.91.112.55   <<<==== Since the resolved IP address matches the botnet IPDB, the DNS query is blocked with the redirect portal IP.

;; Received 64 B
;; Time 2019-04-05 11:06:47 PDT
;; From 172.16.95.16@53(UDP) in 0.6 ms

To check the DNS filter log in the GUI:

  1. Go to Log & Report > DNS Query to view the DNS query blocked by botnet C&C IPDB blocking.

To check the DNS filter log in the CLI:

1: date=2019-04-05 time=11:06:48 logid="1501054600" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" vd="vdom1" eventtime=1554487606 policyid=1 sessionid=55232 srcipp=10.1.100.18 srcport=60510 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=16265 qname="cpe98-25-53-166.sc.res.rr.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msgg="Domain was blocked by dns botnet C&C" action="redirect" botnetip=98.25.53.166

2: date=2019-04-05 time=11:06:48 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" vd="vdom1" eventtime=1554487606 policyid=1 sessionid=55232 srcipp=10.1.100.18 srcport=60510 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dstport=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=16265 qname="cpe98-25-53-166.sc.res.rr.com" qtype="A" qtypeval=1 qclass="IN"
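The DNS Filter log samples shown on this page (local domain filter, safe search, remote category, external IP block list, and botnet C&C) all share one key=value layout, and each feature writes a distinguishing field (domainfilterlist, sscname, cat, botnetip). The parser below, an added example rather than a Fortinet tool, reads that layout and reports every blocked query with the feature that blocked it. The sample lines are constructed from the page's samples with some fields trimmed, and the srcip field name and the reason labels are this example's own.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed from the samples on this page; the "N:" prefix mirrors the CLI output.
SAMPLE_LOG = """\
1: date=2019-04-05 time=15:37:06 logid="1501054803" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" sessionid=69132 srcip=10.1.100.18 profile="demo" xid=4612 qname="www.google.com" qtype="A" ipaddr="208.91.112.55" msg="Domain belongs to a denied category in policy" action="redirect" cat=41 catdesc="Search Engines and Portals"
2: date=2019-04-05 time=15:37:06 logid="1500054000" type="utm" subtype="dns" eventtype="dnsquery" level="information" sessionid=69132 srcip=10.1.100.18 profile="demo" xid=4612 qname="www.google.com" qtype="A"
3: date=2019-04-05 time=15:36:59 logid="1501054400" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" sessionid=69121 srcip=10.1.100.18 profile="demo" xid=24730 qname="www.example.com" qtype="A" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=1 domainfilterlist="demo"
4: date=2019-04-05 time=15:36:51 logid="1501054401" type="utm" subtype="dns" eventtype="dnsresponse" level="information" sessionid=69118 srcip=10.1.100.18 profile="demo" xid=53801 qname="www.fortinet.com" qtype="A" ipaddr="13.56.55.78, 54.183.57.55" msg="Domain was allowed because it is in the domain-filter list" action="pass" domainfilteridx=1 domainfilterlist="demo"
5: date=2019-04-05 time=14:34:53 logid="1501054804" type="utm" subtype="dns" eventtype="dnsresponse" level="notice" sessionid=65955 srcip=10.1.100.18 profile="demo" xid=59573 qname="www.bing.com" qtype="A" ipaddr="204.79.197.220" msg="DNS Safe Search enforced" action="pass" sscname="strict.bing.com" cat=41 catdesc="Search Engines and Portals"
6: date=2019-04-05 time=11:06:48 logid="1501054600" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" sessionid=55232 srcip=10.1.100.18 profile="demo" xid=16265 qname="cpe-98-25-53-166.sc.res.rr.com" qtype="A" ipaddr="93.184.216.34" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetip=98.25.53.166
7: date=2019-01-18 time=13:50:53 logid="1501054400" type="utm" subtype="dns" eventtype="dnsresponse" level="warning" sessionid=83206 srcip=10.1.100.18 profile="default" xid=7501 qname="www.example.com" qtype="A" msg="Domain was blocked because it is in the domain-filter list" action="redirect" domainfilteridx=0 domainfilterlist="Ext-Resource-Type-as-Address-1"
"""

# key=value pairs; quoted values may contain spaces and commas (msg, ipaddr)
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
_PREFIX_RE = re.compile(r"^\d+:\s+")


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict of string fields."""
    body = _PREFIX_RE.sub("", line, count=1)
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _FIELD_RE.finditer(body)}


def verdict_source(rec: Dict[str, str]) -> str:
    """Name the DNS Filter feature behind a dnsresponse verdict, from the
    field that only that feature writes (order matters: botnet and domain
    filter records may also carry a category)."""
    if "botnetip" in rec:
        return "botnet-c2:" + rec["botnetip"]
    if "domainfilterlist" in rec:          # local list or external IP block list
        return "domain-filter:" + rec["domainfilterlist"]
    if "sscname" in rec:
        return "safe-search:" + rec["sscname"]
    if "cat" in rec:
        return "category:" + rec["cat"]
    return "other"


def blocked_queries(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every dnsresponse record whose verdict was a block (action=redirect)."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if rec.get("eventtype") == "dnsresponse" and rec.get("action") == "redirect":
            out.append({"xid": rec.get("xid", ""), "client": rec.get("srcip", ""),
                        "qname": rec.get("qname", ""), "reason": verdict_source(rec)})
    return out


def reason_counts(lines: Iterable[str]) -> Counter:
    """Count blocked queries per blocking feature, for a quick triage view."""
    return Counter(b["reason"] for b in blocked_queries(lines))


if __name__ == "__main__":
    for b in blocked_queries(SAMPLE_LOG.splitlines()):
        print(f"{b['client']:<14} {b['qname']:<34} {b['reason']}")
    print(reason_counts(SAMPLE_LOG.splitlines()))
```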

To check botnet activity:

  1. Go to Dashboard > Status and see the Botnet Activity widget.

If you cannot find the Botnet Activity widget, click the Settings button at the bottom right, select Add Widget, and add the Botnet Activity widget.

