Category Archives: FortiOS 6.2

Local domain filter

Local domain filter

In addition to FortiGuard’s category-based domain filter, you can also can define your own local static domain filter to allow or block specific domains.

To configure DNS local domain filter on GUI:

Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
In the Static Domain Filter section, enable Domain Filter.
Click Create New to create your local domain filter entries.

To configure DNS local domain filter on CLI:

config dnsfilter domain-filter edit 1 set name “demo” set comment ” config entries edit 1 set domain “www.fortinet.com”

set type simple set action allow set status enable

next edit 2 set domain “*.example.com” set type wildcard set action block set status enable

next edit 3 set domain “google” set type regex set action monitor set status enable

end

To check the DNS local domain filter log in the GUI:

Go to Log & Report > DNS Query to view the DNS query log.

Since the local domain list “google” action is Monitor, it’s blocked by FortiGuard category-based domain filter.

To check the DNS local domain filter log in the CLI:

7: date=2019-04-05 time=15:37:06 logid=”1501054803″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”warning” vd=”vdom1″ eventtime=1554503826 policyid=1 sessionid=69132 srcipp=10.1.100.18 srcport=49832 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=4612 qname=”www.google.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”208.91.112.55″ msg=”Domain belongs to a denied category in policy” action=”redirect” cat=41 catdesc=”Search Engines and Portals”

8: date=2019-04-05 time=15:37:06 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554503826 policyid=1 sessionid=69132 srcipp=10.1.100.18 srcport=49832 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=4612 qname=”www.google.com” qtype=”A” qtypeval=1 qclass=”IN”

9: date=2019-04-05 time=15:36:59 logid=”1501054400″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”warning” vd=”vdom1″ eventtime=1554503818 policyid=1 sessionid=69121 srcipp=10.1.100.18 srcport=40659 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=24730 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN” msg=”Domain was blocked because it is in the domain-filter list” action=”redirect” domainfilteridx=1 domainfilterlist=”demo”

10: date=2019-04-05 time=15:36:59 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554503818 policyid=1 sessionid=69121 srcipp=10.1.100.18 srcport=40659 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=24730 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN”

11: date=2019-04-05 time=15:36:51 logid=”1501054401″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”information” vd=”vdom1″ eventtime=1554503810 policyid=1 sessionid=69118 srcipp=10.1.100.18 srcport=33461 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=53801 qname=”www.fortinet.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”13.56.55.78, 54.183.57.55″ msg=”Domain was allowed because it is in the domain-filter list” action=”pass” domainfilteridx=1 domainfilterlist=”demo”

12: date=2019-04-05 time=15:36:51 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554503810 policyid=1 sessionid=69118 srcipp=10.1.100.18 srcport=33461 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=53801 qname=”www.fortinet.com” qtype=”A” qtypeval=1 qclass=”IN”

Sequence and priority

In DNS Filter, local domain filter has a higher priority than FortiGuard category-based domain filter.

A DNS query is scanned and matched with local domain filter first. If an entry matches and the local filter entry’s action is block, then that DNS query is blocked or redirected.

If local domain filter list has no match, then the FortiGuard category-based domain filter is used. If a DNS query domain name rating belongs to the block category, this query is blocked or redirected. If the FortiGuard category-based filter has no match, then the original resolved IP address is returned to the client DNS resolver.

The local domain filter action can be Block, Allow, or Monitor. If the local domain filter action is Allow and an entry matches, it will skip the FortiGuard category-based domain filter and directly return to client DNS resolver. If the local domain filter action is Monitor and an entry matches, it will go to FortiGuard category-based domain filter scanning and matching.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

DNS safe search

Leave a reply

DNS safe search

Enable DNS Filter safe search so that FortiGate responds with the search engine’s children and school safe domain or IP address. Users might not be aware of this filter. Explicit contents are filtered by the search engine itself. This feature isn’t 100% accurate but it can help you avoid explicit and inappropriate search results.

This feature currently supports Google, Bing, and YouTube.

To configure DNS Filter Safe Search on GUI:

Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
Enable Enforce ‘Safe search’ on Google, Bing, YouTube.
For Restrict YouTube Access, select Strict or Moderate.

To configure DNS Filter Safe Search on CLI:

config dnsfilter profile edit “demo” config ftgd-dns set options error-allow config filters edit 2 set category 2

…

end

end set log-all-domain enable set block-botnet enable

set safe-search enable <<<==== DNS Filter Safe Search option

end

Sample

To see an example of how this works, enable this option. Then from your internal network PC, use a command line tool such as dig or nslookup to do a DNS query on www.bing.com. For example:

# dig www.bing.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46568

;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:

;; www.bing.com.

;; ANSWER SECTION:

www.bing.com.

103

CNAME

strict.bing.com. <<<====

strict.bing.com.

103

204.79.197.220

;; Received 67 B

;; Time 2019-04-05 14:34:52 PDT

;; From 172.16.95.16@53(UDP) in 196.0 ms

The DNS query for www.bing.com returns with a CNAME strict.bing.com, and A record for the CNAME. The user’s web browser then connects to this address with the same search engine UI but any explicit content search is filtered out. Check the DNS Filter log for the message DNS Safe Search enforced.

To check the DNS Filter Safe Search log in the CLI:

1: date=2019-04-05 time=14:34:53 logid=”1501054804″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”notice” vd=”vdom1″ eventtime=1554500093 policyid=1 sessionid=65955 srcipp=10.1.100.18 srcport=36575 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=59573 qname=”www.bing.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”204.79.197.220″ msg=”DNS Safe Search enforced” action=”pass” sscname=”strict.bing.com” cat=41 catdesc=”Search Engines and Portals”

2: date=2019-04-05 time=14:34:53 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554500092 policyid=1 sessionid=65955 srcipp=10.1.100.18 srcport=36575 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=59573 qname=”www.bing.com” qtype=”A” qtypeval=1 qclass=”IN”

Additional information

For each search engine’s safe search specifications, see its specification page:

External Resources for DNS filter

Leave a reply

External Resources for DNS filter

Introduction

External Resources is a new feature introduced in FortiOS 6.0. It provides a capability to dynamically import an external blacklist into an HTTP server. This feature enables FortiGate to retrieve a dynamic URL/Domain Name/IP

Address/Malware hash list from an external HTTP server periodically. FortiGate uses these external resources as Web Filter’s remote categories, DNS filter’s remote categories, policy address objects, or antivirus profile’s malware definitions. If external resources are updated, FortiGate objects are also updated dynamically.

External Resource is divided into four types:

l URL list (Type=category) l Domain Name List (Type=domain) l IP Address list (Type=address) l Malware hash list (Type=malware)

Remote categories and external IP block list

The DNS Filter profile can use two types of external resources: domain type and address type. Domain type resources file is a domain name list and address type resources file is an IP address list.

When a domain type external resource is configured, it is treated as a Remote Category in DNS Filter profile. If the domain name in DNS Query matches the entry in this external resource file, it is treated as the Remote Category and follows the action configured for this category in DNS Filter profile.

When an address type external resource is configured, it can be enabled as external-ip-blocklist in DNS Filter profile. If DNS resolved IP address in DNS response matches the entry in the external-ip-blocklist, this DNS Query is blocked by DNS Filter.

External Resources file format

File format requirements for External Resources file:

The file is in plain text format with each URL list/IP Address/Domain Name occupying one line.
The file is limited to 10 MB, and each line is limited to 128 KB (128 X 1024 entries). Line length limit is 4 KB characters.
The entry limit also follows the table size limitation defined by CMDB per model.
The External Resources update period can be set to 1 minute, hourly, daily, weekly, or monthly (43200 min, 30 days).
The External Resources type as category (URL list) and domain (Domain Name list) share the category number

range 192-221 (total of 30 categories).

There is no duplicated entry validation for External Resources file (entry inside each file or inside different files).

For Domain Name list (Type=domain):

Simple wildcard is allowed in domain name list, from example: *.test.com. l IDN (International Domain Name) is supported.

For IP Address list (Type=address):

IP address can be single IP address, subnet address, or address range, for example, 192.168.1.1, 192.168.10.0/24,192.168.100.1-192.168.100.254. l An address can be IPv4 or IPv6 address, for Type=address, IPv6 address does not need to be in [ ] format.

Configure External Resources from CLI

You can use CLI to configure External Resources files in an external HTTP server. Under Global, configure the External Resources file location and specify the resource type. DNS Filter can use domain type and address type external resources.

In the following example, configure a file “Ext-Resource-Type-as-Domain-1.txt” as type domain and it will be treated in DNS Filter as Remote Category name as “Ext-Resource-Type-as-Domain-1” and category-id 194. Configure another external resource file “Ext-Resource-Type-as-Address-1.txt” as type address, and this address object name is “ExtResource-Type-as-Address-1”:

config system external-resource edit “Ext-Resource-Type-as-Domain-1” set type domain <<<==== set category 194 <<<====

set resource “http://172.16.200.66/external-resources/Ext-Resource-Type-as-Domain-1.txt” set refresh-rate 1

edit “Ext-Resource-Type-as-Address-1″ set status enable set type address <<<==== set username ” set password set comments ”

set resource “http://172.16.200.66/external-resources/Ext-Resource-Type-as-Address-

1.txt” set refresh-rate 1

end

In each VDOM, domain type external resource can be used in DNS Filter as Remote Category. In the above example, Domain Name list in “Ext-Resource-Type-as-Domain-1.txt” file is treated as remote category (category-id 194). IP address list in “Ext-Resource-Type-as-Address-1.txt” file can be applied in DNS Filter as external-ip-blocklist. If DNS resolved IP address matches any entry in the list in that file, the DNS query is blocked. You should configure the action for this remote category and enable “external-ip-block-list” in a DNS Filter profile and apply it in the policy:

config dnsfilter profile edit “default” set comment “Default dns filtering.” config ftgd-dns config filters edit 1 set category 194 <<<==== domain list in Ext-Resource-Type-as-Domain-1.txt

treated as remote category 194

set action block

next edit 2 set category 12

next edit 3 next

end

set block-botnet enable

set external-ip-blocklist “Ext-Resource-Type-as-Address-1” <<<==== IP address in “ExtResource-Type-as-Address-1” file. next

end

config firewall policy edit 1 set name “DNSFilter” set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set utm-status enable set logtraffic all set dnsfilter-profile “default” set profile-protocol-options “protocol” set ssl-ssh-profile “protocols”

set nat enable

end

Configure External Resources from GUI

To configure, edit, or view the entries for external resources from GUI:

Go to Global > Security Fabric > Fabric Connectors.
Click Create New and in the Threat Feeds section, select Domain Name or IP Address.
Enter the Resource Name, URL, location of the resource file, resource authentication credentials, and Refresh Rate; and click OK to finish the Threat Feeds configuration.
When the configuration is complete, double-click the Threat Feeds Object you just configured to open the Edit page; then click View Entries to view the entry list in the external resources file.
Go to VDOM > DNS Filter and open a DNS filter profile. The configured external resources displays and you can apply it in each DNS Filter Profile: remote category or external IP block lists.

Log Example

Remote categories

In VDOM > Log & Report > DNS Query, some domains that match the Remote Category list are rated as Remote

Category, overriding their original domain rating.

CLI Example:

1: date=2019-01-18 time=13:49:12 logid=”1501054802″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”notice” vd=”vdom1″ eventtime=1547848151 policyid=1 sessionid=82998 srcipp=10.1.100.18 srcport=42985 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”default” xid=38234 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”93.184.216.34″ msg=”Domain is monitored” action=”pass” cat=196 catdesc=”Ext-Resource-Type-as-Domain-3″

2: date=2019-01-18 time=13:49:12 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1547848151 policyid=1 sessionid=82998 srcipp=10.1.100.18 srcport=42985 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”default” xid=38234 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN”

External-IP-Block-Lists

You can use Address Type external resources as external-ip-blocklist in DNS Filter Profile. If DNS Query resolved IP Address matches the entry in the external-ip-blocklist, this DNS query is blocked.

CLI Example:

1: date=2019-01-18 time=13:50:53 logid=”1501054400″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”warning” vd=”vdom1″ eventtime=1547848253 policyid=1 sessionid=83206 srcipp=10.1.100.18 srcport=47281 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”default” xid=7501 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN” msg=”Domain was blocked because it is in the domain-filter list” action=”redirect” domainfilteridx=0 domainfilterlist=”Ext-ResourceType-as-Address-1″

2: date=2019-01-18 time=13:50:53 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1547848253 policyid=1 sessionid=83206 srcipp=10.1.100.18 srcport=47281 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”default” xid=7501 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN”

Botnet C&C IPDB blocking

Leave a reply

Botnet C&C IPDB blocking

FortiGate also maintains a botnet C&C IP address database (botnet IPDB). If a DNS query response IP address

(resolved IP address) matches an entry inside the botnet IPDB, this DNS query is also blocked by DNS Filter botnet C&C blocking.

To view the botnet IPDB list in the CLI:

(global) # diag sys botnet list 9000 10

proto=TCP ip=103.228.28.166, port=80, rule_id=7630075, name_id=3, hits=0
proto=TCP ip=5.9.32.166, port=481, rule_id=4146631, name_id=7, hits=0
proto=TCP ip=91.89.44.166, port=80, rule_id=48, name_id=96, hits=0
proto=TCP ip=46.211.46.166, port=80, rule_id=48, name_id=96, hits=0
proto=TCP ip=77.52.52.166, port=80, rule_id=48, name_id=96, hits=0
proto=TCP ip=98.25.53.166, port=80, rule_id=48, name_id=96, hits=0
proto=TCP ip=70.120.67.166, port=80, rule_id=48, name_id=96, hits=0
proto=TCP ip=85.253.77.166, port=80, rule_id=48, name_id=96, hits=0
proto=TCP ip=193.106.81.166, port=80, rule_id=48, name_id=96, hits=0
proto=TCP ip=58.13.84.166, port=80, rule_id=48, name_id=96, hits=0

To see an example of how DNS filter botnet C&C IPDB blocking works, select an IP address from the IPDB list and use Internet reverse lookup service to find its corresponding domain name. Then from your internal network PC, use a command line tool such as dig or nslookup to query this domain and see that it’s blocked by DNS Filter botnet C&C blocking. For example:

# dig cpe-98-25-53-166.sc.res.rr.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35135 ;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:

;; cpe-98-25-53-166.sc.res.rr.com. IN A

;; ANSWER SECTION:

cpe-98-25-53-166.sc.res.rr.com. 60 IN A 208.91.112.55 <<<==== Since resolved IP address match the botnet IPDB, dns query blocked with redirect portal IP.

;; Received 64 B

;; Time 2019-04-05 11:06:47 PDT ;; From 172.16.95.16@53(UDP) in 0.6 ms

To check the DNS filter log in the GUI:

Go to Log & Report > DNS Query to view the DNS query blocked by botnet C&C IPDB blocking.

To check the DNS filter log in the CLI:

1: date=2019-04-05 time=11:06:48 logid=”1501054600″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”warning” vd=”vdom1″ eventtime=1554487606 policyid=1 sessionid=55232 srcipp=10.1.100.18 srcport=60510 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=16265 qname=”cpe98-25-53-166.sc.res.rr.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”93.184.216.34″ msgg=”Domain was blocked by dns botnet C&C” action=”redirect” botnetip=98.25.53.166

2: date=2019-04-05 time=11:06:48 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554487606 policyid=1 sessionid=55232 srcipp=10.1.100.18 srcport=60510 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=16265 qname=”cpe98-25-53-166.sc.res.rr.com” qtype=”A” qtypeval=1 qclass=”IN”

To check botnet activity:

Go to Dashboard > Status and see the Botnet Activity widget.

If you cannot find the Botnet Activity widget, click the Settings button at the bottom right, select Add Widget, and add the Botnet Activity widget.

Botnet C&C domain blocking

Leave a reply

Botnet C&C domain blocking

FortiGuard Service continually updates the Botnet C&C domain list (Domain DB). The botnet C&C domain blocking feature can block the botnet website access at the DNS name resolving stage. This provides additional protection for your network.

To configure botnet C&C domain blocking in the GUI:

Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
Enable Redirect botnet C&C requests to Block Portal.
Click the botnet package link to see the latest botnet C&C domain list.

Sample

To see an example of how this works, select a botnet domain from that list. Then from your internal network PC, use a command line tool such as dig or nslookup to send a DNS query to traverse the FortiGate to see the query blocked as a botnet domain. For example:

#dig canind.co

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 997

;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; canind.co. IN ;; ANSWER SECTION:	A
canind.co. 60 IN blocked, redirect with portal-IP. ;; Received 43 B ;; Time 2019-04-05 09:55:21 PDT	A	208.91.112.55 <<<==== botnet domain query
;; From 172.16.95.16@53(UDP) in 0.3 ms		208.91.112.55 <<<==== botnet domain query

To check the DNS filter log in the GUI:

Go to Log & Report > DNS Query to view the DNS query blocked as a botnet domain.

To check the DNS filter log in the CLI:

FGT600D (vdom1) # exe log filter category utm-dns

FGT600D (vdom1) # exe log display 2 logs found.

2 logs returned.

1: date=2019-04-04 time=16:43:59 logid=”1501054601″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”warning” vd=”vdom1″ eventtime=1554421439 policyid=1 sessionid=14135 srcipp=10.1.100.18 srcport=57447 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=24339 qname=”canind.co” qtype=”A” qtypeval=1 qclass=”IN” msg=”Domain was blocked by dns botnet C&C” action=”redirect” botnetdomain=”canind.co”

2: date=2019-04-04 time=16:43:59 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554421439 policyid=1 sessionid=14135 srcipp=10.1.100.18 srcport=57447 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=24339 qname=”canind.co” qtype=”A” qtypeval=1 qclass=”IN”

FortiGuard category-based DNS domain filtering

Leave a reply

FortiGuard category-based DNS domain filtering

You can use the FortiGuard category-based DNS Domain Filter to inspect DNS traffic. This makes use of FortiGuard’s continually updated domain rating database for more reliable protection.

To configure FortiGuard category-based DNS Domain Filter by GUI:

Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
Enable FortiGuard Category Based Filter.
Select the category and then select Allow, Monitor, or Block for that category.
If you select Block, there are two options:

Redirect Portal IP. If the DNS query domain will be blocked, FortiGate will use portal IP to replace the resolved IP in DNS response packet. You can use the default portal IP 208.91.112.55 or click Specify to enter another portal IP.
Block. Blocked DNS query has no response return and the DNS query client will time out.

To configure FortiGuard category-based DNS Domain Filter by CLI:

config dnsfilter profile

edit “demo”

set comment ”

config domain-filter

unset domain-filter-table

end

config ftgd-dns

set options error-allow

config filters <<<==== FortiGuard Category Based Filter edit 2 set category 2 set action monitor

next edit 7 set category 7 set action monitor next

…

edit 22 set category 0 set action monitor

end

set log-all-domain enable

set sdns-ftgd-err-log enable

set sdns-domain-log enable

set block-action redirect/block <<<==== You can specify Block or Redirect

set block-botnet enable

set safe-search enable

set redirect-portal 93.184.216.34 <<<==== Specify Redirect portal-IP.

set redirect-portal6 ::

set youtube-restrict strict

next end

Sample

To see an example of how this works, from your internal network PC, use a command line tool such as dig or nslookup to do DNS query for some domains, for example:

#dig www.example.com

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 61252

;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 13; ADDITIONAL: 11

;; QUESTION SECTION:
;; www.example.com. ;; ANSWER SECTION:		IN	A
www.example.com. ;; AUTHORITY SECTION:	17164	IN	A	93.184.216.34
com.	20027	IN	NS	h.gtld-servers.net.
com.	20027	IN	NS	i.gtld-servers.net.
com.	20027	IN	NS	f.gtld-servers.net.
com.	20027	IN	NS	d.gtld-servers.net.
com.	20027	IN	NS	j.gtld-servers.net.
com.	20027	IN	NS	l.gtld-servers.net.
com.	20027	IN	NS	e.gtld-servers.net.
com.	20027	IN	NS	a.gtld-servers.net.
com.	20027	IN	NS	k.gtld-servers.net.
com.	20027	IN	NS	g.gtld-servers.net.
com.	20027	IN	NS	m.gtld-servers.net.
com.	20027	IN	NS	c.gtld-servers.net.
com. ;; ADDITIONAL SECTION:	20027	IN	NS	b.gtld-servers.net.
a.gtld-servers.net.	21999	IN	A	192.5.6.30
a.gtld-servers.net.	21999	IN	AAAA	2001:503:a83e::2:30
b.gtld-servers.net.	21997	IN	A	192.33.14.30
b.gtld-servers.net.	21997	IN	AAAA	2001:503:231d::2:30
c.gtld-servers.net.	21987	IN	A	192.26.92.30
c.gtld-servers.net.	20929	IN	AAAA	2001:503:83eb::30
d.gtld-servers.net.	3340	IN	A	192.31.80.30
d.gtld-servers.net.	3340	IN	AAAA	2001:500:856e::30
e.gtld-servers.net.	19334	IN	A	192.12.94.30
e.gtld-servers.net.	19334	IN	AAAA	2001:502:1ca1::30
f.gtld-servers.net. ;; Received 509 B	3340	IN	A	192.35.51.30
;; Time 2019-04-05 09:39:33 PDT			A
;; From 172.16.95.16@53(UDP) in 3.8 ms

To check the DNS filter log in the GUI:

Go to Log & Report > DNS Query to view the DNS traffic that just traverse the FortiGate and the FortiGuard rating for this domain name.

To check the DNS log in the CLI:

#execute log filter category utm-dns

# execute log display 2 logs found.

2 logs returned.

1: date=2019-04-05 time=09:39:34 logid=”1501054802″ type=”utm” subtype=”dns” eventtype=”dnsresponse” level=”notice” vd=”vdom1″ eventtime=1554482373 policyid=1 sessionid=50868 srcipp=10.1.100.18 srcport=34308 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=17647 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN” ipaddr=”93.184.216.34″ msg=”Domain is monitored” action=”pass” cat=52 catdesc=”Information Technology”

2: date=2019-04-05 time=09:39:34 logid=”1500054000″ type=”utm” subtype=”dns” eventtype=”dnsquery” level=”information” vd=”vdom1″ eventtime=1554482373 policyid=1 sessionid=50868 srcipp=10.1.100.18 srcport=34308 srcintf=”port10″ srcintfrole=”undefined” dstip=172.16.95.16 dstport=53 dstintf=”port9″ dstintfrole=”undefined” proto=17 profile=”demo” xid=17647 qname=”www.example.com” qtype=”A” qtypeval=1 qclass=”IN”

How to configure and apply DNS filter profile

Leave a reply

How to configure and apply DNS filter profile

To create or configure DNS Filter profile in the GUI:

Go to Security Profiles > DNS Filter.
You can modify the default DNS Filter and enable the options you want or you can click + at the top right to create a

new DNS filter.

To create or configure DNS Filter profile in the CLI:

config dnsfilter profile edit “demo”

set comment ” config domain-filter

unset domain-filter-table

end config ftgd-dns set options error-allow config filters

edit 2

set category 2 set action monitor

next edit 7

set category 7 set action block

next …

edit 22

set category 0 set action monitor

next end

end set log-all-domain enable set sdns-ftgd-err-log enable set sdns-domain-log enable set block-action redirect set block-botnet enable set safe-search enable set redirect-portal 93.184.216.34 set redirect-portal6 ::

set youtube-restrict strict

end

After you have created the DNS Filter profile, you can apply it to the policy. DNS filters also support IPv6 policies.

To apply DNS Filter profile to the policy in the GUI:

Go to Policy & Objects IPv4 Policy or IPv6 Policy.
In the Security Profiles section, enable DNS Filter and select the DNS filter.

To apply DNS Filter profile to the policy in the CLI:

config firewall policy edit 1 set name “Demo” set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “all”

set action accept set schedule “always” set service “ALL” set utm-status enable set inspection-mode proxy set logtraffic all set fsso disable set dnsfilter-profile “demo” <<<==== set profile-protocol-options “default” set ssl-ssh-profile “deep-inspection”

set nat enable

end

Introduction to DNS Filter

1 Reply

Introduction to DNS Filter

Most people who use the Internet use domain names. For example, people who access the Fortinet website type www.fortinet.com into their web browser. However, on the Internet, all websites, computers, or devices actually use IP addresses to locate the destination.

Internet uses DNS (Domain Name System) to translate domain names into IP addresses. For example, when you type www.fortinet.com into your web browser, DNS maps this domain name to Fortinet’s IP address to locate the Fortinet website on the Internet.

If you cannot see DNS Filter under Security Profiles, go to System > Feature Visibility > Security Features section and enable DNS Filter.

DNS primarily uses the UDP protocol on port 53 to serve the address resolve requests.

The FortiGate DNS Filter inspects the UDP protocol on port 53 traffic that traverse FortiGate, and based on the DNS Filter profile configuration, makes the Allow/Monitor/Block or Redirect decision for the inspected traffic.

FortiGate DNS Filter has the following features:

FortiGuard Filtering: filtering the DNS request based on the domain’s FortiGuard rating. l Botnet C&C Domain Blocking: block the DNS request for the known Botnet C&C domains.
External Dynamic Category Domain Filtering: define your own domain category. l DNS Safe Search: Enforce Google, Bing, and YouTube safe addresses for parental controls. l Local Domain Filter: define your own domain list to block or allow.
External IP Block List: define your IP block list to block resolved IPs that match this list. l DNS Translation: map the resolved result to another IP you define.

Sample topology

The topics in this section use the following sample topology to explain how these DNS Filter features work and how to configure it. In this sample topology, there is an internal network and a FortiGate used as a gateway device, with all DNS traffic traversing the FortiGate.