Fortigate DNS filter - bulk add of URLs or pointing to cloudflare maybe using APIs

mymorgan
New Member
January 14, 2025
Solved | 2 replies | 1192 views
Hi all,

I have a problem, Fortinet support have been less than useful. FortiGate

We have a Cloudflare Zero Trust setup that stops any DNS requests to malicious sites. What I want to do is intercept these requests on the FortiGate before they get to Cloudflare.

In the past I have been manually adding each new site that Cloudflare makes me aware of; this is time consuming. I have been on leave and returned to over 100 URLs to add to the DNS filter on the FortiGate. I was hoping to just import a CSV or text file of the URLs into the FortiGate DNS filter list. Apparently this is not possible.

I have seen some talk of using a Cloudflare API to do this but not sure how.

Has anyone found a way to do this?

The stock Fortinet answer of "put in a new feature request" is laughable when solutions are needed quickly and when we all know that feature will never get added.

I don't know why they can't have a plain text input for the list.

E.g. on our Smoothwall web filter, I can click a list of blocked URLs and tell it to change to text input, allowing me to paste in a whole list in one go. If Smoothwall can do it, why can't Fortinet with their money and staff?

 

Best answer by funkylicious (see the reply below)


2 replies

funkylicious
SuperUser
January 14, 2025

You could create a script which generates the following commands and sends them via the CLI on the firewall.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Static-DNS-filter-to-allow-block-DNS-queries/ta-p/192151

config dnsfilter domain-filter
    edit <ID>
        set name <name>
        config entries
            edit <ID>
                set domain <domain>
                set type <simple/regex/wildcard>
                set action <block/allow/monitor>
                set status <enable/disable>
            next
        end
end

 

You can also use the API with the example body below, using the URL and the method PUT https://FGTIP:PORT/api/v2/cmdb/dnsfilter/domain-filter/{ID}

{
  "id": 4294967295,
  "name": "string",
  "comment": "string",
  "entries": [
    {
      "id": 4294967295,
      "domain": "string",
      "type": "simple",
      "action": "block",
      "status": "enable"
    }
  ]
}

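Putting the two halves of that answer together, here is an added example (mine, not code from this thread, from Fortinet or from Cloudflare) of the kind of script described: it reads a text/CSV export of URLs, reduces each one to a hostname, drops junk and duplicates, and then emits both the FortiOS CLI block quoted above and the JSON body for the PUT. The export layout (one URL per row under a "url" header), the filter id and name, and the use of a REST API token as a Bearer header are assumptions of the example; the sample input is constructed.

```python
"""Added example (not from the thread, not Fortinet's or Cloudflare's code):
turn a text/CSV list of URLs into (a) the FortiOS CLI block quoted in the
answer and (b) the JSON body for
PUT https://FGTIP:PORT/api/v2/cmdb/dnsfilter/domain-filter/{ID}.
The export layout, the filter id/name and the Bearer-token auth are
assumptions; the sample input below is constructed."""
import csv
import io
import json
import re
import urllib.request
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample export: one URL/hostname per row, deliberately messy,
# the way an alert list tends to arrive (mixed case, ports, paths, junk).
SAMPLE_EXPORT = """\
url
https://malicious.example/login.php?x=1
MALICIOUS.example
http://bad-cdn.example.net:8443/payload
bad-cdn.example.net
not a domain!!
*.phish.example.org
"""

# RFC 1123 hostname labels; anything failing this never reaches the firewall config.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

Entry = Tuple[str, str]  # (domain, FortiOS entry type: simple | wildcard)


def normalise(raw: str) -> Optional[Entry]:
    """Reduce a URL or bare hostname to a lowercase domain; None if it is not one.
    A leading '*.' is kept and mapped to the wildcard entry type."""
    s = raw.strip().lower()
    wildcard = s.startswith("*.")
    if wildcard:
        s = s[2:]
    if "://" not in s:          # urlsplit only recognises a netloc after '//'
        s = "//" + s
    host = urlsplit(s).hostname  # drops scheme, port, path and query
    if host is None:
        return None
    host = host.rstrip(".")
    if not _HOSTNAME_RE.match(host):
        return None
    return ("*." + host if wildcard else host, "wildcard" if wildcard else "simple")


def load_domains(text: str) -> List[Entry]:
    """Read the export (URL in the first column), skip the header and junk, de-duplicate."""
    seen, out = set(), []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].strip().lower() == "url":
            continue
        entry = normalise(row[0])
        if entry is None or entry in seen:
            continue
        seen.add(entry)
        out.append(entry)
    return out


def cli_script(filter_id: int, name: str, entries: List[Entry], action: str = "block") -> str:
    """Render the 'config dnsfilter domain-filter' block from the answer, one entry per domain."""
    lines = ["config dnsfilter domain-filter", f"    edit {filter_id}",
             f'        set name "{name}"', "        config entries"]
    for n, (domain, dtype) in enumerate(entries, start=1):
        lines += [f"            edit {n}", f"                set domain {domain}",
                  f"                set type {dtype}", f"                set action {action}",
                  "                set status enable", "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines) + "\n"


def api_body(filter_id: int, name: str, entries: List[Entry],
             action: str = "block", comment: str = "") -> dict:
    """Body for the PUT, shaped like the example body in the answer."""
    return {"id": filter_id, "name": name, "comment": comment,
            "entries": [{"id": n, "domain": d, "type": t, "action": action, "status": "enable"}
                        for n, (d, t) in enumerate(entries, start=1)]}


def push(base_url: str, token: str, body: dict) -> int:
    """PUT the body to the FortiGate. Presenting a REST API token as a Bearer
    header is this example's assumption about auth, not something the thread states."""
    req = urllib.request.Request(
        f"{base_url}/api/v2/cmdb/dnsfilter/domain-filter/{body['id']}",
        data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    entries = load_domains(SAMPLE_EXPORT)
    print(cli_script(1, "cloudflare-blocklist", entries))
    print(json.dumps(api_body(1, "cloudflare-blocklist", entries), indent=2))
    # push("https://FGTIP:PORT", "<api-token>", api_body(1, "cloudflare-blocklist", entries))
```

Two things worth checking before running this against a production unit. The 4294967295 in the quoted body is just the unsigned 32-bit maximum that the API schema uses as a placeholder, not a value to send; use the real filter id. And the PUT carries a whole entries table, so fetch the existing entries first and merge them with the new ones rather than sending only the additions, otherwise the entries that were added by hand can be replaced. The hostname validation is there because an alert export is untrusted input: a stray row should be rejected by the script, not end up in the firewall configuration.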
mymorgan (Author)
New Member
January 15, 2025

@funkylicious that's awesome, I was hoping there was a way to do it via CLI. Thanks so much for your help. Time saved is always a win!