Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Cybersecurity Forum
This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.
- Fortinet Community
- Forums
- Cybersecurity Forum
- Preventing my users from bypassing DNS settings to...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Preventing my users from bypassing DNS settings to surf Internet
In a highschool environment with Fortinet Firewall. Recently, I am discovering that students are bypassing the DNS settings provided through my Dhcp server by configuring their own laptops (usually google 8.8.8.8. or some other DNS). This allows them to bypass all web filtering while still using our Internet pipe. Is there a quick easy way to configure the FORTINET FIREWALL to prevent anyone in the building from accessing the internet unless they are using an IP provided through our own DHCP? Typically, I have 2 internal DNS/ DHCP windows 2008 servers that should be funnelling all traffic to the firewall. Somehow my firewall is accepting any IP traffic?
I'm new to the fortinet family so any simple suggestions or ideas are greatly appreciated.
Thanks.
Labels:
- Labels:
-
Next Generation Firewall
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you start with a firewall rulebase that only allows your DNS servers to go out for DNS? You will still have other battles with proxy etc. but it will stop their simple DNS lookups.
From: Brett D Penza via Firewall: [mailto:firewall@lists.fusecommunity.fortinet.com]
Sent: Thursday, January 11, 2018 10:35 AM
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - Preventing my users from bypassing DNS settings to surf Internet
In a highschool environment with Fortinet Firewall. Recently, I am discovering that students are bypassing the DNS settings provided through my Dhcp server by configuring their own laptops (usually google 8.8.8.8. or some other DNS). This allows them to bypass all web filtering while still using our Internet pipe. Is there a quick easy way to configure the FORTINET FIREWALL to prevent anyone in the building from accessing the internet unless they are using an IP provided through our own DHCP? Typically, I have 2 internal DNS/ DHCP windows 2008 servers that should be funnelling all traffic to the firewall. Somehow my firewall is accepting any IP traffic?
I'm new to the fortinet family so any simple suggestions or ideas are greatly appreciated.
Thanks.
-----End Original Message-----
From: Brett D Penza via Firewall: [mailto:firewall@lists.fusecommunity.fortinet.com]
Sent: Thursday, January 11, 2018 10:35 AM
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - Preventing my users from bypassing DNS settings to surf Internet
In a highschool environment with Fortinet Firewall. Recently, I am discovering that students are bypassing the DNS settings provided through my Dhcp server by configuring their own laptops (usually google 8.8.8.8. or some other DNS). This allows them to bypass all web filtering while still using our Internet pipe. Is there a quick easy way to configure the FORTINET FIREWALL to prevent anyone in the building from accessing the internet unless they are using an IP provided through our own DHCP? Typically, I have 2 internal DNS/ DHCP windows 2008 servers that should be funnelling all traffic to the firewall. Somehow my firewall is accepting any IP traffic?
I'm new to the fortinet family so any simple suggestions or ideas are greatly appreciated.
Thanks.
-----End Original Message-----
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That sounds like a good start.
How do I set that up? I have a Fortigate 81E.
Brett Penza
Technology Director/ Instructor
Holy Name Central Catholic Jr. Sr. High School
144 Granite Street
Worcester, MA 01604
bpenza@holyname.net
(508) 753-6371
________________________________
From: Peter Cook via Firewall:
Sent: Thursday, January 11, 2018 10:39 AM
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - RE: Preventing my users from bypassing DNS settings to surf Internet
Could you start with a firewall rulebase that only allows your DNS servers to go out for DNS? You will still have other battles with proxy etc. but it will stop their simple DNS lookups.
From: Brett D Penza via Firewall: [mailto:firewall@lists.fusecommunity.fortinet.com]
Sent: Thursday, January 11, 2018 10:35 AM
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - Preventing my users from bypassing DNS settings to surf Internet
In a highschool environment with Fortinet Firewall. Recently, I am discovering that students are bypassing the DNS settings provided through my Dhcp server by configuring their own laptops (usually google 8.8.8.8. or some other DNS). This allows them to bypass all web filtering while still using our Internet pipe. Is there a quick easy way to configure the FORTINET FIREWALL to prevent anyone in the building from accessing the internet unless they are using an IP provided through our own DHCP? Typically, I have 2 internal DNS/ DHCP windows 2008 servers that should be funnelling all traffic to the firewall. Somehow my firewall is accepting any IP traffic?
I'm new to the fortinet family so any simple suggestions or ideas are greatly appreciated.
Thanks.
-----End Original Message-----
-----End Original Message-----
How do I set that up? I have a Fortigate 81E.
Brett Penza
Technology Director/ Instructor
Holy Name Central Catholic Jr. Sr. High School
144 Granite Street
Worcester, MA 01604
bpenza@holyname.net
(508) 753-6371
________________________________
From: Peter Cook via Firewall:
Sent: Thursday, January 11, 2018 10:39 AM
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - RE: Preventing my users from bypassing DNS settings to surf Internet
Could you start with a firewall rulebase that only allows your DNS servers to go out for DNS? You will still have other battles with proxy etc. but it will stop their simple DNS lookups.
From: Brett D Penza via Firewall: [mailto:firewall@lists.fusecommunity.fortinet.com]
Sent: Thursday, January 11, 2018 10:35 AM
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - Preventing my users from bypassing DNS settings to surf Internet
In a highschool environment with Fortinet Firewall. Recently, I am discovering that students are bypassing the DNS settings provided through my Dhcp server by configuring their own laptops (usually google 8.8.8.8. or some other DNS). This allows them to bypass all web filtering while still using our Internet pipe. Is there a quick easy way to configure the FORTINET FIREWALL to prevent anyone in the building from accessing the internet unless they are using an IP provided through our own DHCP? Typically, I have 2 internal DNS/ DHCP windows 2008 servers that should be funnelling all traffic to the firewall. Somehow my firewall is accepting any IP traffic?
I'm new to the fortinet family so any simple suggestions or ideas are greatly appreciated.
Thanks.
-----End Original Message-----
-----End Original Message-----
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
http://cookbook.fortinet.com/creating-security-policies-54/
In step 1 don't include DNS and have
Add a second policy similar to steps 3 and 4 where you define your DNS servers then add them to a policy allowing DNS out
From: Brett Penza via Firewall: [mailto:firewall@lists.fusecommunity.fortinet.com]
Sent: Thursday, January 11, 2018 2:26 PM
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - RE: Preventing my users from bypassing DNS settings to surf Internet
That sounds like a good start.
How do I set that up? I have a Fortigate 81E.
Brett Penza
Technology Director/ Instructor
Holy Name Central Catholic Jr. Sr. High School
144 Granite Street
Worcester, MA 01604
bpenza@holyname.net<mailto:bpenza@holyname.net>
(508) 753-6371
________________________________
From: Peter Cook via Firewall:>">mailto:firewall@lists.fusecommunity.fortinet.com>>
Sent: Thursday, January 11, 2018 10:39 AM
To: firewall@lists.fusecommunity.fortinet.com<mailto:firewall@lists.fusecommunity.fortinet.com>
Subject: [Firewall:] - RE: Preventing my users from bypassing DNS settings to surf Internet
Could you start with a firewall rulebase that only allows your DNS servers to go out for DNS? You will still have other battles with proxy etc. but it will stop their simple DNS lookups.
From: Brett D Penza via Firewall: [mailto:firewall@lists.fusecommunity.fortinet.com]
Sent: Thursday, January 11, 2018 10:35 AM
To: firewall@lists.fusecommunity.fortinet.com<mailto:firewall@lists.fusecommunity.fortinet.com>
Subject: [Firewall:] - Preventing my users from bypassing DNS settings to surf Internet
In a highschool environment with Fortinet Firewall. Recently, I am discovering that students are bypassing the DNS settings provided through my Dhcp server by configuring their own laptops (usually google 8.8.8.8. or some other DNS). This allows them to bypass all web filtering while still using our Internet pipe. Is there a quick easy way to configure the FORTINET FIREWALL to prevent anyone in the building from accessing the internet unless they are using an IP provided through our own DHCP? Typically, I have 2 internal DNS/ DHCP windows 2008 servers that should be funnelling all traffic to the firewall. Somehow my firewall is accepting any IP traffic?
I'm new to the fortinet family so any simple suggestions or ideas are greatly appreciated.
Thanks.
-----End Original Message-----
-----End Original Message-----
In step 1 don't include DNS and have
Add a second policy similar to steps 3 and 4 where you define your DNS servers then add them to a policy allowing DNS out
From: Brett Penza via Firewall: [mailto:firewall@lists.fusecommunity.fortinet.com]
Sent: Thursday, January 11, 2018 2:26 PM
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - RE: Preventing my users from bypassing DNS settings to surf Internet
That sounds like a good start.
How do I set that up? I have a Fortigate 81E.
Brett Penza
Technology Director/ Instructor
Holy Name Central Catholic Jr. Sr. High School
144 Granite Street
Worcester, MA 01604
bpenza@holyname.net<mailto:bpenza@holyname.net>
(508) 753-6371
________________________________
From: Peter Cook via Firewall:
Sent: Thursday, January 11, 2018 10:39 AM
To: firewall@lists.fusecommunity.fortinet.com<mailto:firewall@lists.fusecommunity.fortinet.com>
Subject: [Firewall:] - RE: Preventing my users from bypassing DNS settings to surf Internet
Could you start with a firewall rulebase that only allows your DNS servers to go out for DNS? You will still have other battles with proxy etc. but it will stop their simple DNS lookups.
From: Brett D Penza via Firewall: [mailto:firewall@lists.fusecommunity.fortinet.com]
Sent: Thursday, January 11, 2018 10:35 AM
To: firewall@lists.fusecommunity.fortinet.com<mailto:firewall@lists.fusecommunity.fortinet.com>
Subject: [Firewall:] - Preventing my users from bypassing DNS settings to surf Internet
In a highschool environment with Fortinet Firewall. Recently, I am discovering that students are bypassing the DNS settings provided through my Dhcp server by configuring their own laptops (usually google 8.8.8.8. or some other DNS). This allows them to bypass all web filtering while still using our Internet pipe. Is there a quick easy way to configure the FORTINET FIREWALL to prevent anyone in the building from accessing the internet unless they are using an IP provided through our own DHCP? Typically, I have 2 internal DNS/ DHCP windows 2008 servers that should be funnelling all traffic to the firewall. Somehow my firewall is accepting any IP traffic?
I'm new to the fortinet family so any simple suggestions or ideas are greatly appreciated.
Thanks.
-----End Original Message-----
-----End Original Message-----
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Very good, Thanks very much.
This should help me out quite a bit. (and make a few lazy students pretty unhappy).
Great.
-Brett
Brett Penza
Technology Director/ Instructor
Holy Name Central Catholic Jr. Sr. High School
144 Granite Street
Worcester, MA 01604
bpenza@holyname.net
(508) 753-6371
________________________________
From: Peter Cook via Firewall:
Sent: Thursday, January 11, 2018 2:31 PM
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - RE: Preventing my users from bypassing DNS settings to surf Internet
http://cookbook.fortinet.com/creating-security-policies-54/
In step 1 don’t include DNS and have
Add a second policy similar to steps 3 and 4 where you define your DNS servers then add them to a policy allowing DNS out
From: Brett Penza via Firewall: [mailto:firewall@lists.fusecommunity.fortinet.com]
Sent: Thursday, January 11, 2018 2:26 PM
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - RE: Preventing my users from bypassing DNS settings to surf Internet
That sounds like a good start.
How do I set that up? I have a Fortigate 81E.
Brett Penza
Technology Director/ Instructor
Holy Name Central Catholic Jr. Sr. High School
144 Granite Street
Worcester, MA 01604
bpenza@holyname.net<mailto:bpenza@holyname.net>
(508) 753-6371
________________________________
From: Peter Cook via Firewall:>">mailto:firewall@lists.fusecommunity.fortinet.com>>
Sent: Thursday, January 11, 2018 10:39 AM
To: firewall@lists.fusecommunity.fortinet.com<mailto:firewall@lists.fusecommunity.fortinet.com>
Subject: [Firewall:] - RE: Preventing my users from bypassing DNS settings to surf Internet
Could you start with a firewall rulebase that only allows your DNS servers to go out for DNS? You will still have other battles with proxy etc. but it will stop their simple DNS lookups.
From: Brett D Penza via Firewall: [mailto:firewall@lists.fusecommunity.fortinet.com]
Sent: Thursday, January 11, 2018 10:35 AM
To: firewall@lists.fusecommunity.fortinet.com<mailto:firewall@lists.fusecommunity.fortinet.com>
Subject: [Firewall:] - Preventing my users from bypassing DNS settings to surf Internet
In a highschool environment with Fortinet Firewall. Recently, I am discovering that students are bypassing the DNS settings provided through my Dhcp server by configuring their own laptops (usually google 8.8.8.8. or some other DNS). This allows them to bypass all web filtering while still using our Internet pipe. Is there a quick easy way to configure the FORTINET FIREWALL to prevent anyone in the building from accessing the internet unless they are using an IP provided through our own DHCP? Typically, I have 2 internal DNS/ DHCP windows 2008 servers that should be funnelling all traffic to the firewall. Somehow my firewall is accepting any IP traffic?
I'm new to the fortinet family so any simple suggestions or ideas are greatly appreciated.
Thanks.
-----End Original Message-----
-----End Original Message-----
-----End Original Message-----
This should help me out quite a bit. (and make a few lazy students pretty unhappy).
Great.
-Brett
Brett Penza
Technology Director/ Instructor
Holy Name Central Catholic Jr. Sr. High School
144 Granite Street
Worcester, MA 01604
bpenza@holyname.net
(508) 753-6371
________________________________
From: Peter Cook via Firewall:
Sent: Thursday, January 11, 2018 2:31 PM
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - RE: Preventing my users from bypassing DNS settings to surf Internet
http://cookbook.fortinet.com/creating-security-policies-54/
In step 1 don’t include DNS and have
Add a second policy similar to steps 3 and 4 where you define your DNS servers then add them to a policy allowing DNS out
From: Brett Penza via Firewall: [mailto:firewall@lists.fusecommunity.fortinet.com]
Sent: Thursday, January 11, 2018 2:26 PM
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - RE: Preventing my users from bypassing DNS settings to surf Internet
That sounds like a good start.
How do I set that up? I have a Fortigate 81E.
Brett Penza
Technology Director/ Instructor
Holy Name Central Catholic Jr. Sr. High School
144 Granite Street
Worcester, MA 01604
bpenza@holyname.net<mailto:bpenza@holyname.net>
(508) 753-6371
________________________________
From: Peter Cook via Firewall:
Sent: Thursday, January 11, 2018 10:39 AM
To: firewall@lists.fusecommunity.fortinet.com<mailto:firewall@lists.fusecommunity.fortinet.com>
Subject: [Firewall:] - RE: Preventing my users from bypassing DNS settings to surf Internet
Could you start with a firewall rulebase that only allows your DNS servers to go out for DNS? You will still have other battles with proxy etc. but it will stop their simple DNS lookups.
From: Brett D Penza via Firewall: [mailto:firewall@lists.fusecommunity.fortinet.com]
Sent: Thursday, January 11, 2018 10:35 AM
To: firewall@lists.fusecommunity.fortinet.com<mailto:firewall@lists.fusecommunity.fortinet.com>
Subject: [Firewall:] - Preventing my users from bypassing DNS settings to surf Internet
In a highschool environment with Fortinet Firewall. Recently, I am discovering that students are bypassing the DNS settings provided through my Dhcp server by configuring their own laptops (usually google 8.8.8.8. or some other DNS). This allows them to bypass all web filtering while still using our Internet pipe. Is there a quick easy way to configure the FORTINET FIREWALL to prevent anyone in the building from accessing the internet unless they are using an IP provided through our own DHCP? Typically, I have 2 internal DNS/ DHCP windows 2008 servers that should be funnelling all traffic to the firewall. Somehow my firewall is accepting any IP traffic?
I'm new to the fortinet family so any simple suggestions or ideas are greatly appreciated.
Thanks.
-----End Original Message-----
-----End Original Message-----
-----End Original Message-----
Labels
-
Next Generation Firewall
308 -
SIEM
147 -
vpn
109 -
Wireless
93 -
Endpoint Protection
81 -
Analytics & Reporting
72 -
Cloud Security
59 -
General
44 -
Threat Intelligence
44 -
Secure Email Gateway
36 -
Identity & Access Management
32 -
Web Application Firewall
32 -
Switching
21 -
Secure Web Gateway
20 -
Sandboxing
16 -
Application Delivery Controller
13 -
Security Fabric
12 -
Secure SD-WAN
10 -
IOT
9 -
SOAR
8 -
Intrusion Prevention System
6 -
Voice
6 -
deception
2 -
Browser Isolation
2 -
Zero Trust Network
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.