FortiGate
FJT_FTNT
Staff

Description

This article provides a sample configuration for DNS-based FortiGuard web filtering.


Solution

Topology or network layout

PC---(switch)FGT-111C(wan1)---Internet

Steps

1) Create webfilter profile

### CLI sample ###

config webfilter profile
    edit "dns-wf"
        set inspection-mode dns
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 140
                next
                edit 2
                    set category 141
                next
            end
        end
    next
end

### WebGUI sample ###

[Screenshot: FD35213_webfilter-profile.jpg]

2) Create firewall policy

### CLI sample ###

config firewall policy
    edit 1
        set srcintf "switch"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set webfilter-profile "dns-wf" ==> HERE
        set profile-protocol-options "default"
        set nat enable
    next
end

### WebGUI sample ###

[Screenshot: firewall-policy.jpg]

3) Specify webfilter profile in system dns-server

This step can be done only via the CLI.

### CLI sample ###

config system dns-server
    edit "switch"
        set webfilter-profile "dns-wf" ==> HERE
    next
end

4) Specify the web filter DNS IP address in the FortiGuard settings.

This step can be done only via the CLI.
The IP must be set to a DNS server that returns FortiGuard ratings. FortiGuard's DNS IP is 208.91.112.220.

### CLI sample ###

config system fortiguard
    set webfilter-sdns-server-ip "208.91.112.220"
    set webfilter-sdns-server-port 53
end

5) Specify a redirect page (optional).

The DNS action can be either Block or Redirect. By default the Redirect action sends the client to a Fortinet-hosted web page that displays "Web Page Blocked!". The redirect target can be changed to a custom IP address via the CLI.

The redirect portal must be an IP address.

### CLI sample ###

config webfilter profile
    edit "dns-wf"
        set web-filter-sdns-action redirect
        set web-filter-sdns-portal <ip address>
    next
end

Troubleshooting

This feature can be observed with "diagnose debug application urlfilter -1" and "diagnose debug application dnsproxy -1".

### Sample ###

FG10CH3G09603836 # diagnose debug application urlfilter -1

FG10CH3G09603836 # diagnose debug application dnsproxy -1

FG10CH3G09603836 # diagnose debug enable

FG10CH3G09603836 # batch_on_read()-1945
udp_receive_request()-1589
udp_receive_request()-1643: vd=0, intf=9, len=34, alen=16, 10.130.119.12:57344=>10.130.3.6
handle_dns_request()-1106: id:0xfde6 pktlen=34, qr=0 req_type=2
is_dns_secure_message()-651
dns_secure_get_policy_profile()-1674: vd=0  10.130.119.12:57344=>10.130.3.6:53
dns_policy_find_by_idx()-1640: vfid=0 idx=2
dns_local_lookup()-2085: vfid=0 qname=www.fortinet.com, qtype=1, qclass=1, offset=34, map#=3 max_sz=512
dns_lookup_aa_zone()-494: vfid=0, fqdn=www.fortinet.com
dns_send_cached_response()-961
dns_adjust_ttl_values()-117
dns_adjust_ttl_values()-120: Offset of 1st RR: 34
dns_adjust_ttl_values()-122: Number of RR's: 4
dns_adjust_ttl_values()-133: New ttl: 1519
dns_adjust_ttl_values()-133: New ttl: 166901
dns_adjust_ttl_values()-133: New ttl: 166901
dns_adjust_ttl_values()-133: New ttl: 166901
dns_forward_response()-948
dns_secure_forward_response()-891: category=52 profile=dns-wf
dns_send_url_request()-843: vfid=0 id=0x3320 profile=dns-wf category=52 protocol=17
udp_receive_request()-1589
msg="received a request /tmp/.dnsproxy_0_0.url.socket, addr_len=32: d=www.fortinet.com:80, id=8243, vfname='root', vfid=0, profile='dns-wf', type=0, client=10.130.119.12, url_source=0, url="/"
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=10.130.119.12 sport=57344 dst=10.130.3.6 dport=53
service="http" cat=52 cat_desc="Information Technology" hostname="www.fortinet.com" url="/"
url_receive_response()-1828
url_receive_response()-1833: id=0x3320 cate=52 action=9 log=0 carry_back=17
dns_udp_handle_url_response()-1785
dns_secure_apply_action()-1456: action=9 category=52 log=0 profile=dns-wf
dns_secure_log_response()-1242: domain=www.fortinet.com profile=dns-wf log=0
dns_policy_find_by_idx()-1640: vfid=0 idx=2
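To check what the profile decided for each queried domain without reading the debug output line by line, here is an added Python parser (not Fortinet's code, and not part of the original article) that folds the dnsproxy/urlfilter debug lines into one record per query. The embedded sample is a constructed excerpt in the shape of the output above: the first query mirrors the page's allow verdict, the second is a made-up block verdict for local category 140 whose numeric action codes are placeholders (only the label in parentheses is interpreted).

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the dnsproxy/urlfilter debug output.
# The block verdict is made up; its numeric action codes are placeholders
# and only the label in parentheses, e.g. (ftgd-block), is interpreted.
SAMPLE_DEBUG = """\
dns_local_lookup()-2085: vfid=0 qname=www.fortinet.com, qtype=1, qclass=1, offset=34, map#=3 max_sz=512
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=10.130.119.12 sport=57344 dst=10.130.3.6 dport=53
service="http" cat=52 cat_desc="Information Technology" hostname="www.fortinet.com" url="/"
dns_secure_apply_action()-1456: action=9 category=52 log=0 profile=dns-wf
dns_local_lookup()-2085: vfid=0 qname=blocked.example, qtype=1, qclass=1, offset=33, map#=3 max_sz=512
action=0(ftgd-block) wf-act=0(BLOCK) user="N/A" src=10.130.119.12 sport=57345 dst=10.130.3.6 dport=53
service="http" cat=140 cat_desc="Local Category 1" hostname="blocked.example" url="/"
dns_secure_apply_action()-1456: action=0 category=140 log=1 profile=dns-wf
"""

# key=value tokens: a key must follow whitespace; quoted values may contain spaces
KV_RE = re.compile(r'(?<!\S)([A-Za-z_][\w-]*)=(?:"([^"]*)"|(\S+))')
ACTION_RE = re.compile(r"^\d+\((.+)\)$")  # 9(ftgd-allow) -> ftgd-allow

def parse_kv(line: str) -> Dict[str, str]:
    """Return the key=value pairs on one debug line, trailing commas stripped."""
    pairs = {}
    for m in KV_RE.finditer(line):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        pairs[m.group(1)] = value.rstrip(",")
    return pairs

def summarize(debug_text: str) -> List[Dict[str, object]]:
    """Fold the debug lines into one verdict per DNS query (opened by dns_local_lookup)."""
    verdicts: List[Dict[str, object]] = []
    current = None
    for line in debug_text.splitlines():
        kv = parse_kv(line)
        if line.startswith("dns_local_lookup()") and "qname" in kv:
            current = {"qname": kv["qname"]}  # new query starts here
            verdicts.append(current)
        elif current is None:
            continue  # lines before the first query carry no verdict
        elif "wf-act" in kv:  # urlfilter verdict line, e.g. action=9(ftgd-allow)
            m = ACTION_RE.match(kv["action"])
            current["action"] = m.group(1) if m else kv["action"]
        elif "cat_desc" in kv:  # FortiGuard category of the queried host
            current["category"] = int(kv["cat"])
            current["cat_desc"] = kv["cat_desc"]
        elif line.startswith("dns_secure_apply_action()"):  # profile that applied it
            current["profile"] = kv["profile"]
            current["logged"] = kv["log"] == "1"
    return verdicts
```

Feed it the captured output of the two diagnose commands to confirm that each domain resolved under the expected profile, category and action, and that blocked queries were logged.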
