FortiGate
mbernatek (Staff)
Description
This article provides a sample configuration for DNS based FortiGuard web filtering.

In FortiOS v5.2, DNS web filtering is one option within the ‘Web Filter’ profile. In FortiOS v5.4 this feature has moved to a separate ‘DNS Filter’ security profile.

The use of this feature is straightforward:
  • Create and configure ‘DNS Filter’ profile
  • Create and configure firewall policy
  • Assign the profile to the firewall policy
FortiOS intercepts the DNS requests that clients send to their DNS servers and asks the FortiGuard servers for a rating of the requested domain.

It is recommended to filter only the clients’ DNS requests, not the DNS requests originating from your own DNS servers.

Solution
Network topology


Internet w/ DNS servers  ===  (wan1)[FG100D](lan)  ===  PCs in LAN


Configure DNS filter

CLI

config dnsfilter profile
    edit "filter_users"
        config ftgd-dns
            config filters
                edit 1
                    set category 83
                    set action block
                next
                edit 2
                    set category 5
                    set action block
                next
                edit 3
                    set category 1
                    set action block
                next
                edit 4
                    set category 6
                    set action block
                next
                … truncated …
                edit 29
                next
            end
        end
    next
end

Configure firewall policies

config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "LAN"
        set dstaddr "myDNS1" "myDNS2"
        set action accept
        set schedule "always"
        set service "DNS"
        set utm-status enable
        set dnsfilter-profile "filter_users"
        set profile-protocol-options "default"
        set nat enable
    next
    edit 2
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
    next
end
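As an added example that is not part of the article or of any Fortinet tooling, the following Python script parses a ‘config firewall policy’ block in the CLI format shown above and reports accept policies that carry DNS (explicitly, or implicitly through the ALL service) without utm-status enabled and a dnsfilter-profile assigned; the sample configuration is constructed from the article’s policies 1 and 2, and policy 3 is a hypothetical unfiltered policy added to show a finding.

```python
import shlex

# Constructed sample, not the article's full config: policies 1 and 2 trimmed to
# the relevant settings, plus a hypothetical policy 3 that accepts every service.
SAMPLE = """
config firewall policy
    edit 1
        set dstaddr "myDNS1" "myDNS2"
        set action accept
        set service "DNS"
        set utm-status enable
        set dnsfilter-profile "filter_users"
    next
    edit 2
        set action accept
        set service "HTTP" "HTTPS"
    next
    edit 3
        set action accept
        set service "ALL"
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} from 'config firewall policy'."""
    policies, stack, current = {}, [], None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":            # enter a (possibly nested) table
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            stack.pop()
        elif stack == ["firewall policy"]:  # skip settings of nested tables
            if tok[0] == "edit":
                current = policies.setdefault(tok[1], {})
            elif tok[0] == "set" and current is not None:
                current[tok[1]] = tok[2:]
            elif tok[0] == "next":
                current = None
    return policies

def audit_dns_filtering(text):
    """Ids of accept policies carrying DNS (explicitly or via ALL) unfiltered."""
    findings = []
    for pid, policy in parse_policies(text).items():
        carries_dns = bool(set(policy.get("service", [])) & {"DNS", "ALL"})
        filtered = policy.get("utm-status") == ["enable"] and "dnsfilter-profile" in policy
        if policy.get("action") == ["accept"] and carries_dns and not filtered:
            findings.append(pid)
    return findings
```

Run it against the output of `show firewall policy` to spot policies through which LAN clients could resolve names without the DNS filter profile being applied.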

To troubleshoot, use the following commands:
diag debug enable
diag debug application dnsproxy -1

When finished, disable debug with:
diag debug reset
diag debug disable
