Technical Tip: Changes in SDNS and Webfilter lookups

SDNS and Webfilter lookups on the FortiGuard website have been updated to provide more granular lookup results based on the FortiOS version of the FortiGate - 7.0+, 5.6+, 5.4 or older.

The lookups are useful when troubleshooting why a specific website is getting blocked or when configuring DNS and Webfilter profiles.

SDNS lookup: www.fortiguard.com/services/sdns

 Webfilter lookup: www.fortiguard.com/webfilter

In general, DNS and Webfilter categories for a specific website should be always the same for a given FortiOS version.

In case there is a discrepancy, always submit a recategorization request:

www.fortiguard.com/contactus

In CLI check the category numbers with the following command:

#get webfilter categories

<output omitted>
g07 General Interest - Business:
31 Finance and Banking
41 Search Engines and Portals
43 General Organizations
49 Business
50 Information and Computer Security
51 Government and Legal Organizations
52 Information Technology
53 Armed Forces
<output omitted>

After the DNS filter to a forward traffic policy on the FortiGate, check the SDNS cache (list of saved hostnames and their SDNS categories) with the following CLI command:

# diagnose test application dnsproxy 15

worker idx: 0
SDNS rating cache:
name=youtube.com, category=25, ttl=10797
name=aliexpress.com, category=42, ttl=10796
name=bbc.co.uk, category=36, ttl=10796
name=www.nationalgeographic.com, category=30, ttl=10796
name=twitter.com, category=37, ttl=10796
name=instagram.com, category=37, ttl=10796
name=www.microsoft.com, category=52, ttl=10795
name=wikipedia.com, category=39, ttl=10795
name=fortinet.com, category=52, ttl=10795
RATING CACHE num=9

For troubleshooting purposes, the SDNS cache can be cleared:

# diagnose test application dnsproxy 16

For more information on checking Webfilter cache please refer to the following article:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Verify-the-webfilter-cache-content/t...