FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ksolovjova
Staff
Staff
Description This article aims to describe the recent changes in SDNS and Webfilter lookups, and also provide some tips on checking DNS and Webfilter categories on the FortiGate.
Scope All FortiOS versions.
Solution

SDNS and Webfilter lookups on the FortiGuard website have been updated to provide more granular lookup results based on the FortiOS version of the FortiGate - 7.0+, 5.6+, 5.4 or older.

 

The lookups are useful when troubleshooting why a specific website is getting blocked or when configuring DNS and Webfilter profiles.

 

SDNS lookup: www.fortiguard.com/services/sdns

 

ksolovjova_0-1651239399350.png

 

 Webfilter lookup: www.fortiguard.com/webfilter

 

ksolovjova_1-1651239502981.png

 

In general, DNS and Webfilter categories for a specific website should be always the same for a given FortiOS version.

In case there is a discrepancy, always submit a recategorization request:

 

www.fortiguard.com/contactus

 

In CLI check the category numbers with the following command:

 

#get webfilter categories

<output omitted>
g07 General Interest - Business:
31 Finance and Banking
41 Search Engines and Portals
43 General Organizations
49 Business
50 Information and Computer Security
51 Government and Legal Organizations
52 Information Technology
53 Armed Forces
<output omitted>

 

After the DNS filter to a forward traffic policy on the FortiGate, check the SDNS cache (list of saved hostnames and their SDNS categories) with the following CLI command:

 

# diagnose test application dnsproxy 15

worker idx: 0
SDNS rating cache:
name=youtube.com, category=25, ttl=10797
name=aliexpress.com, category=42, ttl=10796
name=bbc.co.uk, category=36, ttl=10796
name=www.nationalgeographic.com, category=30, ttl=10796
name=twitter.com, category=37, ttl=10796
name=instagram.com, category=37, ttl=10796
name=www.microsoft.com, category=52, ttl=10795
name=wikipedia.com, category=39, ttl=10795
name=fortinet.com, category=52, ttl=10795
RATING CACHE num=9

 

For troubleshooting purposes, the SDNS cache can be cleared:

 

# diagnose test application dnsproxy 16

 

For more information on checking Webfilter cache please refer to the following article:

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Verify-the-webfilter-cache-content/t...

Contributors