FortiGate
mkatary
Staff
Article Id 202778
Description

This article describes a workaround for 'Deny: DNS Error' log entries from a FortiGate appearing in FortiAnalyzer.

Scope

This is expected behavior: the firewall logs any invalid DNS traffic. The firewall's policy action is allow/pass, but the malformed reply from the server is not forwarded back to the requesting client, which is why the log shows the 'Deny: DNS Error' message.

Invalid DNS traffic includes UDP packets on port 53 that are not actually DNS, oversized packets, packets with a bad checksum, and so on.

The packet is denied or dropped when the information the security policy expects is not present in the packet's header or payload.

The DNS session helper is not mandatory, so it can be deleted; DNS traffic continues to work afterwards. Note that the helper is the component performing this validity check, so removing it stops the logs because the check is gone, not because the server's replies have been fixed.

Solution
  • Identify the DNS session helper entry ID:

show system session-helper

  • Delete the DNS session helper entry, using the ID found above:

config system session-helper
    delete <id>
end
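The two steps above are easy to script when the same change has to be applied to many units. The following Python helper is an added example and not part of the article or of FortiOS: it parses the output of 'show system session-helper', finds every helper bound to UDP/53, and renders the delete block from the article for those IDs. The show output embedded in it is constructed (entry numbers differ between firmware versions); the entry name dns-udp is assumed to be the default FortiOS name for the DNS helper, which is why matching is done on protocol and port rather than on the name.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `show system session-helper` output (abridged).
# Entry IDs and ordering vary between FortiOS versions; check your own output.
SAMPLE_SHOW_OUTPUT = """\
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 2
        set name h323
        set protocol 6
        set port 1720
    next
    edit 14
        set name dns-udp
        set protocol 17
        set port 53
    next
end
"""


def parse_session_helpers(show_output: str) -> List[Dict[str, str]]:
    """Parse `show system session-helper` output into a list of entries.

    Each entry is a dict holding 'id' plus every `set <key> <value>` line
    inside its edit block. Only the flat key/value shape used by this
    table is handled; nested config blocks are not expected here.
    """
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit\s+(\d+)", line)
        if m:
            current = {"id": m.group(1)}
            continue
        if line == "next" and current is not None:
            entries.append(current)
            current = None
            continue
        m = re.fullmatch(r"set\s+(\S+)\s+(.+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip().strip('"')
    return entries


def find_dns_helper_ids(show_output: str) -> List[str]:
    """Return the IDs of helpers bound to UDP/53 (protocol 17, port 53).

    Matching on protocol/port instead of the name (dns-udp by default,
    an assumption) still finds an entry that was renamed.
    """
    return [
        e["id"]
        for e in parse_session_helpers(show_output)
        if e.get("protocol") == "17" and e.get("port") == "53"
    ]


def build_delete_commands(ids: List[str]) -> str:
    """Render the CLI block from the article for the given entry IDs."""
    if not ids:
        return ""
    body = "\n".join(f"    delete {i}" for i in ids)
    return f"config system session-helper\n{body}\nend"


if __name__ == "__main__":
    dns_ids = find_dns_helper_ids(SAMPLE_SHOW_OUTPUT)
    print("DNS session helper IDs:", dns_ids)
    print(build_delete_commands(dns_ids))
```

Feed it the real output captured from the unit (for example via SSH) instead of the constructed sample, and review the rendered block before pasting it into the CLI; an empty result means no UDP/53 helper exists on that unit and nothing needs deleting.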

 

Alternatively, the same result (no DNS error entries in FortiAnalyzer) can be achieved on the FortiGate without removing the session helper, by excluding that log ID from the logs sent to FortiAnalyzer:

config log fortianalyzer filter
    config free-style
        edit 0
            set filter-type exclude
            set filter "logid 0000000011"
        next
    end
end


Related articles:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/318199/disabling-a-session-helper

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-and-disable-FortiGate-system-sessio...