FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pminarik
Staff
Staff
Article Id 239549
Description

 

This article discusses the details of the static DNS filter's matching logic, with examples provided to illustrate the behavior.

 

Scope

 

The DNS filter operates only on DNS traffic and filters only domain names. If it is wanted to take specific block/allow actions based on detailed URL paths such as shown below, a web filter must be used.

 

example.com/allowed/section => allow.

example.com/block/this/path => block.

 

This article describes only the matching logic. For general information about Static Domain Filter, or DNS Filter profiles, refer to the documentation:

Local domain filter

 

Solution

 

FortiOS has three types of static domain filters: simple, wildcard, and regular expression. The simple type behaves differently based on the inspection mode of the firewall policy (flow or proxy). Wildcard and regular expression types behave the same regardless of the inspection mode.

 

Simple Filter: Flow Mode.

In flow-mode inspection, this filter performs a simple substring match. If the provided domain string is located anywhere in the evaluated domain name, the match is positive.

 

Example: simple filter 'fortinet.com'.

 

Screenshot 2024-07-30 151033.png

 

domain

result

fortinet.com

match

fortunate.com

no match

www.fortinet.com

match

docs.fortinet.com

match

fakefortinet.com match
fortinet.community match
fortinet.com.fake.com match

 

Note that the wildcard symbol '*' is not permitted in simple filters.

 

Simple filter: proxy mode.

 

In proxy-mode inspection, this filter matches the provided domain and any of its sub-domains, and it also matches if the string itself is a sub-domain of another domain.

 

Example: simple filter: 'fortinet.com'.

 

domain result
fortinet.com match
fortunate.com no match
www.fortinet.com match
docs.fortinet.com match
fakefortinet.com no match (differs from flow-mode)
fortinet.community

no match (differs from flow-mode)

fortinet.com.fake.com

match

 

Wildcard filter.

This filter accepts the wildcard '*' symbol. The filter is internally converted to a regular expression, with the provided string surrounded by word-boundary tokens (\b). Sub-domain matching is similar to a proxy-mode simple filter.

 

Example: wildcard filter: 'fortinet.com'.

 

domain result
fortinet.com match
fortunate.com no match
www.fortinet.com match
docs.fortinet.com match
fakefortinet.com no match
fortinet.community no match
fortinet.com.fake.com

match

not-fortinet.com

match ('-' is a word-boundary character!)

 

The wildcard symbol '*' is a substitute for any number of arbitrary characters (including zero characters).

 

Example: wildcard filter: '*fortinet.com'.

Screenshot 2024-07-30 151247.png

 

domain result
fortinet.com match
fakefortinet.com match
docs.fortinet.com

match

fortinet.community

no match

 

Note: Wrapping the domain string with '*' on both ends (*fortinet.com*) results in behavior identical to the flow-mode simple filter - a simple substring match.

 

Note that the filter '*.domain.com' will match sub-domains of 'domain.com' but will not match 'domain.com' itself.

 

Example: wildcard filter: '*.fortinet.com'.

 

domain result
www.fortinet.com match
docs.fortinet.com match
fortinet.com no match (the filter requires '.' preceding 'fortinet')
fakefortinet.com no match
docs.fortinet.com.fake.com match

 

The wildcard symbol can also be used in the middle of the string.

 

Example: wildcard filter: 'forti*net.com'.

 

domain result
fortinet.com match
fortifiednet.com match
forti.other.examplenet.com

match

forti.net.com.fake.com

match

notfortinet.com no match ('forti' is not initial, or preceded by a word-boundary character)

 

Regular expression.

 

This filter operates using PCRE regular expressions. The list below shows a handful, useful or interesting filters.

 

regex filter behavior
fortinet\.com equivalent to flow-mode simple filter (simple sub-string match; see above for match/non-match examples)
\bfortinet\.com\b equivalent to wildcard filter (see above)
^fortinet\.com$ precisely matches this domain only, no sub-domains
^\.fortinet\.com$ matches only the sub-domains of this domain (not the domain itself)
^(.*\.)*fortinet\.com$ matches the domain and any of its sub-domains

 

Note:

In regular expressions, '.' is a wildcard symbol for a single character of any kind. To match the dot character it must be escaped with a backslash.

 

test\.example\.com will match 'test.example.com' literally, as a sub-string
test.example.com

will also match testxexample.com, test.exampleycom, etc.