FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 239549


This article discusses the details of the static DNS filter's matching logic, with examples provided to illustrate the behavior.




The DNS filter operates only on DNS traffic and filters only domain names. To take specific block/allow actions based on detailed URL paths such as those shown below, a web filter must be used instead. => allow. => block.


This article describes only the matching logic. For general information about the Static Domain Filter or DNS Filter profiles, refer to the documentation:




FortiOS has three types of static domain filters: simple, wildcard, and regular expression. The simple type behaves differently based on the inspection mode of the firewall policy (flow or proxy). Wildcard and regular expression types behave the same regardless of the inspection mode.


Simple Filter - Flow Mode.


In flow-mode inspection, this filter performs a simple substring match. If the provided domain string is located anywhere in the evaluated domain name, the match is positive.


Example: simple filter ''.





no match


match match match match


Note that the wildcard symbol '*' is not permitted in simple filters.


Simple filter - proxy mode.


In proxy-mode inspection, this filter matches the provided domain and any of its sub-domains, and it also matches if the string itself is a sub-domain of another domain.


Example: simple filter: ''.


domain result match no match match match no match (differs from flow-mode)

no match (differs from flow-mode)



Wildcard filter.


This filter accepts the wildcard '*' symbol. The filter is internally converted to a regular expression, with the provided string surrounded by word-boundary tokens (\b). Sub-domain matching is similar to a proxy-mode simple filter.


Example: wildcard filter: ''.


domain result match no match match match no match no match


match ('-' is a word-boundary character!)


The wildcard symbol '*' is a substitute for any number of arbitrary characters (including zero characters).


Example: wildcard filter: '*'.


domain result match match


no match


Note: Wrapping the domain string with '*' on both ends (**) results in behavior identical to the flow-mode simple filter - a simple substring match.


Note that the filter '*' will match sub-domains of '' but will not match '' itself.


Example: wildcard filter: '*'.


domain result match match no match (the filter requires '.' preceding 'fortinet') no match match


The wildcard symbol can also be used in the middle of the string.


Example: wildcard filter: 'forti*'.


domain result match match


match no match ('forti' is not initial, or preceded by a word-boundary character)


Regular expression.


This filter operates using PCRE regular expressions. The list below shows a handful of useful or interesting filters.


regex filter | behavior
fortinet\.com | equivalent to flow-mode simple filter (simple sub-string match; see above for match/non-match examples)
\bfortinet\.com\b | equivalent to wildcard filter (see above)
^fortinet\.com$ | precisely matches this domain only, no sub-domains
^\.fortinet\.com$ | matches only the sub-domains of this domain (not the domain itself)
^(.*\.)*fortinet\.com$ | matches the domain and any of its sub-domains


Note: In regular expressions, '.' is a wildcard symbol for a single character of any kind.

In order to match the dot character literally it must be escaped with a backslash.


test\.example\.com will match '' literally, as a sub-string

will also match test.exampleycom, etc.
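The following Python model of the four matching behaviours described in this article is an added illustration, not FortiOS code: the sample domains are constructed, the proxy-mode rule is modelled as "the domain itself or any of its sub-domains", and the wildcard conversion (literals escaped, '*' becomes '.*', the whole wrapped in \b) is an assumption based on the description above.

```python
import re


def normalize(domain: str) -> str:
    # DNS names are case-insensitive; drop a trailing root dot if present.
    return domain.lower().rstrip(".")


def simple_flow_match(filt: str, domain: str) -> bool:
    """Flow-mode simple filter: positive if the filter string appears anywhere."""
    return filt.lower() in normalize(domain)


def simple_proxy_match(filt: str, domain: str) -> bool:
    """Proxy-mode simple filter: the domain itself or any sub-domain of it
    (a model of the behaviour described in the article, not FortiOS code)."""
    d, f = normalize(domain), filt.lower()
    return d == f or d.endswith("." + f)


def wildcard_to_regex(filt: str) -> str:
    """Wildcard filter -> regex: literals escaped, '*' -> '.*', wrapped in \\b."""
    body = ".*".join(re.escape(part) for part in filt.split("*"))
    return r"\b" + body + r"\b"


def wildcard_match(filt: str, domain: str) -> bool:
    return re.search(wildcard_to_regex(filt), normalize(domain)) is not None


def regex_match(pattern: str, domain: str) -> bool:
    """Regular-expression filter: unanchored search unless the pattern anchors."""
    return re.search(pattern, normalize(domain)) is not None


# Constructed sample domains (not from the article) that exercise each rule.
SAMPLES = ["fortinet.com", "www.fortinet.com", "my-fortinet.com",
           "myfortinet.com", "fortinet.com.example.net", "test.exampleycom"]


def show(label: str, fn, filt: str) -> None:
    print(f"{label} {filt!r}")
    for d in SAMPLES:
        print(f"  {d:28} {'match' if fn(filt, d) else 'no match'}")


if __name__ == "__main__":
    show("simple/flow ", simple_flow_match, "fortinet.com")
    show("simple/proxy", simple_proxy_match, "fortinet.com")
    show("wildcard    ", wildcard_match, "fortinet.com")     # '-' is a boundary
    show("wildcard    ", wildcard_match, "*.fortinet.com")   # not the apex itself
    show("regex       ", regex_match, r"^(.*\.)*fortinet\.com$")
    show("regex       ", regex_match, "test.example.com")    # unescaped dots
```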