FortiGate
iskandar_lie
Staff
Article Id 223110

Description: This article describes how the FortiGate static DNS filter logs DNS traffic according to the action setting configured for each domain.

Scope: FortiGate.

Solution:

This lab test uses a FortiGate as the firewall, with a DNS filter security profile applied, and a Windows PC as the client.

Static DNS filter with domain 'test.com'

There are three action settings:

block - Block DNS requests matching the domain filter, with logging.

allow - Allow DNS requests matching the domain filter, without logging.

monitor - Allow DNS requests matching the domain filter, with logging.

*block: the client is redirected to the block portal page (as shown in the GUI).

Security profile for DNS filter

Under Security Profile -> DNS Filter, 'Log all DNS queries and responses' must be disabled, so that FortiGate logs only according to the action set for each entry in the 'Static Domain Filter' list. With this setting, actions taken by the 'FortiGuard Category Based Filter' are not logged.

Enable DNS-Server on FortiGate

On the client PCs, make sure DNS requests are sent to the FortiGate interface IP on which the DNS server is configured; in this sample it is '192.168.11.1'.

Under Firewall Policy -> Logging Options, enabling or disabling logging does not affect the DNS filter 'DNS Query' log; that setting only affects the 'Forward Traffic' log.

Complete view of the DNS filter profile settings for test.com:

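The CLI equivalent of the GUI configuration described above, as an added example that is not part of the original article: the domain-filter table ID 1, the list and profile name 'test.com', and the client-facing interface name 'internal' are assumptions; the three domains and their actions are the ones used in the test below.

```fortios
# allow = not logged, block = logged and redirected to the block portal, monitor = logged
# Static domain filter list (table ID 1 and the name are assumed)
config dnsfilter domain-filter
    edit 1
        set name "test.com"
        config entries
            edit 1
                set domain "google.com"
                set type simple
                set action allow
                set status enable
            next
            edit 2
                set domain "detik.com"
                set type simple
                set action block
                set status enable
            next
            edit 3
                set domain "cnn.com"
                set type simple
                set action monitor
                set status enable
            next
        end
    next
end

# DNS filter profile: attach the list and keep 'Log all DNS queries and responses' disabled
config dnsfilter profile
    edit "test.com"
        set log-all-domain disable
        config domain-filter
            set domain-filter-table 1
        end
    next
end

# DNS server on the client-facing interface (interface name assumed), with the profile applied
config system dns-server
    edit "internal"
        set mode recursive
        set dnsfilter-profile "test.com"
    next
end
```

With 'log-all-domain' disabled, only entries with the block or monitor action produce a DNS Query log; the firewall policy's logging option has no effect on these entries.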
Perform a web browsing test from the client PC to the following destinations:

Google.com -- action allow

Detik.com -- action block

Cnn.com -- action monitor

Conclusion:

Only the domain with the 'allow' action is not logged; the others are logged.

In the log display, the message for the 'monitor' action is shown as:

'Domain was allowed because it is in the domain-filter list'